News & Insights

SEC and CFTC Issue Final Red Flags Rules Relating to Identity Theft

SEC Regulatory, Bank Regulatory and Privacy Update

The Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC” and together with the SEC, the “Commissions”) released, on April 10, 2013, their final regulations—referred to as Regulation S-ID by the SEC—requiring certain broker-dealers, investment advisers, investment companies, futures commission merchants and other entities subject to the Commissions’ respective enforcement authority to establish programs to address identity theft risks.1 The regulations implement Section 615(e) of the Fair Credit Reporting Act (“FCRA”), often called the “red flags” rule. The new regulations, at 17 C.F.R. pts. 162 and 248, become effective on May 20, 2013; compliance with the regulations will be required as of November 20, 2013. Entities regulated by the SEC and CFTC should review their identity theft programs to ensure they meet the requirements of the new regulations.


Section 615(e) of the FCRA, adopted by Congress in 2003 as part of the Fair and Accurate Credit Transactions Act (“FACT Act”) originally provided rulemaking authority to the banking agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the National Credit Union Administration) and the Federal Trade Commission (“FTC”). These agencies jointly issued final identity theft red flag rules in 2007. SEC- and CFTC- regulated entities that fell within the definitions of “financial institution” and/or “creditor” covered by Section 615(e) were historically subject to one of the other agency’s rules, typically the FTC’s. However, because the SEC and CFTC lacked authority to enforce the rules, firms may not have been focused on these requirements.

The Dodd-Frank Act amended the FCRA to give the SEC and CFTC authority to adopt regulations and enforce the Section 615(e) requirements for entities regulated by them. The SEC and CFTC proposed, in 2012, to adopt rules that were substantially similar to the rules previously adopted by the banking agencies and the FTC. The changes were designed to address the particular application of the rules to the entities regulated by the SEC and CFTC.

Final Rules

The final regulations are substantially similar to the proposed regulations, and continue to largely follow the existing identity theft regulations of the banking agencies and the FTC. As a result, SEC and CFTC-regulated entities will generally continue to be subject to the same legal requirements as they have been since 2007. The new regulations do, however, contain illustrations and examples that are more tailored to SEC- and CFTC-regulated businesses. Moreover, because the SEC and CFTC now have authority to enforce the rules, compliance is a more visible item.

In summary, the new regulations require SEC and CFTC-regulated “financial institutions” and “creditors” that offer or maintain “covered accounts” to establish a red flags program that is designed to detect, prevent and mitigate identify theft. The regulations require involvement of the board of directors of the covered firm, or an appropriate committee of the board, in approving the program. The board, a committee, or a designated senior management employee must be involved in the oversight, development, implementation and administration of the program. Each firm’s program is required to have four elements: identifying relevant red flags for identity theft in the context of that firm’s “covered accounts;” detecting red flags; responding appropriately to any red flags; and ensuring that the program is updated periodically.

The only area in which the SEC and CFTC received substantial comment was the scope of the new regulations, and the identification of the entities subject to the new rules. Section 615(e) applies to “financial institutions” and “creditors.” “Financial institution” is defined as a bank, credit union, “or any other person that … holds a transaction account belonging to” an individual (consumer). “Creditor” is defined broadly to include persons extending credit, but excludes some incidental credit providers (such as service providers that bill in arrears). The CFTC’s regulation defines these terms by reference to the definitions in the FCRA, but also lists CFTC-regulated entities specifically included within the “creditor” definition—i.e., any futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, swap dealer or major swap participant that (i) “regularly” extends, renews or continues credit or arranges for the extension, renewal or continuation of credit; or (ii) in acting as an assignee of an original creditor, participates in the decision to extend, renew or continue credit.

While the SEC’s definitions only cross-reference the FCRA definitions, the introductory language to the SEC’s Regulation S-ID states that the regulation applies to any financial institution or creditor that is: (i) a broker, dealer, or other person registered or required to be registered under the Securities Exchange Act of 1934 (“Exchange Act”); (ii) an investment company that is registered or required to be registered under Investment Company Act of 1940, that has elected to be regulated as a business development company under that Act, or that operates as an employees’ securities company under that Act; or (iii) an investment adviser registered or required to be registered under the Investment Advisers Act of 1940.

An “account” is defined in the regulations as “a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.” In this regard, the SEC’s regulation offers brokerage accounts, mutual fund accounts and investment advisory accounts as examples. The CFTC’s regulation notes that an account includes “an extension of credit, such as the purchase of property or services involving a deferred payment.”

A “covered account,” in turn, is defined in the regulations as an “account that a financial institution offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions,” as well as “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” The SEC’s regulation offers the example of a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties. The CFTC’s regulation offers a margin account as an example of a covered account.

