May 20, 2013
On April 10, 2013, the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) published new regulations regarding identity theft prevention and red flags that require financial institutions regulated by these two agencies to develop and implement identity theft prevention programs.
In response to a nationwide increase in identity theft, Congress in 2003 passed the Fair and Accurate Credit Transactions Act (FACT Act), which amended the Fair Credit Reporting Act (FCRA). The 2003 amendment required the Federal Trade Commission (FTC) and the federal prudential banking regulators to issue rules and guidelines regarding the detection, prevention and mitigation of identity theft applicable to financial institutions and creditors; these rules were issued in 2007 and effective in 2008. At the time, the FACT Act did not require the SEC or CFTC to promulgate rules specifically for the institutions subject to their supervision; rather, the FTC’s rule was determined to be applicable to these firms. This framework did not provide the SEC and CFTC the specific authority to enforce the FTC’s rules.
Under the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA), rule-making and enforcement authority for the FACT Act red flags requirements were transferred from the FTC to the SEC and CFTC for the entities registered with and regulated by these agencies. Though the rules adopted by the SEC and CFTC are substantially similar to the FTC’s rules that were already applicable to firms subject to SEC and CFTC oversight, it is worthwhile for affected firms to revisit the applicability of these rules and their technical requirements since it is likely these will become areas of significant examination focus for the SEC and CFTC going forward. This Flash Report summarizes the technical requirements of these rules.
Covered Entities and Accounts
The SEC’s and CFTC’s rules apply to the following types of financial institutions (“covered entities”) if they directly or indirectly maintain “covered accounts”:
- Registered broker-dealers
- Registered investment companies
- Investment advisers
- Futures commission merchants
- Retail foreign exchange dealers
- Commodity trading advisers
- Commodity pool operators
- Introducing brokers
- Swap dealers
- Major swap participants
As defined by the CFTC and SEC, “covered account” means:[1]
- An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a margin account, a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties; and
- Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
Identity Theft Red Flags
The agencies recognize that red flags may differ in terms of relevancy from one covered account to another and from one covered entity to another. The rules address five categories of identity theft red flags that covered entities should consider when developing their identity theft prevention programs:
- Alerts, notifications or other warnings received from consumer reporting agencies or service providers, such as fraud detection services
- Presentation of suspicious documents, such as documents that seem to be altered or forged
- Presentation of suspicious personal identifying information, such as suspicious address changes
- Unusual use of, or other suspicious activity that is related to, a covered account
- Notice from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor
Identity Theft Prevention Program Requirements
Covered entities that maintain one or more types of covered accounts must develop and implement a written, board-of-directors-approved identity theft prevention program designed to identify, detect, prevent and mitigate identity theft in connection with the opening of new covered accounts or the servicing of existing ones. At a minimum, these programs must include reasonable policies and procedures, commensurate with the size and complexity of the financial institution and the scope of its activities, to:
- Identify and reassess periodically the extent of covered accounts maintained by the institution.
- Identify identity theft risks associated with covered accounts maintained and incorporate into the identity theft prevention program relevant red flags for the covered accounts that the financial institution offers or maintains.
- Detect those red flags incorporated into its program.
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft.
- Train staff, as necessary, to implement the identity theft prevention program effectively.
- Periodically update the program to reflect changes in identity theft-related risks to customers and to the institution’s safety and soundness.
[1] Identity Theft Red Flags Rules, Federal Register, www.federalregister.gov/articles/2013/04/19/2013-08830/identity-theft-red-flags-rules.
Covered entities that utilize third-party service providers to originate, service and/or otherwise maintain covered accounts on their behalf are responsible for ensuring that these service providers identify, detect, prevent and mitigate the theft of personal information. Failure of a financial institution to oversee its service providers appropriately could result in culpability for the financial institution. The institution may consider contractually requiring a service provider to have policies and procedures to detect relevant red flags that may arise in performance of the service provider’s activities and either report the red flags to the financial institution or take appropriate steps to prevent or mitigate identity theft.
The board of directors and/or senior management should have involvement in the oversight, development, implementation and administration of the identity theft prevention program. Staff of the financial institution should provide reporting to the board and/or senior management at least annually regarding the effectiveness of the program, including any identity theft-related incidents and management’s response and any recommendations related to material changes to the program.
Perspectives on Implementing and Maintaining an Effective Identity Theft Prevention Program
Financial institutions subject to these requirements are challenged to implement an effective identity theft prevention program and should consider the following:
- Evolving risks. Identity theft risks and financial crimes evolve, often at a pace faster than financial institutions can monitor and address. Further, internal changes to products, services, processes and systems should be assessed for risks associated with identity theft. It is critical that institutions view risk assessment as a continuous exercise, and take steps to update their identity theft prevention programs in a timely manner as risks evolve.
- Accountability. An institution should assign clear accountability for managing its enterprisewide identity theft prevention program, coordinating efforts with various other departments and providing reporting at least annually to senior management and the board.
- Coordination. Program activities related to the detection, prevention and mitigation of identity theft should be coordinated with existing fraud and anti-money laundering efforts. Where overlap occurs, institutions should take care to prevent unnecessary duplication. The SEC and CFTC rules permit institutions to leverage other governance efforts to address the red flags requirements.
- Systems. Technologies should enable identity theft detection and mitigation efforts, such as through the identification of potential patterns and trends, and transaction blocking, respectively, as well as ongoing management reporting. Organizations that receive consumer complaints regarding identity theft should evaluate how systems and technologies may have been used more effectively to detect, prevent and mitigate such activity.
Identity theft is a very personal crime for a financial institution’s customers and a growing financial crime. Identification, detection, prevention and mitigation of identity theft is not just a legal or regulatory requirement, but also a fundamental tenet of good customer service; institutions that do not address it appropriately face significant reputation risk.
The final rule and associated guidelines were published in the Federal Register on April 19, 2013, by the SEC and the CFTC, and will become effective on May 20, 2013, with a full compliance date of November 20, 2013.
Although the rules do not necessarily create new compliance obligations for firms subject to SEC and CFTC oversight (because these entities should have previously developed identity theft prevention programs), these firms should re-evaluate the completeness and effectiveness of their programs against the new rules. Firms that have not developed such programs should evaluate the applicability of the rules to their operations and take steps to implement internal controls and procedures necessary to implement these requirements in a timely manner.
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.