Background Information

Pursuant to the Fair and Accurate Credit Transactions Act of 2003,[1] a number of federal agencies in 2007 issued joint final identity theft rules and guidelines pertaining to the detection, prevention, and mitigation of identity theft for certain entities subject to the agencies’ enforcement authority.[2] The entities subject to these rules were required to adopt and implement written identity theft prevention programs. On July 21, 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) added the Commodity Futures Trading Commission (“CFTC”) and the Securities and Exchange Commission (“SEC”) to the list of agencies required to promulgate rules and guidelines pertaining to identity theft red flags.[3]

The Newly Proposed Rules from the CFTC and SEC

On March 6, 2012, the CFTC and SEC jointly proposed identity theft red flags rules and guidelines for specific entities subject to their authority.[4] These red flags rules and guidelines are substantially similar to the rules and guidelines adopted in 2007. They are “designed to help guide entities” in determining whether and how identity theft rules and guidelines apply to their particular circumstances “because of the increased likelihood that these entities open or maintain covered accounts, or pose a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.”

What Entities Will Be Subject to the CFTC and SEC Rules?

The CFTC has enumerated the following entities as now expressly subject to the scope of its proposed rule: 

  • futures commission merchants;
  • retail foreign exchange dealers; 
  • commodity trading advisors; 
  • commodity pool operators; 
  • introducing brokers; 
  • swap dealers; and 
  • major swap participants.

Similarly, the SEC clarified that the scope of its proposed rule applied to any financial institution or creditor, as defined by the Fair Credit Reporting Act (“FCRA”),[5] which includes:

  • a broker, dealer or any other person registered or required to be registered under the Securities Exchange Act of 1934; 
  • an investment company that is registered or required to be registered under the Investment Company Act of 1940, that has elected to be regulated as a business development company under that Act, or that operates as an employees’ securities company under that Act; or 
  • an investment adviser that is registered or required to be registered under the Investment Advisers Act of 1940.

Comments Requested

The Commissions request comments from potentially affected entities on the following issues:

  • the periodic determination of whether a financial institution offers or maintains a “covered account”; 
  • the appropriate written program designed to detect, prevent and mitigate identity theft, according to the size and complexity of the financial institution involved; 
  • the elements of the written program, including: 
    • policies and procedures to identify appropriate red flags; 
    • how to detect red flags; 
    • how to respond to red flags that are detected; 
    • periodic updates to reflect changes in risks to customers.

The five categories of red flags to be considered include: 

  • alerts or warnings received from customer reporting agencies; 
  • suspicious documents; 
  • suspicious personal identifying information; 
  • unusual use or activity in an account; 
  • notice from customers or law enforcement authorities regarding possible identity theft.

The proposed rules would require a financial institution to obtain approval of the written program from either its board of directors or an appropriate committee of the board.

The Commissions expressly acknowledged that these programs can be integrated with current compliance programs and procedures already in place.

Comment Period

The CFTC and SEC are currently seeking comments from interested parties before they promulgate a final rule. Any interested party may submit comments according to the methods detailed in the proposed rule itself.[6] Comments must be received on or before May 7, 2012.

[1] See Pub. L. 108-159, 117 Stat. 1952 (2003).
[2] See Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 Fed. Reg. 63,718 (Nov. 9, 2007).
[3] See 15 U.S.C. § 1681m(e)(1).
[4] See Identity Theft Red Flags Rules, 77 Fed. Reg. 13,450 (Mar. 6, 2012) (to be codified at 17 C.F.R. Parts 162, 248), available at http://www.gpo.gov/fdsys/pkg/FR-2012-03-06/pdf/2012-5157.pdf.
[5] Under FCRA, a financial institution includes banks, credit unions, and “any other person that, directly or indirectly, holds a transaction account . . . belonging to a consumer.” 15 U.S.C. § 1681a(t). A transaction account is “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third parties or others.” 12 U.S.C. § 461(b)(1)(C). Example transaction accounts include “demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.” Id.
[6] See 77 Fed. Reg. at 13,450.