SEC and CFTC Issue Joint Proposed Rules and Guidelines to Address Identity Theft

March 12, 2012


On Feb. 28, 2012, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly issued proposed rules and guidelines to implement new statutory provisions mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) (the “Release”). Dodd-Frank included an amendment to section 615(e) of the Fair Credit Reporting Act of 1970 (“FCRA”) that directs the SEC and CFTC to prescribe rules for entities subject to their jurisdiction to address identity theft. The proposed rules do not create new requirements for those financial institutions that are already required to have identity theft programs under the FCRA. The proposed guidelines, however, provide examples of “red flags” to help firms administer their programs.

FCRA sets standards for the collection, communication and use of information about consumers by consumer reporting agencies. In 2003, the Fair and Accurate Credit Transaction Act (“FACT Act”) amended FCRA by directing certain federal agencies1 to jointly issue rules and guidelines requiring financial institutions to respond to “red flags” concerning potential identity theft, which they did in 2007.

The new rules proposed in the Release would require “financial institutions” and “creditors” that are subject to the jurisdiction of the SEC or CFTC to develop and implement written identity theft prevention programs that are designed to detect, prevent and mitigate identity theft in existing or new “covered accounts.”2 The proposed guidelines seek to assist these entities in the formulation and maintenance of a program that satisfies the proposed rules.

As noted above, many of the “financial institutions” or “creditors” that are subject to the proposed rules and guidelines have already been required to implement identity theft prevention programs. For example, in 2007, the staff of the SEC advised that Section 114 of the FACT Act and related rules adopted by the FTC applied to mutual funds that otherwise met the definition of “financial institutions,” so mutual funds (and their transfer agents) that held covered accounts adopted FACT Act “Red Flags” programs in 2008. For entities already in compliance with existing FACT Act rules, the proposed rules do not impose new requirements.

The proposed rules also establish special requirements, designed to assess the validity of change-of-address notifications, for any credit and debit card issuers that are subject to the jurisdiction of the SEC or CFTC. The Release states that the CFTC is unaware of any entities subject to its jurisdiction that issue debit or credit cards. The Release also states that the SEC believes that few, if any, entities under its jurisdiction are subject to the proposed card issuer rules, since the entities it supervises typically issue cards in partnerships with banks or other financial institutions that are themselves subject to the FACT Act’s requirements.

The Identity Theft Red Flags Rules and Guidance

I. Scope

The SEC’s proposed rules apply to “financial institutions”3 and “creditors,”4 which are broker-dealers, registered investment advisers, registered investment companies, business development companies and employees’ securities companies. Investment companies that allow investors to make wire transfers to other parties or that offer check-writing privileges are subject to the SEC’s proposed rules, but investment companies whose transactions are made only through a broker-dealer are not. Funds that are not registered with the SEC are not subject to the proposed rules even if they register securities under the Securities Act of 1933 or the Exchange Act. Unregistered advisers are not subject to the proposed rules, even if they report information under the Investment Advisers Act of 1940. Most investment advisers will not be subject to the SEC’s new rules, since investment advisers usually do not hold accounts that provide similar money-transfer privileges.

The SEC notes in the Release that municipal advisers and municipal securities dealers generally do not qualify as financial institutions or creditors; however, the SEC requests comment on this point.

The CFTC scope provision operates similarly in that it also applies to financial institutions and creditors as defined by FCRA. The CFTC proposal then further defines financial institutions to include futures commission merchants, retail foreign exchange dealers, commodity trading advisers, commodity pool operators, introducing brokers, swap dealers and major swap participants if they hold customer transaction accounts.5

The SEC’s proposed rules define “creditors” to include “lenders such as brokers or dealers offering margin accounts, securities lending services, and short selling services.” The CFTC rules define creditors to include any entity listed in the definition of financial institution that “regularly extends, renews, or continues credit; regularly arranges for the extension, renewal, or continuation of credit; or in acting as assignee of an original creditor, participates in the decision to extend, renew or continue credit.”6

II. Covered Accounts

Under the proposed rules, the SEC and CFTC define “account” as a “continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.” The SEC’s proposed definition also expressly includes a “brokerage account, a mutual fund account and an investment advisory account.” The proposed rules differ from those adopted by other agencies in that they do not include “deposit accounts,” as defined in the FCRA, since deposit accounts are typically offered only by banks in connection with their banking activities. The SEC and CFTC request comment, however, as to whether “deposit accounts” are offered by any of the entities regulated by them.

The proposed rules require financial institutions to determine periodically whether they “offer or maintain” covered accounts.7 Financial institutions must conduct a risk assessment of the methods they use for opening and accessing accounts that takes into account any previous experience with identity theft. The Release notes that, in instances where a financial institution engages only in transactions with businesses where the risk of identity theft is minimal, the entity may determine, after a preliminary risk assessment, that it does not have to develop and implement an identity theft prevention program, or that its program needs only to address a limited range of its activities for certain covered accounts. In those circumstances, however, the financial institution is still required to conduct a periodic assessment to determine whether changes in its business or that of its customers require it to develop or enhance its program.

