Feds Implement New Identity Theft Rules for Banks and Investment Advisers – A JD Supra Q&A

“… the written identity theft program [must] be designed to detect, prevent and mitigate identity theft in connection with certain existing accounts or the opening of new accounts.” (Katten Muchin Rosenman)

On May 20, 2013, identity theft red flag rules developed by the Securities and Exchange Commission and the Commodity Futures Trading Commission went into effect. The new rules – intended to protect consumers against fraud stemming from the use of stolen personal information – require covered financial institutions and investment advisers to develop a written identity theft prevention program.

Covered entities have until November 20, 2013 to comply with the red flag rules.

For your reference, a brief Q&A on the new regulations:

Who is covered by the new rules?

“The CFTC’s rules will apply to CFTC regulated entities that qualify as ‘financial institutions’ or ‘creditors’ under the Fair Credit Reporting Act. The SEC’s rules will apply to broker-dealers, mutual funds, investment advisers, and certain other regulated entities.” (Perkins Coie)

Which new policies and procedures are required?

“Each program should include (i) reasonable policies and procedures to identify red flags (i.e., a pattern, practice, or specific activity that indicates the possible existence of identity theft, such as alerts, notifications, and suspicious documents); (ii) reasonable policies and procedures to detect the identified red flags (e.g., obtaining identifying information and monitoring transactions); (iii) reasonable policies and procedures to respond appropriately to any detected red flags (e.g., contacting customers and/or law enforcement, opening new accounts, and changing passwords); and (iv) reasonable policies and procedures to periodically update the program (e.g., analyzing changes in business practices and methods of identity theft).” (Lowenstein Sandler)

What exactly are the red flags of identity theft?

“The Rules define a red flag as ‘a pattern, practice, or specific activity that indicates the possible existence of identity theft.’ The Rules do not specifically identify relevant red flags, but rather allow covered entities to determine relevant red flags, based on (1) the types of covered accounts offered or maintained; (2) the methods provided to open covered accounts; (3) the methods provided to access covered accounts; and (4) previous experiences with identity theft.” (Dechert)

How should customer accounts be monitored for red flags?

“The Commissions provide some examples of policies and procedures for detecting red flags, such as by (i) obtaining identifying information about, and verifying the identity of, a person opening a covered account; and (ii) authenticating customers, monitoring transactions, and verifying the validity of change of address requests for covered accounts.” (Mintz Levin)

What to do if red flags are detected?

“Appropriate prevention and mitigation steps may include: (a) monitoring the covered account for evidence of identity theft; (b) contacting the customer; (c) changing passwords, security codes, and other security devices permitting access to a covered account; (d) reopening a covered account with a new account number; (e) closing an existing covered account; (f) not attempting to collect on a covered account or not selling it to a debt collector; or (g) notifying law enforcement.” (Morrison & Foerster)

Who should be put in charge of the program?

“The Program should be overseen by the entity’s board of directors, a committee of the board of directors, or a designated senior management employee. This oversight should include assigning specific responsibility for the Program’s implementation, reviewing reports prepared by staff regarding compliance by the entity, and approving material changes to the Program.” (Mintz Levin)

What to consider when updating the program?

“… the rules require financial institutions and creditors to have reasonable policies and procedures to periodically update their programs to reflect changing risks to customers and the soundness of the financial institution or creditor from identity theft. The guidelines list certain factors on which financial institutions and creditors could base their periodic updates, including: their experience with identity theft; changes in methods of identity theft; changes in methods to detect, prevent, or mitigate identity theft; changes in the types of accounts offered or maintained; and changes in the business arrangements, including mergers, acquisitions, joint ventures, and service provider arrangements.” (Morrison & Foerster)

Are outside service providers subject to the same rules?

“Organizations that engage service providers must ensure that the providers conduct their activities in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft. If a third-party service provider loses customers’ personal information, the financial institution may be found to have run afoul of the Rules if it failed to exercise appropriate and effective oversight over the service provider arrangement.” (Dechert)
