Last week, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) published in the Federal Register a joint rule requiring entities regulated by the agencies to adopt programs to detect and prevent identity theft.  The rule is referred to as the “red flags rule” and applies to certain broker-dealers, mutual funds, investment advisers, futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers, major swap participants, and certain other entities regulated by the SEC and CFTC that qualify as a “financial institution” or “creditor” under the Fair Credit Reporting Act.  The SEC and CFTC promulgated the rule pursuant to the Dodd-Frank Act, which amended the Fair Credit Reporting Act to require the SEC and CFTC to adopt the red flags rule.  Prior to the Dodd-Frank Act, only the federal banking regulators and the Federal Trade Commission were required to adopt red flags rules applicable to the entities under their jurisdiction.  Entities will be expected to comply with the rule by November 20, 2013.

The SEC and CFTC’s final rule requires affected entities offering or maintaining a “covered account” (generally, an account for personal, family, or household purposes that is designed to permit multiple transactions, such as a broker-dealer brokerage account) to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.  The program should be appropriate to the size and complexity of the entity and the nature and scope of its activities. 

The program is required to include reasonable policies and procedures to:

(1) Identify relevant Red Flags (activities that indicate the possible existence of identity theft) for the covered accounts that the entity offers or maintains, and incorporate those Red Flags into its program;

(2) Detect Red Flags that have been incorporated into the entity’s program;

(3) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and

(4) Ensure the program is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft.  

The SEC and CFTC’s red flags rule is nuanced, particularly in defining the entities that are subject to its requirements.  SEC- and CFTC-regulated entities should review the rule carefully to determine whether they are required to develop identity theft prevention programs.

Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.