- Broker-Dealers May Need to Develop and Implement Anti-Identity Theft Programs Under FACT Act "Red Flag" Rules
- October 25, 2008
- Law Firm: LeClairRyan - Richmond Office
November 1, 2008, is the compliance date for new federal regulations implementing section 114 of the Fair and Accurate Credit Transactions Act (“FACT Act”).
These rules require all “financial institutions” and “creditors” that maintain “covered accounts” to develop and implement a written program to detect, prevent and mitigate identity theft in connection with certain accounts. The FACT Act rules include broad definitions of “financial institution” and “creditor.” Brokerage firms that extend credit to customers through margin or otherwise, or provide check-writing features in their customer accounts are subject to these rules.
Specifically, the term “creditor” means any person who regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit. Thus, a broker-dealer that participates in the extension of margin credit to a customer would be a “creditor” for purposes of these rules.
The definition of “financial institution” is similarly broad, including, in addition to commercial banks and savings institutions, any other person that directly or indirectly holds a “transaction account” belonging to a consumer. A “transaction account” is defined as a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others, including demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts. Accordingly, any broker-dealer that offers a check-writing feature as part of its brokerage account would be a “financial institution” for purposes of the FACT Act Red Flag rules.
The rules apply to any creditor or financial institution that holds a “covered account.” Under these rules, a “covered account” is an account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account or any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks. Given this extraordinarily broad definition, virtually any broker-dealer that satisfies the definition of “creditor” or “financial institution” and has retail customers will be subject to these rules.
Required Elements of Identity Theft Program
In order to be in compliance with the FACT Act Red Flag rules, a covered broker-dealer is required to develop and implement a written program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. This program must be appropriate to the size and complexity of the firm and the nature and scope of its activities. The program must include reasonable policies and procedures to:
- Identify relevant red flags for the covered accounts that the firm offers or maintains and incorporate those red flags into the program;
- Detect red flags that have been identified for inclusion in the program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft;
- Ensure that the program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the firm from identity theft.
Procedural Steps Required in Adoption and Administration of the Program
Entities that are required to adopt and implement an identity theft program are also required to take the following procedural steps in connection with the continued administration of the program:
- Obtain approval of the initial written program from either the firm’s board of directors or an appropriate committee of the board of directors;
- Involve either the firm’s full board of directors, an appropriate committee or a designated employee at the senior management level in the oversight, development, implementation and administration of the program;
- Train staff, as necessary, to effectively implement the program; and
- Exercise appropriate and effective oversight of service provider arrangements.
The November 1, 2008, compliance date for the FACT Act Red Flag Rules is barely six weeks away. If your firm is covered by these rules, the development of an appropriate identity theft program should be commenced immediately.