• SEC and CFTC Publish Proposed Identity Theft Red Flag Rules for Public Comment
  • March 28, 2012 | Authors: Veronica K. McGregor; Mauricio F. Paez; Katherine S. Ritchey; Elaine Wallace
  • Law Firms: Jones Day - San Francisco Office; Jones Day - New York Office; Jones Day - San Francisco Office
  • On February 28, 2012, the Securities and Exchange Commission ("SEC") and the Commodity Futures Trading Commission ("CFTC") issued proposed rules and guidelines requiring broker-dealers, mutual funds, and other SEC- and CFTC-regulated entities to create programs to detect and respond appropriately to "red flags" commonly associated with identity theft. Since 2008, these entities have been subject to red flag regulations, adopted and enforced by the Federal Trade Commission ("FTC") and five other federal financial regulatory agencies, that apply to all "financial institutions" and "creditors." In 2010, the Dodd-Frank Act transferred authority to implement and enforce these regulations from the FTC to the SEC and CFTC for all SEC- and CFTC-regulated entities. Although Congress did not provide a list of entities that are affected by this change, the SEC has indicated that the new regulations also would apply to broker-dealers registered under the Securities Exchange Act, investment companies registered under the Investment Company Act, and investment advisers registered under the Investment Advisers Act.

    Apart from the change in enforcement power, the proposed rules are substantially similar to the rules adopted by the FTC. The regulation will continue to cover "financial institutions" and "creditors" that offer or maintain "covered accounts," including all accounts that "a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions" as well as "any other account - for which there is a reasonably foreseeable risk to customers - from identity theft." Proposed § 162.30(b)(3) (CFTC); proposed § 248.201(b)(3) (SEC). Moreover, the new regulation adopts the four-part framework outlined in the FTC's regulation, requiring companies to: (i) identify patterns, practices, or specific activities that indicate the possible existence of identity theft in connection with a covered account; (ii) detect red flags when they occur; (iii) develop appropriate policies and procedures to respond when red flags are detected; and (iv) periodically update their program to reflect any changes in risk.

    The proposed regulation will be open for comment for 60 days.