The growth and expansion of information technology and electronic communication have made it increasingly easy to collect, maintain, and transfer personal information about individuals. Advancements in technology also have led to increasing threats to the integrity and privacy of personal information. The Fair Credit Reporting Act of 1970 (“FCRA”), as amended in 2003, required several federal agencies to issue joint rules and guidelines regarding the detection, prevention, and mitigation of identity theft for entities that are subject to their respective enforcement authorities (also known as the “identity theft red flag rules”). At the time the Agencies adopted their rules, the FCRA did not require or authorize the Commodity Futures Trading Commission (“CFTC”) to issue identity theft red flags rules.
In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act amended the FCRA to add the CFTC to the list of federal agencies that must jointly adopt and individually enforce identity theft red flags rules. The CFTC issued final rules and guidelines to require certain regulated entities to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The final rules became effective on May 20, 2013 and the compliance date for these requirements was November 20, 2013.
Under the final rules, the CFTC defined the following institutions as those required to adopt and enforce programs to identify risks of identity theft: futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers (“IB”), swap dealers, or major swap participants.
All IBs are required to develop and implement an identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with customer accounts. An IB should have already established and implemented an Anti-Money Laundering (“AML”) policy. The AML policy is expected to work in conjunction with the Identity Theft Prevention Program. The Identity Theft Prevention Program should:
- Designate an individual, generally from senior management, responsible for the oversight, development, implementation, and administration of the Identity Theft Prevention Program;
- Identify red flags pertaining to:
  - Suspicious documents (e.g. documents provided for identification appear to have been altered or forged);
  - Suspicious personal identifying information (e.g. personal information provided is inconsistent when compared against external information sources);
  - Alerts, notifications, or warnings from a consumer reporting agency (e.g. a consumer reporting agency provides a notice of address discrepancy);
- Describe the processes used to identify identity theft, which should cover detection by the IB at the account opening process as well as during the life of the account;
- Describe the process for the IB to respond to potential identity theft (e.g. additional monitoring of an account, changing passwords, contacting law enforcement);
- Require periodic updates based upon changes in risks to customers or to the safety of the IB.
Once the program is established, it must be approved in writing by senior management, periodic training must be provided for staff, and a report must be prepared annually that addresses material matters relating to the identity theft prevention program and evaluates issues such as (i) the effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; (ii) service provider arrangements; (iii) significant incidents involving identity theft and management's response; and (iv) recommendations for material changes to the identity theft prevention program.