The Securities and Exchange Commission and the Commodity Futures Trading Commission have adopted rules that require most broker-dealers, mutual funds, investment advisers, and certain other regulated entities to create programs to prevent identity theft. The new rules become effective May 20, 2013, and entities regulated by the new rules must comply by November 20, 2013.
Regulated entities subject to the rules must develop identity theft prevention programs to detect “red flags” signaling potential identity theft, to respond appropriately to such red flags, and to periodically update detection programs as identity theft risks change.
Among other requirements, the Red Flag Rules apply to “financial institutions” that offer or maintain “covered accounts.” “Covered accounts” are defined broadly to include personal accounts designed to permit multiple transactions and any account with a reasonably foreseeable risk of identity theft to customers. “Financial institutions” include any entity that holds a transaction account belonging to a consumer on which the account holder can make withdrawals to pay third parties. Examples cited by the SEC include:
- a broker-dealer that offers custodial accounts;
- a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and
- an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.
Many of these entities likely have identity theft prevention programs because they were previously required by Federal Trade Commission rules; however some entities, such as investment advisers, may have avoided scrutiny of their programs due to lax enforcement and may face increased attention now that the SEC and CFTC are charged with enforcing the Red Flag Rules for these entities.
Regulated entities should evaluate current red flag programs in the context of the SEC’s and CFTC’s new enforcement duties to determine if improvements are needed.