Red Flags Rule

On January 1, 2011, the Federal Trade Commission (FTC) began enforcing its Fair and Accurate Credit Transactions Act of 2003 (FACT Act) Red Flags Rule. The Red Flags Rule requires that each "financial institution" or "creditor"—which includes most securities firms—implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts." These include consumer accounts that permit multiple payments or transactions, such as a retail brokerage account, credit card account, margin account, checking or savings account, or any other accounts with a reasonably foreseeable risk to customers or your firm from identity theft.

 

On July 21, 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred responsibility for rulemaking and enforcement of identity theft red flag rules and guidelines to the SEC and CFTC for the firms they regulate.


On April 19, 2013, the SEC and CFTC published their joint final Identity Theft Red Flags Rule and guidelines to be effective May 20, 2013, with a compliance date of November 20, 2013. The rule and guidelines do not contain requirements that were not already in the FTC Red Flags Rule and guidelines, and do not expand the scope of that rule to include new categories of entities that the rule did not already cover. They do, however, contain examples and minor language changes designed to help guide entities within the SEC's enforcement authority in complying with the rule, which may lead some entities that had not previously complied with the rule to determine that they fall within the scope of the rule that the SEC and CFTC adopted.

 

The following resources may be useful to firms:


Historical Guidance