CFTC/SEC Identity Theft Policies Now Required
As a reminder, on May 20, 2013, the Commodity Futures Trading Commission (CFTC) and U.S. Securities and Exchange Commission’s (SEC) joint final rules concerning identity theft precautions took effect. Most regulated firms will be required to comply with the final rules by November 20, 2013. In particular, the final rules require that certain regulated entities establish programs to address and reduce the risk of identity theft within their operations. If you are subject to the regulations, your required program must be designed to detect, prevent and mitigate identity theft in connection with your firm’s existing accounts or the opening of new accounts.
According to U.S. regulators, entities that qualify as either “financial institutions” or “creditors” under the Fair Credit Reporting Act will be impacted. This effectively includes any CFTC-registered futures commission merchant, retail foreign exchange dealer (“RFED”), commodity trading advisor (“CTA”), commodity pool operator (“CPO”), introducing broker (“IB”), swap dealer (“SD”) or major swap participant (“MSP”). Other firms subject to the requirement include investment companies, business development companies, investment advisers (not including exempt reporting advisors) and broker-dealers. A comprehensive list of all the regulated entities that are included is contained in the final rules.
To be more specific regulated entities that offer or maintain one or more of the “covered account” types described in the final rules must adopt a prevention program. The term “covered accounts” is defined broadly to include personal accounts designed to permit multiple payments or transactions and any account with a reasonably foreseeable risk of identity theft. In essence, most types of accounts relevant to retail firms are likely to be deemed “covered accounts” under the final rules.
Red Flags
Firms that are required to adopt a prevention program (many CFTC/NFA regulated entities) must include reasonable policies and procedures designed to: (1) identify red flags concerning identity theft; (2) detect the identified red flags; (3) respond appropriately to any detected red flags; and (4) periodically update the prevention program to reflect changes in risks to customers and to the safety and soundness of the firm from identity theft. These companies will be required to also determine on their own which red flags are relevant to their specific business activities and the accounts they offer and/or maintain.In preparing its prevention program, a regulated entity must consider, at a minimum, the following factors in identifying relevant red flags: (1) the types of accounts that the firm offers or maintains; (2) its methods to open or access such accounts; and (3) its prior experiences with identity theft. In addition, firms must also consider including in the prevention program, appropriate ways in which to address: (1) alerts from other reporting agencies or service providers; (2) existence of unusual documents, such as those that appear to have been altered or forged; (3) existence of suspicious personal identifying information, such as an address change; (4) unusual account activity and (5) various notices from customers, victims of identity theft, law enforcement and/or other persons regarding a possible identity theft.
Regulated firms will also be required to periodically review their accounts to ensure they are properly applying the final rules. The final rules also require approval of the prevention program from either the company’s board of directors, an appropriate committee of the board of directors, or if the entity does not have a board, from a designated senior management employee. In addition to this, firms must involve the board of directors, an appropriate committee, or a designated senior management employee in the oversight, development, implementation and administration of the prevention program. Finally, staff members must also be trained on how to properly implement and maintain the prevention program. In this area regulated entities will need to consider their unique operational circumstances to determine appropriate training practices.
Further Guidance
Affected firms should ensure that they have an appropriate prevention program in place as of November 20, 2013. Please note that the information set forth in this summary is not intended to be all-inclusive and does not constitute legal advice. If you have any questions concerning the preparation or implementation of a prevention program, we suggest you contact a regulatory professional like Turnkey Trading Partners (TTP) to assist you in understanding and complying with the new final rules. TTP has the business acumen, as well as relationships with law firms, such as Henderson & Lyman, to provide you with the guidance you need to assist you in complying with these new rules concerning identity theft protection.Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers.