Broker-dealers are reminded that the Federal Trade Commission’s (FTC) Red Flags Rule (Rule), promulgated under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)1, becomes effective on May 1, 2009. Although it is not an SEC or FINRA rule, the Rule may, nonetheless, apply to some broker-dealers. If applicable, the Rule requires firms to develop and implement an approved written identity-theft prevention program to safeguard against identity theft among new and existing accounts.2
In November 2008, FINRA notified its members that firms that are subject to the Rule must, by May 1, 2009, have a written program to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.3 FINRA also advised members that a failure to comply with the Rule would violate the just and equitable principles of trade underpinning FINRA Rule 2110. To underscore the importance of compliance with the Rule, FINRA has listed the Rule on its list of examination priorities in 2009.4
In order to answer the threshold question of whether the Rule applies, broker-dealers should evaluate whether they fall within the definitions of either “financial institution” or “creditor.” If so, they should further determine whether they hold “covered accounts.”
Most broker-dealers likely would not fall within the definition of financial institution, which is defined as a depository institution or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.5 The term “transaction account” means an account that permits the account holder to make withdrawals for payment or transfer to third parties of securities or funds via telephone transfers, check, debit card, or other similar items.6 The term “consumer” as used here only refers to individuals.7 A broker-dealer with no individuals as clients would not be a financial institution. Firms that provide their individual customers with check-writing or debit/credit card privileges meet the definition of a financial institution.8
The Rule also applies to firms that are considered creditors. The term creditor means any person who regularly extends, renews, or continues credit or regularly arranges for the extension, renewal, or continuation of credit.9 A broker-dealer, acting as either an introducing or clearing firm, that provides a customer with margin would be deemed to be a creditor for purposes of the Rule. A broker-dealer also would be deemed to be a creditor if it extends credit, or arranges to extend credit, to any of its customers in any other context such as arranging loans. A broker-dealer that is not covered by the definition of financial institution could still be a creditor if it extends credit, or arranges to extend credit, for any of its customers.
If a firm is a financial institution or creditor, it must analyze whether it has covered accounts. A covered account is (1) an account offered or maintained primarily for personal, family, or household purposes that is designed to permit multiple payments or transactions; or (2) any other account for which there is a reasonably foreseeable risk to customers or safety and soundness of the member firm from identity theft, including financial operational, compliance, reputation, or litigation risks.10
While the definition of covered accounts in clause (1) generally only applies to retail accounts, the alternative definition in clause (2) would include any type of account (including institutional accounts) if the broker-dealer determines that those accounts pose a reasonably foreseeable risk to its customers or to its own safety or soundness from identity theft. Based on this definition, introducing broker-dealers should assume that, even though the extension of credit for margin and check-writing privileges may actually be services offered by the clearing firm, the introducing broker is required to comply with the Rule since it has the direct customer relationship.
If a broker-dealer meets the definitions of a financial institution or creditor maintaining covered accounts, it must develop and implement a program. The program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. It also must enable the firm to, among other things, identify relevant patterns, practices, and specific forms of red flag activities, detect red flags that have been incorporated into the program, and respond appropriately to any red flags.
Broker-dealers subject to the Rule will be able to use their AML and Regulation S-P policies and procedures as a framework to create a program. Firms should not, however, rely solely on existing policies because the Rule necessitates a separate and specific written program addressing the Rule. The FTC has provided detailed guidance on the creation of a program in Appendix A of the Rule. Since May 1, 2009 is just weeks away, if a broker-dealer determines that the Rule applies, it should immediately begin to develop an appropriate program.
1 See Sections 114 and 315 of FACT Act, Pub. L. 108-159 at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
2 News Release, FTC, Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy (October 31, 2007) at www.ftc.gov/opa/2007/10/redflag.shtm
3 See FINRA Regulatory Notice 08-69, dated November 2008, at www.finra.org/web/groups/industry/ip/reg/notice/documents/notices/p117448.pdf
4 See FINRA Examination Priorities letter at www.finra.org/web/groups/industry/ip/reg/guide/documents/industry/p118113.pdf
5 The term “financial institution” is specifically defined as “a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account ... belonging to a consumer.” 16 CFR 681.2(b)(7); 15 U.S.C. 1681a(t).
6 A “transaction account” is specifically defined as “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. Such term includes demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.” 12 U.S.C. 461(b)(1)(C).
9 The term “creditor” specifically means “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” See 16 CFR 681.2(b)(5); 15 U.S.C. 1681a(r)(5); and 15 U.S.C. 1691a(e).
10 The term “covered account” specifically means: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputational, or litigation risk. 16 CFR 681.2(b)(3).
Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:
Dean M. Jeske
U. Mariam Ahmed