SEC/FTC Red Flags Rule
While the FACT Act required the FTC to develop an identity theft rule for certain financial institutions, the Dodd-Frank Act of 2010 directed the securities industry to develop its own rules on identity theft. As a result, the SEC and CFTC launched a joint identity theft red flags rule, known as Regulation S-ID. Regulation S-ID requires member firms that offer covered accounts to develop and implement a written identity theft prevention program to guide the opening and execution of those accounts. The program must create procedures to identify red flags and incorporate them into the firm’s daily activities. Entities must respond “appropriately” when red flags are detected to prevent identity theft. The board of directors or a designated senior-level employee must approve the program, administer it, and train staff to implement it. The firm must update the program “periodically” to reflect changes in customer and institutional identity theft risks. Staff should report to the board of directors or its designated employee at least annually on compliance.
The program must include relevant red flags from the four categories listed below. The rule also provides illustrative examples of red flags for these categories, such as the following.
Alerts Received from Consumer Reporting Agencies or Service Providers
• A fraud or active-duty alert is included with a consumer report
• A consumer report indicates a pattern of activity that is inconsistent with the customer’s usual pattern
Presentation of Suspicious Documents or Personal Identifying Information
Personal identifying information means any name or number that may be used to identify a specific person, including personal IDs—such as a driver’s license, Social Security number, or passport—biometric data, such