
"Red Flag" Compliance Requirements Come to Investment Advisors, Broker-Dealers - UPDATE


UPDATE: We have prepared a detailed Client Alert as a guide to getting started with these new Red Flag Rules and compliance obligations. You can read it here.


It has been several years since the Federal Trade Commission's Red Flag Rule took effect, and the banking regulators have had the Red Flag Interagency Guidance in place since 2007. Finally, entities regulated by the Securities and Exchange Commission (SEC), such as broker-dealers and investment advisers, and entities regulated by the Commodity and Futures Trade Commission (CFTC), such as futures commodity merchants, commodity trading advisers and commodity pool operators, will be required to join the party.

In announcing the adoption of the rule, new SEC Chair Mary Jo White said, "Current estimates are that about five percent of American adults fall victim to identity theft fraud each year. It is a risk for everyone, and as technology continues to advance, the risks increase."

Section 1088 of the Dodd-Frank Wall Street Reform and Consumer Protection Act shifted certain oversight functions under the Fair Credit Reporting Act from the Federal Trade Commission to the SEC and the CFTC for entities regulated by those agencies. Last year the agencies issued a joint proposal on the identity theft provision. The final rules are "substantially identical" to the proposal, said Norm Champ, director of the SEC's Division of Investment Management.

Specifically, the rules require that covered entities set up programs that identify, detect, and respond to identity theft "red flags." Most of the SEC-regulated entities will not be surprised by these rules. Dodd-Frank essentially transferred oversight of already-existing Fair Credit Reporting Act requirements from the FTC to the SEC and the CFTC.

SEC Commissioner Luis Aguilar, however, noted that certain investment advisers, including advisers to hedge funds and private equity funds, may not have identity theft programs in place and will have to pay "particular attention" to the rules. Such entities were not required to register with the SEC until last year pursuant to Dodd-Frank.

The joint rules will become effective 30 days after publication in the Federal Register, and firms will be required to come into compliance six months after that date.



Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.

Adam Veness