This post was also written by Amy J. Greer and Frederick C. Leech.
On February 28, 2012, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) issued a proposed regulation, Regulation S-ID. This regulation, if adopted, would set forth specific guidance for SEC- and CFTC-regulated entities in implementing their internal programs to detect and deter would-be identity thieves. The Identity Theft Red Flags Rule promulgated by the Federal Trade Commission (FTC) had already mandated such programs for all companies falling under the Rule’s definitions of “financial institution” and/or “creditor”, and it had already been widely recognized that some SEC- and CFTC-regulated entities would fall within those definitions. The proposal of Regulation S-ID is a result of the Dodd-Frank Act shifting enforcement authority over these provisions of the Fair Credit Reporting Act (FCRA), so that the SEC and CFTC, instead of the FTC, would enforce the Red Flags Rule with respect to their respective regulated entities. The proposed regulation lists types of entities under the purview of the CFTC which may qualify as financial institutions or creditors, and hence may need to enact and implement Red Flags Rule policies. The SEC does not provide a similar list of affected entities, although “financial institutions” would include broker/dealers registered under the Securities Exchange Act, investment companies registered under the Investment Company Act, and investment advisers registered under the Investment Advisers Act.
The proposed regulation is intended to provide additional examples of how the Red Flags Rule applies to SEC- and CFTC-regulated entities. The proposed rule also describes additional rules and regulations that currently exist (besides the existing Red Flags Rule) that generally require these entities to conduct risk assessments and take steps to prevent identity theft and other fraud. Some entities may already be subject to, and in compliance with, customer identification program (CIP) rules under the PATRIOT Act, other Bank Secrecy Act rules, the Federal Financial Institutions Examination Council’s guidance on authentication, and Federal Information Processing Standards.
For these reasons, even though the proposed regulation is intended to act as a clarification, it makes sense for SEC- and CFTC-regulated entities to review their Red Flags Rule policies against the specifics of the proposal. Since third-party vendors of those regulated entities are sometimes called upon to implement those Red Flags Rule programs, those third parties should also review the proposal. The proposed Regulation S-ID will be open for comment for 60 days.