The CFTC and the SEC are jointly issuing final rules and guidelines to require certain regulated entities to establish programs to address risks of identity theft. These rules and guidelines implement provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which amended the Fair Credit Reporting Act (“FCRA”). First, the rules require financial institutions and creditors to develop and implement a written identity theft prevention program (“Program”) designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The rules include guidelines to assist entities in the formulation and maintenance of programs that would satisfy the requirements of the rules.


Sections 615(e)(1)(A) and (B) of the FCRA, as amended by the Dodd-Frank Act, require that the Commissions jointly establish and maintain guidelines for “financial institutions” and “creditors” regarding identity theft, and adopt rules requiring such institutions and creditors to establish reasonable policies and procedures for the implementation of those guidelines. Under the final rules, a financial institution or creditor that offers or maintains “covered accounts” must establish an identity theft red flags program designed to detect, prevent, and mitigate identity theft.


The types of entities listed by name in the scope section are the registered entities regulated by the SEC that are most likely to be financial institutions or creditors, i.e., broker-dealers, investment companies, and investment advisers. The scope section also includes any other entities that are registered or are required to register under the Exchange Act, such as SROs and municipal advisors. Moreover, if any entity of a type not listed qualifies as a financial institution or creditor, it is covered by the SEC’s rules.


As discussed above, the Commissions’ final red flags rules apply to “financial institutions” and “creditors.” As in the proposed rules, the Commissions are defining the term “financial institution” in the final rules by reference to the definition of the term in the FCRA. That section defines a financial institution to include certain banks and credit unions, and “any other person that, directly or indirectly, holds a transaction account belonging to a consumer.” The Federal Reserve Act defines “transaction account” to include an “account on which the account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.” The FCRA defines “consumer” as an individual; thus, to qualify as a financial institution, an entity must hold a transaction account belonging to an individual. The following are illustrative examples of an SEC-regulated entity that could fall within the meaning of the term “financial institution” because it holds transaction accounts belonging to individuals: (i) A broker-dealer that offers custodial accounts; (ii) a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and (iii) an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.


Under the final rules, a financial institution or creditor must establish a red flags Program if it offers or maintains “covered accounts.” The Commissions are defining the term “covered account” in the final rules as: (i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. The SEC’s definition includes, as examples of a covered account, a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties.

The Commissions are defining an “account” as a “continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.” The SEC’s definition includes, as examples of accounts, “a brokerage account, a mutual fund account, and an investment advisory account.”

The final rules require all financial institutions and creditors to assess whether they offer or maintain covered accounts. The rules provide examples of covered accounts, but not all of the types of accounts that could be covered accounts. Any list that attempts to encompass all types of covered accounts would likely be under-inclusive and would not take into account future business practices. The definition of “covered account” is deliberately designed to be flexible to allow the financial institution or creditor to determine which accounts pose a reasonably foreseeable risk of identity theft and protect them accordingly.