Both the SEC and the CFTC rejected commenters’ requests to exclude certain types of regulated entities on the grounds that these entities were unlikely to be considered “creditors” or “financial institutions” in the first instance. For example, commenters suggested that Exchange Act registered clearing organizations and municipal advisors should be excluded from Regulation S-ID’s coverage. Other commenters argued that registered investment advisers should be excluded. While the Commissions acknowledged that some entities may be considerably less likely to trigger the definitions, they concluded that such entities would and should be covered to the extent they engaged in activities that caused them to be deemed creditors or financial institutions for purposes of the regulations. Importantly, firms that conclude that they do not offer accounts subject to the regulation—for example, that offer accounts only to businesses—are obligated to confirm that conclusion on a periodic basis.

Of particular note, the SEC concluded that investment advisers would be considered “financial institutions” subject to Regulation S-ID if they have the ability to direct transfers or payments from accounts belonging to individuals to third parties, or if they act as agents on behalf of individuals. The SEC rejected comments that investment advisers should be excluded because they do not have actual custody of the accounts because, the agency concluded, the practical risk of identity theft is the same.


The new SEC and CFTC rules specifically address the application of the red flags requirements to those entities regulated by the two Commissions. While the substance of the rules is not new, certain nuanced definitional issues may contribute to confusion and potential traps for the unwary. The six month compliance period affords firms the opportunity to revisit their policies and procedures, and enhance them as necessary, in order to comply with the expectations of the SEC and CFTC going forward.

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work.


1 See SEC Release No. 34-69359 (April 10, 2013), 78 FR 23638 (April 19, 2013).


The Securities and Futures Regulatory Practice of Sidley Austin LLP 

Sidley Austin LLP has one of the nation's premier securities and futures regulatory practices, with more than 50 lawyers spanning Sidley offices in the United States, Europe and Asia. Lawyers in this practice group represent major investment banks, broker-dealers, futures commission merchants, commercial banks, insurance companies, hedge funds complexes, alternative trading systems and ECNs, and exchanges, both domestic and foreign. Drawing from its breadth and depth, Sidley's Securities and Futures Regulatory group handles a wide spectrum of matters—assisting clients with the formation of their businesses; counseling on general compliance, proposed laws and regulations, and regulatory trends; representing clients on securities and derivatives transactions; and defending firms in regulatory inquiries and enforcement proceedings.

The SEC Enforcement Practice of Sidley Austin LLP

Navigating today’s complex regulatory climate requires strategic thinking aimed at creatively and efficiently defending and, where appropriate, resolving securities investigations by the SEC, FINRA, NYSE, state Attorneys General and other regulators. Our national practice includes seasoned SEC enforcement practitioners in all of our domestic offices, including a former Associate Director of the SEC’s Enforcement Division, a former Co-Head of Enforcement for the SEC’s New York regional office and a former Senior Trial Counsel from the SEC’s Los Angeles regional office. By carefully assessing each case, we mount effective responses to any kind of securities regulatory inquiry. Our adversarial skills cover the full spectrum of securities enforcement matters, from defending investigations to litigating unsettled cases in federal court or before administrative and regulatory tribunals.

The Banking and Financial Services Practice of Sidley Austin LLP

The Banking and Financial Services Practice group offers counseling, transaction and litigation services to domestic and non-U.S. financial institutions and their holding companies, as well as securities, insurance, finance, mortgage, and diversified companies that provide financial services. We also represent all sectors of the payments industry, including payment networks and processors, money transmitters, and payors and payees in various systems. We represent financial services clients before the U.S. Department of the Treasury, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau and state regulatory agencies, as well as financial services regulators in other jurisdictions where we have offices. In addition, we represent clients before the United States Supreme Court, other federal courts and state courts.

The Privacy, Data Security & Information Law Practice of Sidley Austin LLP

We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes lawyers experienced in regulatory compliance, litigation, financial institutions, healthcare, EU regulation, IT licensing, marketing counsel, intellectual property, and criminal issues. Sidley provides services in the following areas:

  • Privacy and Consumer Protection Litigation, Enforcement and Regulatory Compliance
  • Data Breach, Incident Response, and Cybersecurity Advice
  • Global Data Protection, International Data Transfer Solutions and Cross-Border Issues
  • Corporate Data Protection, Compliance Programs and Information Governance Assessments
  • FTC and State Attorney General Investigations of Unfair or Deceptive Acts and Practices
  • Social Media, Cloud Computing, Online Advertising, E-Commerce and Internet Issues
  • EU, China and Japan Data Protection and Compliance Counseling
  • Gramm-Leach-Bliley and Financial Privacy
  • HIPAA and Healthcare Privacy
  • Communications Law and Data Protection
  • Workplace Privacy and Employee Monitoring
  • Website Policies Online Trademarks and Domain Name Protection
  • Records Retention, Electronic Discovery, Government Access and National Security

To receive future copies of this and other Sidley updates via email, please sign up at

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.