In June of 2008, the Federal Trade Commission (FTC) and the federal banking regulators issued joint regulations implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).1 Known as the “Red Flag Rules”, financial institutions and creditors with covered accounts are required to develop and implement written identity theft prevention programs for the detection, prevention, and mitigation of identity theft in connection with the opening of certain accounts or certain existing accounts.2 Enforceable in May 2009, the identity theft program must be able to detect, identify, and respond to indicators of possible fraudulent activity that, when detected, would prompt creditors to determine whether there is any fraudulent activity afoot.3
To be subject to the FTC’s rules, a securities institution must first fall within the FACT Act’s definition of either a “creditor” or a “financial institution”. A “creditor” is an entity that is regularly involved with the extension, renewal or continuation of credit.4 A “financial institution” includes banks, credit unions, savings and loans, but also any other person holding a transaction account either directly or indirectly belonging to a consumer.5 For this purpose, a “transaction account” means a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.6
Certain broker-dealers may fall under the definition of a creditor if they extend credit to customers as part of their regular business by allowing them to trade on margin. Other broker-dealers may be deemed a financial institution if they maintain custodial accounts which allow customers to make multiple account withdrawals for the purposes of payments and transfers to third parties. Similarly, some mutual funds allow investors to direct redemption payments to be made to third parties. This too would convert the fund into a transaction account and consequently make the fund a financial institution.
As long as a securities institution conducts activities causing it to fall under the FTC’s jurisdiction, all activities performed by that institution will be subject to the Red Flag Rules. For example, although most investment advisers do not maintain custody of client accounts or advance funds to clients as part of their advisory business, as true “dual registrant” (i.e. a firm registered both as a registered investment adviser and broker-dealer with the SEC) may need to comply if the firm’s broker-dealer business falls within the definition of a financial institution or creditor.
To be subject to the Red Flag Rules, the securities institution must not only fall within the definition of a creditor of financial institution but, also hold “covered accounts” for its customers. The term “covered account” means an account used primarily for personal, family or household purposes which allows for multiple transactions or payments as well as “[a]ny other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”7 In practice, most accounts held by securities firms or investment companies will fall within the definition of covered account. This is because personal and non-public information is used in opening and maintaining accounts or investment company interests and this poses a reasonably foreseeable risk of identity theft which is likely to qualify the account as a covered account for the purposes of the Rules
Similar to the proposed revised Regulation S-P, the Red Flags Rules allow businesses great flexibility in designing an identity theft prevention program suitable to the nature of a company’s business operations as well as appropriate for their size and capabilities.8 As guidance to assist businesses in designing and implementing a written identity theft prevention program, the FTC identified 26 possible red flag indicators to serve as examples for creditors to use as a starting off point. For more information regarding the possible red flag indicators, please visit http://edocket.access.gpo.gov/2007/pdf/07-5453.pdf.
Ordinary securities activities will not cause most institutions to fall into either category. However, if these institutions provide ancillary services or are registered as something other than a broker, dealer, investment company or investment adviser, it could still be caught by these provisions. Regardless of whether the firm is indeed subject to the FTC’s jurisdiction, all securities firms should pay close attention to the Red Flags Rules. When considering its proposals to amend Regulation S-P, the SEC looked at the regimes imposed by its fellow regulators in an attempt to promote consistency between its rules and guidelines and those of the other federal agencies that oversee the financial services industry. Many of the proposed changes to Regulation S-P discussed above appear to closely resemble certain rules of the FTC. It is therefore possible that the SEC may take its cue from the Red Flag Rules and impose similar requirements on securities firms, either in further revisions to Regulation S-P or in future regulations. In the meanwhile, be sure you are prepared for the enforcement of these Red Flags Rules in 2009.
Author: Michelle Jacko, Managing Partner and Christina Rovira, Legal Assistant, Jacko Law Group, PC (“JLG”). JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds and banks on legal and regulatory compliance matters.
This article is for information purposes and does not contain or convey legal advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer.
1 FTC Business Alert, New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft, available at http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm.
2 16 C.F.R. § 681.2.
3 Supra, note 1.
4 16 C.F.R. § 681.2(b)(5).
5 15 U.S.C. § 1681a(t).
6 12 U.S.C. § 461(C).
7 16 C.F.R. § 681.2(b)(3).
8 Supra, note 1.