III. The Elements of the Program

The four proposed elements for an identity theft prevention program are the same elements adopted by other federal agencies in 2007. The proposed rules would require financial institutions and creditors to have reasonable policies and procedures to:

  • Identify relevant red flags for covered accounts and incorporate those red flags into its program. The Release states that the rules and guidelines are intended to be flexible in determining which red flags are relevant to a particular entity’s business and the covered accounts it holds. To that end, the proposed guidelines provide a list of factors that a financial institution or creditor should consider in determining which red flags are relevant to their businesses;
  • Detect red flags;
  • Respond appropriately to any red flags that are detected;8 and
  • Ensure that the program is updated periodically to reflect changes in risks to customers and to the “safety and soundness” of the financial institution from identity theft.

IV. Administering the Identity Theft Prevention Program

Board Approval and Involvement — The proposed rules require the initial written red flags program to be approved by the financial institution’s or creditor’s board of directors or an appropriate committee of the board. The proposed rules also require that the board of directors, an appropriate committee of the board, or a designated senior management employee remain involved in the oversight, development, implementation and administration of the program. The guidelines suggest that the effective administration of the program will include reports, at least annually, to the board, board committee or senior manager on “issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft . . . service provider arrangements; significant incidents involving identity theft and management response; and recommendations for material changes to the [p]rogram.”

Training — The proposed rules require that the financial institution or creditor provides training that enables relevant staff to address the risk of identity theft. By way of example, staff should be trained to detect red flags with regard to new and existing accounts and should be trained to mitigate identity theft by recognizing when an account should not be opened.

Service Provider Oversight — The proposed rules require financial institutions and creditors to “exercise appropriate and effective oversight of service provider arrangements” in connection with covered accounts. The proposed guidelines suggest that one step a mutual fund or broker dealer may take is to require the service provider to commit in its service contract to have red flag policies and procedures, “and either report the [r]ed [f]lags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.” The guidelines state that a service provider that provides services to many institutions may do so in accordance with its own program to prevent identity theft, as long as the service provider’s program meets the requirements of the proposed identity theft prevention rules.

Integration Of/Differentiation Between Identity Theft Red Flag Programs and Other Procedures

Mutual funds, broker-dealers, introducing brokers in commodities, and futures commission merchants and other entities that are subject to the federal Customer Identification Program or other Bank Secrecy Act rules, such as anti-money laundering rules, may have separate policies and procedures designed to comply with those requirements. The Release notes that these institutions are expected to re-evaluate the adequacy of these existing policies and procedures, and to “develop and implement risk-based policies and procedures that detect red flags in an effective and comprehensive manner.” The Release seeks comments as to whether the SEC should provide further guidance on the integration of or differentiation between identity theft prevention programs and other existing procedures.


The SEC and CFTC seek comments on a number of aspects of the proposed rules and guidelines. Many financial institutions that will be affected by the new rules already have identity theft prevention programs. They may be able to draw on their experience with these programs to make suggestions to improve the design and implementation of identity theft red flags programs under the proposed rules. Comments are due by May 7, 2012.

*This alert was co-authored by Michael Weissmann, Paul Tyrrell, David Boch, W. Hardy Callcott and Nancy Persechino.




1 Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, and the Federal Trade Commission. The amendments in Dodd-Frank add the CFTC and the SEC to this list.

2 A covered account is defined as “(i) an account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft including financial, operational, compliance, reputation, or litigation risks.”

3 The FCRA defines a “financial institution” to include certain banks and credit unions and “any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a customer.” FCRA § 603(t). A “transaction account” is “a deposit account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment order or withdrawal, telephone transfer, or other similar items for the purpose of making payments or transfers to third parties or others.” Federal Reserve Act § 19(b).

4 The FCRA defines “creditor” as it is defined in the Equal Credit Opportunity Act, namely a person that regularly extends, renews or continues credit or makes those arrangements that “regularly and in the course of business . . . advances funds to or on behalf of a person based on an obligation of the person to repay the funds payable from specific property pledged by or on behalf of the person.”

5 Entities that are or will be dually-registered with the SEC and CFTC should evaluate the significance of these proposed requirements in light of the business activities that have caused them to register with each of those regulators.

6 The Release clarifies that an investment adviser or a commodity trading adviser will not be a “creditor” if it bills fees for services in arrears.

7 See fn. 2, supra.

8 The proposed guidelines provide a list of aggravating factors and examples that a financial institution or creditor should consider in determining the appropriate response. For example, an appropriate response may include monitoring a covered account for evidence of identity theft; contacting the customer; or changing passwords, security codes, or other security devices that permit access to a covered account.

This article was originally published by Bingham McCutchen LLP.