Entities Subject to the New Rules Should Already be Compliant with the Agencies' Newly Adopted Rules.

[ by Howard Haykin ]

The Commodity Futures Trading Commission and the Securities and Exchange Commission adopted Joint final rules and guidelines to require certain regulated entities to establish programs to address risks of identity theft.  These rules and guidelines implement provisions mandated under the Dodd-Frank StreetAct, that amended section 615(e) of the Fair Credit Reporting Act and directed the Commissions to adopt rules requiring entities that are subject to the Commissions’ respective enforcement authorities to address identity theft.

• The rules require financial institutions and creditors to develop and implement a written identity theft prevention program, designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts.

• The rules include guidelines to assist entities in the formulation and maintenance of programs that would satisfy the requirements of the rules.

• The rules establish special requirements for any credit and debit card issuers

The 2 Commissions are adopting new rules and guidelines on identity theft red flags for entities subject to their respective enforcement authorities.

• The CFTC is adding new subpart C (“Identity Theft Red Flags”) to part 162 of the CFTC’s regulations [17 CFR part 162] and the SEC is adding new subpart C (“Regulation S-ID:  Identity Theft Red Flags”) to part 248 of the SEC’s regulations [17 CFR part 248], under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x], the Commodity Exchange Act [7 U.S.C. 1–27f], the Securities Exchange Act of 1934 [15 U.S.C. 78a–78pp], the Investment Company Act of 1940 [15 U.S.C. 80a], and the Investment Advisers Act of 1940 [15 U.S.C. 80b].

The final rules adopted on Thursday are substantially similar to the rules the Commissions proposed, and to the rules they adopted in 2007.   The final rules apply to “financial institutions” and “creditors” subject to the Commissions’ respective enforcement authorities, and as discussed further in the final rule release. They do not exclude any entities registered with the Commissions from their scope. The Commissions recognize that entities subject to their respective enforcement authorities, whose activities fall within the scope of the rules, should already be in compliance with the Agencies’ joint rules.

The rules we are adopting today:

• do not contain requirements that were not already in the Agencies’ rules,
• do not expand the scope of those rules to include new categories of entities that the Agencies’ rules did not already cover.
• the rules and this adopting release do contain examples and minor language changes designed to help guide entities within the SEC’s enforcement authority in complying with the rules,
• this may lead some entities that had not previously complied with the Agencies’ rules to determine that they fall within the scope of the rules we are adopting today.

II. EXPLANATION OF THE FINAL RULES AND GUIDELINES

A. Final Identity Theft Red Flags Rules.   In accordance with their mandates, the Commissions have jointly established and will maintain guidelines for “financial institutions” and “creditors” regarding identity theft.  The rules require that such impacted entities establish reasonable policies and procedures for the implementation of those guidelines.  Under the final rules, a financial institution or creditor that offers or maintains “covered accounts” must establish an identity theft red flags program designed to detect, prevent, and mitigate identity theft. \

To that end, the final rules discussed below specify:

• which financial institutions and creditors must develop and implement a written identity theft prevention program (“Program”);
• the objectives of the Program;
• the elements that the Program must contain; and,
• the steps financial institutions and creditors need to take to administer the Program.

1.  Which Financial Institutions and Creditors Are Required to Have a Program.   

The CFTC believes that it should retain the same definition of “financial institution” and “creditor” contained in the Proposing Release.  In that Proposing Release,

• the CFTC defined “financial institution” as having the same meaning as in section 603(t) of the FCRA.

• the CFTC also specified that the term includes any:  (i) FCM (futures commission merchant);  (ii) RFED (retail foreign exchange dealer);  (iii) CTA (commodity trading advisor);  (iv) CPO (commodity pool operator);  (v) IB (introducing broker);  (vi) SD (swap dealer); or, (vii) MSP (major swap participant) that directly or indirectly holds a transaction account belonging to a consumer.  

Similarly, in the CFTC’s proposed definition of “creditor,” the CFTC applies the definition of “creditor” from 15 U.S.C. 1681m(e)(4) to any FCM, RFED, CTA, CPO, IB, SD, or MSP that:

• “regularly extends, renews, or continues credit; regularly arranges for the extension, renewal, or continuation of credit;

• in acting as an assignee of an original creditor, participates in the decision to extend, renew, or continue credit.”

• CFTC determined that the final rules apply to these entities because of the increased likelihood that these entities open or maintain covered accounts, or pose a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft.

The SEC’s “scope” subsection provides that the final rules apply to a financial institution or creditor, as defined by the FCRA, that is:

• a broker, dealer or any other person registered or required to be registered under the Securities Exchange Act of 1934 (“Exchange Act”);

• An RIC registered or required to be registered under the ICA of 1940 (“Investment Company Act”), that has elected to be regulated as a business development company (“BDC”) under that Act, or that operates as an employees’ securities company (“ESC”) under that Act;  or,

• An RIA registered or required to be registered under the IAA of 1940 (“Investment Advisers Act”).

• Types of entities listed by name in the scope section are the registered entities regulated by the SEC that are most likely to be financial institutions or creditors - i.e., “broker-dealers”, investment companies, and investment advisers.  

• Scope section also includes any other entities registered or are required to register under the Exchange Act - e.g.,  nationally recognized statistical rating organizations (“NRSROs”), self-regulatory organizations (“SROs”), municipal advisors, and municipal securities dealers, are not listed by name in the scope section because they may be less likely to qualify as financial institutions or creditors under the FCRA. 

• If any entity of a type not listed qualifies as a financial institution or creditor, it is covered by the SEC’s rules.  The scope section does not include entities that are not themselves registered or required to register with the SEC (with the exception of certain non-registered investment companies that nonetheless are regulated by the SEC38), even if they register securities under the Securities Act of 1933 or the Exchange Act, or report information under the federal securities laws.

SEC and CFTC Contacts.   At the CFTC, direct your questions to:   Sue McDonough, Counsel, Office of the General Counsel, Three Lafayette Centre, 1155 21st Street, NW, Washington, DC 20581, tel. number (202) 418-5132, fax number (202) 418-5524, e-mail smcdonough @cftc.gov.

At the SEC, direct your questions to:   with regard to RICs and RIAx, Andrea Ottomanelli Magovern, Sr. Counsel, Amanda Wagner, Senior Counsel, Thoreau Bartmann, Branch Chief, or Hunter Jones, Asst Director, Office of Regulatory Policy, Division of Inv. Mgmt, (202) 551-6792;   with regard to brokers, dealers, or transfer agents, contact Brice Prince, Special Counsel, Joseph Furey, Asst Chief Counsel, David Blass, Chief Counsel, Office of Chief Counsel, Division of Trading and Markets, (202) 551-5550, SEC, 100 F Street, NE, Washington, DC 20549-8549

For further details, go to:   [SEC FINRA Rule Release 34-69359, 4/11/13].

To contact the author, write to:  [howard@compliance-insights.com]