SEC Identity Theft Red Flags Rule
On January 1, 2011, the Federal Trade Commission (FTC) began enforcing its Fair and Accurate Credit Transactions Act of 2003 (FACT Act) Red Flags Rule. The Red Flags Rule requires that each "financial institution" or "creditor"—which includes most securities firms—implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts." These include consumer accounts that permit multiple payments or transactions, such as a retail brokerage account, credit card account, margin account, checking or savings account, or any other accounts with a reasonably foreseeable risk to customers or your firm from identity theft.
On July 21, 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred responsibility for rulemaking and enforcement of identity theft red flag rules and guidelines to the SEC and CFTC for the firms they regulate.
On April 19, 2013, the SEC and CFTC published their joint final Identity Theft Red Flags Rules and guidelines with a compliance date of November 20, 2013. The SEC rule is called Regulation S-ID. The joint rules and guidelines do not contain requirements that were not already in the FTC Red Flags Rule and guidelines, and do not expand the scope of that rule to include new categories of entities that the rule did not already cover. They do, however, contain examples and minor language changes designed to help guide entities within the SEC's enforcement authority in complying with the requirements, which may lead some entities that had not previously complied with the FTC Red Flags Rule to determine that they fall within the scope of the SEC and CFTC joint rules.
- SEC Release Nos. 34-69359, IA-3582, IC-30456 (April 19, 2013): Identity Theft Red Flags Rules; Final Rule Release
- SEC Release No. IC-29969 (February 28, 2012): Identity Theft Red Flags Rules; Proposed Rule Release
- Identity Theft Red Flags Rule: A Small Entity Compliance Guide