SEC And CFTC Adopt Rules To Address FCRA Requirements For Identity Theft Programs And Credit Card Changes Of Address (Financial Services Alert For April 16, 2013)

Edited by: Eric R. Fischer, Jackson B.R. Galloway and Elizabeth Shea Fries

In This Issue:

SEC and CFTC Adopt Rules to Address FCRA Requirements for Identity Theft Programs and Credit Card Changes of Address Federal Court Rules That Failure to Meet Statutory 180-Day Deadline After Wells Notice Does Not Bar Filing of Enforcement Action FRB Issues Proposed Rule Concerning Annual Assessments on Largest Banking Organizations and on Nonbank Financial Companies Designated for FRB Supervision by FSOC OCC Deputy Chief Counsel Testifies Before Senate Subcommittee Concerning Retention by Banks of Independent Consultants in Connection with OCC Enforcement Actions FRB Issues Final Retail Forex Rule CFTC Extends Reporting Requirement Compliance Date for End-Users SEC and CFTC Adopt Rules to Address FCRA Requirements for Identity Theft Programs and Credit Card Changes of Address

The SEC and CFTC (the "Commissions") jointly issued final rules that will (a) require "financial institutions" and "creditors" subject to a Commission's jurisdiction to develop and implement a written identity theft prevention program addressing identity theft in connection with certain existing accounts or the opening of new accounts and (b) establish special requirements under which a credit or debit card issuer subject to a Commission's jurisdiction would have to assess the validity of change of address notifications. The Commissions adopted the final rules because the Dodd-Frank Act amended the Fair Credit Reporting Act of 1970 ("FCRA") to add the Commissions to the list of federal agencies required to jointly prescribe and enforce identity theft red flags rules and card issuer rules regarding certain changes of address. The final rules are substantially similar to identity theft rules and card issuer rules adopted in 2007 by the federal banking regulators and the FTC in response to prior amendments to FCRA. The final rules do, however, contain some examples and minor language changes designed to facilitate compliance by entities under the Commissions' jurisdiction.

Transfer of Enforcement Authority to the Commissions. In broad terms, the primary effect of the final rules is to transfer to each Commission the enforcement of identity theft rules and card issuer rules as applied to the entities generally subject to that Commission's enforcement authority. The Commissions' joint release relating to the final rules observes that "[t]he Commissions recognize that entities subject to their respective enforcement authorities, whose activities fall within the scope of the rules, should already be in compliance with" the other agencies' rules. The release adds that the final rules neither contain requirements not already included in the other agencies' rules, nor expand the scope of those rules to include new categories of entities not already covered, although elsewhere in the release, as discussed below in greater detail, there is an expectation on the SEC's part that certain investment advisers may determine in response to this rulemaking that they are subject to the SEC's identity theft rule, Regulation S-ID.

Identity Theft Rules. In broad terms, a Commission's identity theft rules apply to "financial institutions" and "creditors" subject to its enforcement authority. An entity that falls within either of these categories must periodically assess whether it maintains "covered accounts." If it determines that it does, the entity must adopt an identity theft program with respect to those accounts in accordance with the Commission's identity theft rule.

A "financial institution" is defined to include, in addition to certain banks and credit unions, "any other person that, directly or indirectly, holds a transaction account . . . belonging to [an individual]." A "transaction account" is an "account on which the ... account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others." A "creditor" is "a person that regularly extends, renews or continues credit, or makes those arrangements, that "regularly and in the course of business ... advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person," except for a creditor that "advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person." A "covered account" is: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers (which may be either individuals or entities) or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. Regulation S-ID and Investment Advisers. In a statement issued in connection with the SEC action adopting the final rules, SEC Commissioner...