Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, in February 2012, the Securities And Exchange Commission ("SEC") and the Commodity Futures Trading Commission ("CFTC") jointly proposed rules requiring certain regulated entities to adopt and administer identity-theft red flags programs. These proposals largely mirrored provisions in effect at federal agencies as mandated in 2003 under the Fair Credit Reporting Act ("FCRA"), which Congress amended in order to transfer identity theft rulemaking responsibility and enforcement authority from the Federal Trade Commission ("FTC") to the SEC and CFTC for entities they the latter two commissions regulate
As a result of increasing threats to the integrity and privacy of personal information, it was deemed necessary to implement protections for individuals to counter the rising incidents of theft, loss, and abuse of personal information that was attendant to the recent expansion of information technology and electronic communication. The hallmarks of the recently enacted SEC and CFTC rules call for policies and procedures designed to:
It is anticipated that covered firms will undertake staff training and oversight of service providers. Pointedly, issuers of debit cards or credit cards will be obligated to take certain precautionary actions when they receive a request for a new card soon after they receive a notification of a change of address for a consumer's account.
On April 10, 2013, the SEC and the CFTC jointly adopted rules requiring covered entities to adopt programs to detect red flags and prevent identity theft. The rule proposal asserts that a financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
Having just read through all 115 pages of the rule proposal, I must admit that I'm not all that impressed. Beyond much discussion about what and who will or will not be covered - ah, yes, the ever-present hand of lobbyists twisting words and compiling the regulator's lexicon - there just isn't a hell of a lot of substance to this pronouncement beyond a fairly generic call for regulated entities to be on the look-out for red flags and to take prompt action in response.
In the end, this is little more than another regulatory rule requiring the drafting of yet more pages of in-house compliance policies and procedures; as if the piled-up volumes of such unread written policies have proven effective in the past. Further, we are once again confronted with a 100-page plus tome, which, under close inspection, reveals itself to be little more than broad brushstrokes of vagueness. For example, consider this passage from the proposal on Page 30:
[F]irst, the final rules require a financial institution or creditor to develop a Program that includes reasonable policies and procedures to identify relevant red flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those red flags into the Program. Rather than singling out specific red flags as mandatory or requiring specific policies and procedures to identify possible red flags, this first element provides financial institutions and creditors with flexibility in determining which red flags are relevant to their businesses and the covered accounts they manage over time. . .
On Page 35 of the proposal, we get this similarly vague nugget:
Section II(c) of the guidelines identifies five categories of red flags that financial institutions and creditors must consider including in their Programs, as appropriate: Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; Presentation of suspicious documents, such as documents that appear to have been altered or forged; Presentation of suspicious personal identifying information, such as a suspicious address change; Unusual use of, or other suspicious activity related to, a covered account; and Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor. . .
Of course, silly me, but I don't find all that much help or guidance in characterizing a bit of information or a document as "suspicious." After all, isn't that what's ultimately going to become the battlefield in enforcing these rules? Don't you think that the whole defense will tend to be that something didn't seem, at first blush, to be suspicious? And this is what passes of Wall Street regulation in 2013. Draft reasonable policies. Look out for anything suspicious. Pay attention to red flags. Respond appropriately. How sad that it takes years to draft such feel-good claptrap and that our regulatory community trumpets such pap as a meaningful achievement. Welcome to regulation by the pound of paper and the gigabyte of data.
I mean, c'mon, why don't we just send the police out to arrest all the "guilty looking" folks? And while we're off on such a fool's errand, let not forget to be on the lookout for the Jabberwock, the Jubjub bird, and the frumious Bandersnatch!