Red Flags Rule
On January 1, 2011, the Federal Trade Commission (FTC) began enforcing its Fair and Accurate Credit Transactions Act of 2003 (FACT Act) Red Flags Rule. The Red Flags Rule requires that each "financial institution" or "creditor"—which includes most securities firms—implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts." These include consumer accounts that permit multiple payments or transactions, such as a retail brokerage account, credit card account, margin account, checking or savings account, or any other accounts with a reasonably foreseeable risk to customers or your firm from identity theft.
On July 21, 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred responsibility for rulemaking and enforcement of identity theft red flag rules and guidelines to the SEC and CFTC for the firms they regulate.
On Feb. 28, 2012, the SEC and CFTC jointly proposed for comment identity theft red flag rules and guidelines that are substantially similar to the FTC Red Flags Rule and do not propose new requirements or cover new entities. The proposed rules and guidelines do, however, include examples and minor language changes to help securities and commodities firms comply. The comment period closed May 7, 2012.
The following resources may be useful to firms: