Memo #25961

SEC Proposes for Comment "Red Flag" Rules as Required by the Dodd-Frank Act; ICI Requests Comments by Monday, April 9th


March 5, 2012

TO: OPERATIONS COMMITTEE No. 7-12
SEC RULES COMMITTEE No. 15-12
SMALL FUNDS COMMITTEE No. 6-12
TRANSFER AGENT ADVISORY COMMITTEE No. 15-12

RE: SEC PROPOSES FOR COMMENT "RED FLAG" RULES AS REQUIRED BY THE DODD-FRANK ACT; ICI REQUESTS COMMENTS BY MONDAY, APRIL 9TH

As you may know, since 2008, financial institutions, including mutual funds, with transaction accounts have been required by rules of the Federal Trade Commission (FTC) to have programs designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account. [1] With respect to SEC registrants, Section 1008 of the Dodd-Frank Act transferred the regulatory jurisdiction for these programs from the FTC to the SEC and required the SEC to adopt identity theft rules and guidelines similar to those previously imposed by the FTC. Consistent with this mandate, the SEC has published its proposed rules for comment, which are briefly summarized below. [2]

Comments on the proposal are due to the SEC by May 7, 2012. Members with comments they would like to have considered for inclusion in the Institute’s comment letter should provide them to the undersigned by phone (202-326-5825) or email (tamara@ici.org) no later than Monday, April 9th.

Overview of the SEC’s Proposal

I am pleased to report that the SEC’s “red flag” rules are deliberately designed to be substantively similar to those of the FTC. As such, they are not expected to result in any significant disruption to members’ existing red flag programs, nor impose additional duties and responsibilities on members as they continue to implement and oversee their programs. Consistent with the FTC’s rules, the SEC’s rules would only apply to those financial institutions – including broker-dealers, transfer agents, investment companies, and investment advisers – with transaction accounts. [3] It would require such entities to establish and oversee a program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a “covered account” [4] or an existing covered account.

Establishment of a Program

Under the proposed rules, a financial institution’s program must include reasonable policies and procedures to:

  • Identify relevant red flags for the covered accounts that the financial institution offers or maintains and incorporate them into the financial institution’s program;
  • Detect Red Flags that have been incorporated into the program;
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
  • Ensure the Program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution from identity theft.

The program must be applied to the financial institution’s covered accounts, and be appropriate to the size and complexity of the financial institution and the nature and scope of its activities. The rule requires a financial institution to consider specified guidelines and include in its program those guidelines that are appropriate. (See Guidelines, below.)

Administration of the Program

Like the FTC’s rules, the SEC’s rules will require that the financial institution:

  • Obtain approval of the initial written program from either the institution’s board of directors or an appropriate committee of the board of directors; [5]
  • Involve the board of directors, an appropriate committee thereof, or a designated employee (at the level of senior management) in the oversight, development, implementation, and administration of the program;
  • Train staff, as necessary, to effectively implement the program; and
  • Exercise appropriate and effective oversight of service provider arrangements.

Guidelines

Appendix A to the SEC’s proposed rules sets forth detailed “Guidelines” to assist financial institutions in formulating and maintaining a compliant program. These guidelines are essentially identical to those in the FTC’s rules. As with the FTC’s guidelines, the SEC’s proposed guidelines are divided into four sections:

  • Identifying Relevant Red Flags – which discusses Risk Factors; Sources of Red Flags; and Categories of Red Flags;
  • Detecting Red Flags – which discusses the need for financial institutions to verify the identity of and authenticate covered account holders, monitor transactions, and verify change of address requests;
  • Preventing and Mitigating Identity Theft – which discusses how a financial institution might respond to suspected identity theft, such as contacting the customer and changing passwords; and
  • Updating the Program – which discusses the need to update the program periodically to reflect changes in experiences with identity theft or its detection, prevention, and mitigation and changes in the financial institution’s business.

Compliance Date

In light of the fact that the SEC’s proposed rules do not “contain new requirements not already in [the FTC’s] final rules, nor . . . expand the scope of those rules to include new entities that were not already” subject to the FTC’s rules, [6] the SEC has proposed a compliance date for the rules of 30 days following their adoption.


Tamara K. Salmon
Senior Associate Counsel

endnotes

 [1] See Institute Memorandum No. 22710, dated July 17, 2008, alerting members to the applicability of the FTC’s rules to their operations.

 [2] See Identity Theft Red Flag Rules, SEC Release No. IC-29969 (Feb. 28, 2012) (“Release”), which is available at: http://www.sec.gov/rules/proposed/2012/ic-29969.pdf.

 [3] Generally speaking, a “transaction account” is an account that enables the accountholder to make payments from the account to a third party.

 [4] Like the FTC’s rules, the SEC has proposed to define “covered account” to mean: (1) an account that the financial institution offers or maintains primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties and (2) any other account that the financial institution offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution from identity theft, including financial, operational, compliance, reputation, or litigation risks. See proposed Rule 248.201(b)(3).

 [5] In our comment letter on the proposal, the Institute will ask the SEC to clarify that, so long as a registrant’s program under the FTC’s rules had obtained approval by the institution’s board or board committee, additional approval under the SEC’s rules is not also necessary.

 [6] See Release at pp. 9-10.