On April 10, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) (together, the Commissions) jointly adopted rules and guidelines that require certain entities subject to their enforcement authorities to develop compliance programs to protect investors from identity theft.  The new Identity Theft Red Flags Rules, adopted pursuant to the Dodd-Frank Act, which amends the Fair Credit Reporting Act (FCRA), are similar to existing identity theft rules enforced by the Federal Trade Commission (FTC) and federal banking regulators.
The Red Flags Rules require "financial institutions" and "creditors" that hold certain covered accounts to develop and implement a written identity theft prevention program. The program must provide for identification and detection of and responses to patterns, practices or specific activities -- known as "red flags" -- that could indicate identity theft.
The entities regulated by the SEC that are most likely to be financial institutions and creditors include broker-dealers offering custodial accounts, investment companies permitting investor wire transfers and check writing, and investment advisers permitting payments out of transaction accounts. The entities most likely to be covered within the CFTC's regulatory scope include futures commission merchants, retail foreign exchange dealers, commodity trading advisers, commodity pool operators, introducing brokers, swap dealers and major swap participants.
Once the determination is made that the entity is a financial institution or creditor, a decision must then be made about whether the entity maintains any "covered accounts." The term "covered account" encompasses two types of accounts: the first is an account maintained primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; the second is any other account for which there is a foreseeable risk of identity theft. This second type is governed by a risk-based analysis, and each entity must make its own determination of whether its accounts meet the definition. The Commissions' guidance on the second type of account provides that the entity should conduct a risk evaluation that considers both the methods it employs to open or access its accounts and its previous experience with identity theft.
Elements of Identity Theft Prevention Program
The Red Flags Rules are meant to be flexible and provide a covered entity with the opportunity to design and implement a program that is appropriate to its size and the nature of its operations. Therefore, a large company with several types of accounts may need a complex program, while a small, low-risk business may be able to adopt a streamlined program. Regardless of the nature of a business, the program must include five elements:
The obligations of an entity to comply with the Red Flags Rules also apply even if the entity outsources parts of its operations. Therefore, the entity must specify how it will ensure and monitor compliance with the program by external service providers.
The Red Flags Rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after the effective date (around November 15).
Despite the fact that many of the entities described above have been subject to similar rules administered by the FTC in the past, these rules will be new for others, particularly certain private fund advisers recently registered with the SEC.
It is essential that entities regulated by the Commissions correctly determine whether they fall under the definition of "financial institution" or "creditor" and, if so, whether they maintain "covered accounts." Entities so designated should design and implement appropriate identity theft prevention programs. Even in the absence of a legal obligation, implementing a program containing elements of the rules would help companies mitigate the risk of identity theft and reduce their overall exposure.
Implementation of an identity theft prevention program starts with an analysis of risks to the secure maintenance of confidential information. Such risk analysis would evaluate the likelihood and severity of a data breach. The results of the risk assessment would help to prioritize the risk areas (e.g., portable devices, offshore business associates, lack of encryption) that would be targeted for the implementation of controls (e.g., policies, processes, training) to manage identified risks.
Companies should review or implement policies, processes and systems to prevent, detect, contain and correct intentional or accidental misuse, disclosure, modification or destruction of confidential information. Further, companies should review third-party service provider agreements to ensure that they contain contractual undertakings to protect confidential information entrusted to such providers and give companies the right to enforce data protection standards. In addition, relevant employees and service providers should be provided with training on ways to protect confidential information (e.g., not leaving sensitive information unattended at workstations or on an open computer screen, and ensuring that e-mail containing such information is encrypted). Finally, employees and service providers need to be aware of personal sanctions for violating data security standards.
For more information about the Identity Theft Red Flags Rules or how to design an identity theft compliance program, please contact any of the individuals listed above or Jim Bowers, our director, Compliance Risk Services, who can be reached at (860) 275 0339 or firstname.lastname@example.org.
 Identity Theft Red Flags Rules at http://www.sec.gov/rules/final/2013/34-69359.pdf.
 Section 603(t) of the FCRA defines "financial institution" to include certain banks and credit unions and "any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer."
 The FCRA defines "creditor" for the purpose of these rules as a creditor as defined in the Equal Credit Opportunity Act (i.e., a person that regularly extends, renews or continues credit, or makes those arrangements) that "regularly and in the course of business...advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person."