Introduced in 2003 by amendment to the Fair Credit Reporting Act of 1970 (FCRA), the identity theft red flags rule (Red Flags Rule) required the Federal Trade Commission (FTC) to issue rules that require certain regulated entities to implement programs designed to detect, prevent and mitigate identity theft. In 2007, the FTC released the first Red Flags Rule, which was written so that the FTC could enforce the rule on entities regulated by the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC). Then, in 2010, the Dodd-Frank Act amended the FCRA, requiring other agencies, including the SEC and CFTC, to take over for the FTC and enforce their own version of the Red Flags Rule on their respective regulated entities.
Pursuant to the Dodd-Frank Act, the SEC and CFTC issued a joint Red Flags Rule earlier this year. The SEC’s rule applies to broker-dealers, investment companies and investment advisers. The CFTC’s rule applies to futures commission merchants, commodity trading advisers and commodity pool operators. The joint Red Flags Rule specifies: (i) which regulated entities are subject to the rule; (ii) the objectives of the program; (iii) the elements that a program must contain; and (iv) the steps covered entities should take in order to implement and carry out their program.
Covered entities are required to be in full compliance with the SEC and CFTC joint Red Flags Rule by Nov. 20, 2013. The joint rule issued by the SEC and CFTC contains no material differences from the 2007 version of the rule, nor does the joint rule expand the scope of the previous rule. Thus, entities regulated by the SEC and CFTC should already have compliance programs in place that satisfy the requirements of the “new” Red Flags Rule.
Entities regulated by the SEC and CFTC should examine the final joint Red Flags Rule to ensure their program satisfies the requirements of the rule.