The Securities and Exchange Commission (SEC) and the Commodities Future Trading Commission (CFTC) issued a joint proposed rule and guidelines to help protect investors from identity theft enacted by Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act. This proposal currently does not apply to registered investment advisers. The SEC has recognized that registered investment advisers are unlikely to hold transaction accounts and thus would not qualify as a “financial institution.” The SEC is requesting comments on the proposed rule asking whether the rule should “omit investment advisers or any other SEC-registered entity from the list of entities covered by the proposed rule?” When the proposal is published in the federal register there will be a 60-day comment period.
Section 1088 of the Dodd-Frank Act transferred authority over parts of the Fair Credit Reporting Act (FCRA) from the Federal Trade Commission (FTC) to the SEC and the CFTC. The provisions amended section 615(e) by adding the CFTC and SEC to a list of federal agencies required to create identity theft regulations. The purpose of an identity prevention program is to detect, prevent and mitigate identity theft.
The FTC already has red flag rules in place to prevent identity theft. If the SEC and CFTC’s rule is adopted then it will be substantially similar to the rule implemented by the FTC in 2007 and other federal financial regulatory agencies that were previously required to adopt such rules. It will not contain any new requirements nor will it expand the scope of the rules to include new entities not already covered.
The proposed rule will help financial institutions and creditors develop and implement a written identity theft prevention program by providing guidelines to assist entities in the formulation and maintenance of a program that would satisfy the requirements of the proposed rules. It would require entities to adopt a written identity theft program with reasonable policies and procedures to:
- Identify red flags,
- Detect the occurrence of red flags,
- Respond appropriately to the detected red flags, and
- Periodically update the program.
The proposed rule would include guidelines and examples of reds flags to help administer their programs. It would also provide special requirements for any credit and debit card issuers that are subject to the regulator’s jurisdiction, to asses the validity of notifications of changes of address under certain circumstances.
The proposed rule states that it will apply to “financial institutions” and “creditors.” The SEC has already stated that it will follow the guidance of the FTC’s Red Flag Rules when defining the term “creditor.” It historically would not include businesses that may “advance funds or that may bill in arrears for services provided.” However, there is more ambiguity for the term “financial institution,” which the rule defines as certain bank and credit unions, as well as “any other person that, directly or indirectly, holds a transaction account belonging to a consumer.” The rule defines a transaction account as “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third parties or others.”
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds and issuers of securities, among others. Our regulatory practice group assists financial service providers with the complex issues that arise in the course of their businesses, including compliance with federal and state laws and rules.