Memo #27181

SEC Adopts Identity Theft Red Flag Regulation as Required by the Dodd-Frank Act; Compliance Date Set for October 2013



April 15, 2013

TO: OPERATIONS COMMITTEE No. 18-13
SMALL FUNDS COMMITTEE No. 9-13
SEC RULES COMMITTEE No. 16-13
TRANSFER AGENT ADVISORY COMMITTEE No. 30-13

RE: SEC ADOPTS IDENTITY THEFT RED FLAG REGULATION AS REQUIRED BY THE DODD-FRANK ACT; COMPLIANCE DATE SET FOR OCTOBER 2013


The SEC has adopted a new regulation, Regulation S-ID, “Identity Theft Red Flags,” as mandated by the Dodd-Frank Act. [1]  The regulation will be effective 30 days after its publication in the Federal Register, which is expected in the very near future.  The compliance date will be six months after such publication, which should be sometime in October 2013.  As discussed below, SEC registrants that are in compliance with the Identity Theft Red Flag Rules adopted by the Federal Trade Commission (FTC) in 2008 should be in compliance with the SEC’s regulation, which is briefly summarized below. 

Background

As you know, since 2008, financial institutions, including mutual funds, with “transaction accounts” have been required by rules of the FTC to have programs designed to detect, prevent, and mitigate identity theft in connection with the opening of a “covered account.” [2]  With respect to SEC registrants, Section 1008 of the Dodd-Frank Act transferred the regulatory jurisdiction for these programs from the FTC to the SEC and required the SEC to adopt identity theft rules and guidelines similar to those previously imposed by the FTC.  Consistent with this mandate, in February 2012 the SEC published its proposed regulation for comment.  Because the requirements of the SEC’s proposal were substantively identical to those of the FTC’s rules, the Institute filed a comment letter supporting adoption of the proposal.  Our letter recommended, however, that the SEC clarify in its adopting release that the SEC’s regulation would not necessitate the re-approval of existing programs by a fund’s board of directors. [3]

Overview of SEC Regulation S-ID, Identity Theft Red Flags

The SEC’s “red flag” regulation is deliberately designed to be substantively similar to the previous rules of the FTC.  As such, its requirements are not expected to result in any significant disruption to registrants’ existing red flag programs, nor impose additional duties and responsibilities on them as they continue to implement and oversee their programs.  As stated in the SEC’s Release:

The rules we are adopting today do not contain requirements that were not already in the [FTC’s] rules, nor do they expand the scope of those rules to include new categories of entities that the [FTC’s] rules did not already cover.  The rules and this adopting release do contain examples and minor language changes designed to help guide entities within the SEC’s enforcement authority in complying with the rules . . . [4]

Consistent with the FTC’s rules, the SEC’s regulation applies only to those financial institutions – including broker-dealers, transfer agents, investment companies, and investment advisers – with transaction accounts. [5]  It requires such entities to establish and oversee a program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a “covered account” [6] or the ongoing maintenance of an existing covered account.

Establishment of a Program

Regulation S-ID requires a financial institution’s program to include reasonable policies and procedures to:

  • Identify relevant red flags for the covered accounts that the financial institution offers or maintains and incorporate them into the financial institution’s program;
  • Detect red flags that have been incorporated into the program;
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • Ensure the red flag program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution from identity theft.

The program must be applied to all of the financial institution’s covered accounts and be appropriate to the size and complexity of the financial institution and the nature and scope of its activities.  The regulation includes guidelines to assist financial institutions in formulating and maintaining a program that satisfies the regulation.  (See Guidelines, below.)

Administration of the Program

Like the FTC’s rules, the SEC’s regulation requires that the financial institution:

  • Obtain approval of the initial written program from either the institution’s board of directors or an appropriate committee of the board of directors;
  • Involve the board of directors, an appropriate committee thereof, or a designated employee (at the level of senior management) in the oversight, development, implementation, and administration of the program;
  • Train staff, as necessary, to effectively implement the program; and
  • Exercise appropriate and effective oversight of service provider arrangements.

Guidelines

Appendix A to the SEC’s regulation sets forth detailed “Guidelines” to assist financial institutions in formulating and maintaining a compliant program.  The first four sections of the guidelines are essentially identical to those in the FTC’s rules, though they have been tailored to address SEC registrants.  As with the FTC’s guidelines, the SEC’s guidelines are divided into six sections:

  • Identifying Relevant Red Flags – which discusses Risk Factors, Sources of Red Flags, and Categories of Red Flags;
  • Detecting Red Flags – which discusses the need for financial institutions to verify the identity of and authenticate covered account holders, monitor transactions, and verify change of address requests;
  • Preventing and Mitigating Identity Theft – which discusses how a financial institution might respond to suspected identity theft, such as contacting the customer and changing passwords;
  • Updating the Program – which discusses the need to update the program periodically to reflect changes in the financial institution’s business and changes in experiences with identity theft or its detection, prevention, and mitigation;
  • Methods for Administering the Program – which provides guidance on how the program should be overseen by the board, a committee of the board, or a designated employee of senior management; and
  • Other Applicable Legal Requirements – which reminds SEC registrants of other related legal requirements that may be applicable such as Suspicious Activity Reporting requirements.

Compliance Date

While the SEC had originally proposed a compliance period of 30 days, as noted above, the compliance date for the regulation will be six months following its publication in the Federal Register.


Tamara K. Salmon
Senior Associate Counsel

Endnotes

[1]  See Identity Theft Red Flag Rules, SEC Release No. IC-30456 (April 10, 2013) (“Release”), which is available at: http://www.sec.gov/rules/final/2013/34-69359.pdf

[2]  See Institute Memorandum No. 22710, dated July 17, 2008, alerting members to the applicability of the FTC’s rules to their operations.

[3]  As discussed below, the SEC’s Release confirms that such re-approval is not required.

[4]  Release at p. 8.

[5]  Generally speaking, a “transaction account” is an account that enables the accountholder to make payments from the account to a third party.

[6]  Like the FTC’s rules, the SEC regulation defines “covered account” to mean: (1) an account that a financial institution offers or maintains primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties and (2) any other account that the financial institution offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution from identity theft, including financial, operational, compliance, reputation, or litigation risks.  See proposed Rule 248.201(b)(3).