
The Red Flag Rules

Written by NIBA

Dodd-Frank transferred responsibility for identity theft from the FTC to the CFTC and SEC for those financial institutions under their jurisdiction. The rules adopted in April 2013 require “financial institutions” that “hold” “covered accounts” to establish an Identity Theft Prevention Program (“ITPP”). These rules are known as the “Red Flag” rules. The CFTC has defined the term “financial institution” to include FCMs, IBs, CTAs and CPOs as well as Swap Dealers. Traditional futures trading accounts are considered “covered accounts”.

If you don’t “hold” covered accounts, directly or indirectly, then the extent of your responsibility under the Red Flag rules is to conduct a periodic review to make certain that you have not acquired any covered accounts. The SEC has made the determination that investment advisers may be indirectly holding covered accounts if they have the authority to authorize payments to third parties from their customers’ accounts. A similar interpretation could be made for CTAs. In fact, the CFTC estimated that 10% of CTAs and CPOs may be holding covered accounts.

If your firm holds covered accounts, then you must develop and adopt a written Identity Theft Prevention Program. That is actually easier than you might think. The FTC has developed a template ITPP that is easily customizable for your particular circumstances. The first step is to determine which red flags pose a risk to your customers or your firm. Then you must describe how you would detect those red flags and how you would respond if a red flag were detected. The ITPP must be updated periodically to reflect changes in risks to both your customers and your firm, and you need to train your staff on detecting and responding to red flags.

Red flags may be present both in the account opening process and the account access allowed to your customers. Care must be taken to prevent thieves from opening accounts in other people’s names, but a more important issue for IBs is preventing thieves from accessing customer accounts. Your FCM may hold you responsible if you authorize a disbursement from a customer account for the wrong payee. We have all received the phony emails purporting to be from friends or associates requesting funds because they were stranded somewhere outside the country. With email takeovers so prevalent, every IB must be vigilant for sophisticated attempts to raid customer accounts.

I have heard that the NFA has been asking the IBs that they are examining about identity theft. I have also heard that the NFA is being greeted with blank stares from the IBs. While an IB is a financial institution, it is unlikely that an IB will ever hold a covered account. If the NFA inquires, your response should be (in the most civil possible manner) that you have determined that you do not hold covered accounts and therefore are not required to implement an ITPP. It is probably a good idea to add a sentence to your AML policy directing the AML officer to make a determination that your firm holds no covered accounts.

Identity theft is an important and costly issue. You should ask each FCM that you work with to provide you with copies of the policies they have in place to protect your customers. We work in an increasingly hostile online environment, where email takeovers are common, so you must be on your guard and verify every request to withdraw funds from your customers’ accounts. It’s better to be safe than sorry.

Marc Nagel

mn@marcnagel.com

www.marcnagel.com

Marc Nagel is an independent compliance consultant and acts as an advisor to Exchange Analytics, the leading provider of training to the futures and derivatives industry. Exchange Analytics will be offering a training program on identity theft beginning this summer.
