SEC and CFTC Issue Final Identity Theft Rule

Last week, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) published in the Federal Register a joint rule requiring entities regulated by the agencies to adopt programs to detect and prevent identity theft.  The rule is referred to as the “red flags rule” and applies to certain broker-dealers, mutual funds, investment advisers, futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers, major swap participants, and certain other entities regulated by the SEC and CFTC that qualify as a “financial institution” or “creditor” under the Fair Credit Reporting Act.  The SEC and CFTC promulgated the rule pursuant to the Dodd-Frank Act, which amended the Fair Credit Reporting Act to require the SEC and CFTC to adopt the red flags rule.  Prior to the Dodd-Frank Act, only the federal banking regulators and the Federal Trade Commission were required to adopt red flags rules applicable to the entities under their jurisdiction.  Entities will be expected to comply with the rule by November 20, 2013.

The SEC and CFTC’s final rule requires affected entities offering or maintaining a “covered account” (generally, an account for personal, family, or household purposes that is designed to permit multiple transactions, such as a broker-dealer brokerage account) to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.  The program should be appropriate to the size and complexity of the entity and the nature and scope of its activities. 

The program is required to include reasonable policies and procedures to:

(1) Identify relevant Red Flags (activities that indicate the possible existence of identity theft) for the covered accounts that the entity offers or maintains, and incorporate those Red Flags into its program;

(2) Detect Red Flags that have been incorporated into the entity’s program;

(3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and

(4) Ensure the program is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft.  

The SEC and CFTC’s red flags rule is nuanced, particularly in defining the entities that are subject to its requirements.  SEC- and CFTC-regulated entities should review the rule carefully to determine whether they are required to develop identity theft prevention programs.

FTC Announces Amended Rule on Identity Theft "Red Flags"

On Friday, November 30, the Federal Trade Commission (FTC) issued an Interim Final Rule to amend its Red Flags Rule, which requires certain financial institutions and creditors to establish programs to detect, prevent and mitigate identity theft in connection with consumer accounts.  The Interim Final Rule narrows the definition of “creditor” in response to legislation passed by Congress in December 2010 (as covered in previous blog posts), excluding from the definition most doctors, lawyers, and other professionals who do not receive full payment at the time their service is furnished.  The rule is effective on February 11, 2013, and the FTC is seeking comments on the rule until that time.     

The Interim Final Rule narrows the circumstances under which creditors are covered by the Rule in an attempt to be consistent with Congress’s legislation. The amended Rule now provides that a creditor is covered only if, in the ordinary course of business, it regularly: (1) obtains or uses consumer reports in connection with a credit transaction; (2) furnishes information to consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person (except for a creditor who advances funds on behalf of the person for expenses incidental to a service provided by the creditor to that person).   

Under the Rule, covered entities’ Red Flag programs must: (1) include reasonable policies and procedures to identify signs – or “red flags” – of identity theft in the day-to-day operations of the business; (2) be designed to detect the red flags of identity theft known to the business; (3) set out the actions the business will take upon detecting red flags; and (4) re-evaluate its program periodically to reflect new risks.

D.C. Circuit Decides Red Flags Litigation

Last Friday, the U.S. Court of Appeals for the D.C. Circuit issued its opinion in litigation between the American Bar Association (ABA) and the Federal Trade Commission (FTC) over the scope of the FTC’s Red Flags rule.  The Court held the ABA's claims moot in light of recently-enacted legislation.   

The Red Flags rule requires covered entities to design and implement identity theft prevention programs.  In August 2009, the ABA challenged the FTC’s authority to enforce the rule with respect to attorneys.  In December 2010, Congress passed the Red Flag Program Clarification Act, which amended the definition of “creditor” in the underlying statute to limit the scope of the FTC’s rule.  We covered in previous blog posts the Act as well as supplemental briefs (here and here) filed by both parties arguing over the Act’s impact on the litigation.  The Court held that the ABA’s claims were now moot because, following the Act, there was no longer a case or controversy.

The ABA’s claims for injunctive relief were premised on the original definition of “creditor” prior to passage of the Act.  The Court stated that “the policy, rule, and statute that gave rise to [the] suit are no longer in the same posture.”  The Court acknowledged that the FTC could promulgate new regulations seeking to subject attorneys to the Red Flags rule but dismissed it as a mere “hypothetical possibility” not giving rise to a live dispute. 

FTC Chairman Jon Leibowitz applauded the Court’s decision for vindicating the FTC’s contention that the case should be dismissed.

Additional Briefs Filed in ABA-FTC Red Flags Litigation

We covered in a previous post ongoing litigation in the D.C. Circuit between the American Bar Association and Federal Trade Commission over the scope of the FTC’s Red Flags rule.  On January 20, 2011, the FTC filed a supplemental brief analyzing the impact of the recently-enacted Red Flag Program Clarification Act of 2010 on the permissible scope of the rule.  The ABA filed a response brief on February 3, 2011, and the FTC filed a reply brief on February 10, 2011. 

The ABA’s response brief emphasized the view that Congress never intended for the Red Flags requirements to apply to lawyers and used the Clarification Act and its deliberations in Congress as further evidence of that congressional intent.  The Clarification Act does not contain an express authorization for the FTC to apply the Red Flags rule to attorneys and, in fact, narrows the definition of “creditor.”  The brief points to legislative history that suggests Congress intended to prevent the FTC from applying the rule to professionals such as attorneys.

The FTC’s reply brief argued that the Clarification Act provided no categorical exemption from the definition of “creditor” for attorneys and that the definition, as amended, continues to encompass certain attorney billing or credit arrangements.  Moreover, Congress considered but ultimately did not pass bills that explicitly exempted attorneys from the scope of the rule.

Federal Trade Commission Provides Initial Interpretation of the Red Flags Clarification Act in Litigation with the American Bar Association

We recently covered the Red Flag Program Clarification Act of 2010 in a blog post and client alert.  The Act was intended to narrow the scope of the Federal Trade Commission’s Red Flags rule, which imposes requirements on creditors and financial institutions to detect and deter identity theft.  Prior to the Act’s passage, the American Bar Association had commenced litigation against the FTC regarding the rule’s application to attorneys.  The litigation is presently in the U.S. Court of Appeals for the District of Columbia Circuit, and in court papers filed on Friday, January 20, 2011, the FTC provided its initial interpretation of the Act’s impact on the rule. 

The FTC argued that the Act does not provide a blanket exemption for all attorneys, contrary to the ABA’s contention and the district court’s ruling.  Pursuant to the Act, an attorney could be subject to the Red Flags rule if he or she satisfies the definition of “creditor” under the Equal Credit Opportunity Act and regularly obtains consumer reports in connection with credit transactions, furnishes information to consumer reporting agencies in connection with credit transactions, or lends money to or on behalf of a person unless the loan is for expenses incidental to the services provided by the attorney.  In addition, the Act authorizes the FTC to subject any person to the rule if the FTC determines, by rulemaking, that the person “offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”  The FTC pointed to these two provisions, as well as the absence of legislative history supporting a blanket exemption for any profession, in arguing that the Act does not support the ABA’s position that attorneys should be categorically exempt from the rule. 

The ABA’s responsive brief is due on February 3, 2011. 
