A Small Entity Compliance Guide¹

Introduction

In 2003, Congress amended the Fair Credit Reporting Act (“FCRA”) to require the Federal Trade Commission (“FTC”) and certain other federal agencies (together, the “Agencies”) to jointly adopt identity theft red flags rules and guidelines.  At that time, FCRA did not require or authorize the Securities and Exchange Commission (“SEC”) or Commodity Futures Trading Commission (“CFTC”) to adopt these rules.  Instead, the FTC had authority to adopt and enforce these rules with respect to SEC- and CFTC‑regulated entities.  The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 amended FCRA to transfer identity theft rulemaking responsibility and enforcement authority to the SEC and CFTC with respect to the SEC- and CFTC-regulated entities. 

The SEC and CFTC jointly adopted rules and guidelines that require certain regulated entities that are subject to the SEC’s or CFTC’s enforcement authority to establish programs to address risks of identity theft.  As described below, the SEC’s rules require certain SEC-regulated entities to develop and implement a written program designed to detect, prevent, and mitigate identity theft in connection with certain accounts.  The SEC’s rules operate the same for all covered entities, regardless of their size. 

Identity Theft Red Flags Rules

The SEC’s identity theft red flags rules require certain SEC-regulated entities to adopt a written identity theft program that includes policies and procedures designed to:

• Identify relevant types of identity theft red flags;
• Detect the occurrence of those red flags;
• Respond appropriately to the detected red flags; and
• Periodically update the identity theft program.

Entities that are required to adopt identity theft programs also must provide for the administration of the program, including staff training and oversight of service providers.  The rules do not single out specific red flags as mandatory, require specific policies and procedures to identify possible red flags, or provide a specific method of detecting red flags.  The rules do, however, include guidelines and examples of red flags to help firms administer their programs.  An identity theft program should be appropriate to the size and complexity of the entity and the nature and scope of its activities. 

The SEC’s rules also require SEC-regulated entities that issue debit cards or credit cards to take certain precautionary actions when they receive a request for a new or replacement card soon after they receive a notification of a change of address for a consumer’s account.  The SEC expects few, if any, SEC-regulated entities to be subject to these “card issuer” rules.

Entities Subject to the Identity Theft Red Flags Rules

The SEC’s identity theft red flags rules apply to SEC-regulated entities that qualify as financial institutions or creditors under FCRA and require those financial institutions and creditors that maintain covered accounts to adopt identity theft programs.  SEC‑regulated entities that are likely to qualify as financial institutions or creditors and maintain covered accounts include most registered brokers, dealers, and investment companies, and some registered investment advisers. 

Financial Institutions

An SEC-regulated entity will generally qualify as a financial institution if it holds a transaction account belonging to an individual.  An account may be a transaction account (and therefore the entity holding the account may qualify as a financial institution) if the individual account owner can personally make payments or transfers of money from his or her account to third parties, or can direct the SEC-regulated entity to make such payments or transfers to third parties.  (Please see section II.A.1.i of the rules’ adopting release for additional guidance about the definition of “financial institution.”)

Creditors

An SEC-regulated entity will generally qualify as a creditor if it advances or loans money to consumers.  However, an entity will not qualify as a creditor if it advances money for expenses incidental to a service provided by the entity.  (Please see section II.A.1.ii of the rules’ adopting release for additional guidance about the definition of “creditor.”)

Covered Accounts

A covered account is generally: (1) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; or (2) any other account that poses a reasonably foreseeable risk to customers of identity theft.  (Please see section II.A.1.iii of the rules’ adopting release for additional guidance about the definition of “covered account.”)

Compliance Date for Entities Subject to the Identity Theft Red Flags Rules

The SEC’s rules are substantially similar to the Agencies’ identity theft rules, which applied to SEC-regulated entities when they were adopted.  Therefore, entities subject to the SEC’s rules (including small entities) should already be in compliance with the rules’ requirements.  However, the rules and the rules’ adopting release do contain examples and minor language changes designed to help guide entities within the SEC’s enforcement authority in complying with the rules, which may lead some entities that had not previously complied with the Agencies’ rules to determine that they fall within the scope of the SEC’s rules.

All SEC-regulated entities that fall within the rules’ scope must comply with the rules by November 20, 2013.

Other Resources

The adopting release for the identity theft red flags rules can be found on the SEC’s website at http://www.sec.gov/rules/final/2013/34-69359.pdf.  The proposing release for the rules can be found on the SEC’s website at http://www.sec.gov/rules/proposed/2012/ic-29969.pdf. 

Contacting the SEC

The SEC’s Division of Investment Management and Division of Trading and Markets are happy to assist small entities with questions regarding the identity theft red flags rules.  

Please direct questions regarding small investment companies and small investment advisers to the Division of Investment Management.  Questions may be directed to the Division of Investment Management’s Office of Chief Counsel by e-mail at IMOCC@sec.gov or by telephone at (202) 551-6825. 

Please direct questions regarding small brokers or dealers to the Division of Trading and Markets.  Questions may be directed to the Division of Trading and Markets by e-mail at tradingandmarkets@sec.gov or by telephone at (202) 551-5777.