News & Resources

SEC makes announcement regarding Red Flags Rule

May 07, 2013 Dave King

SEC makes announcement regarding Red Flags Rule

Identity theft continues to be a widespread and devastating issue in the United States and abroad, as cybercriminals and other incendiary forces have become more capable of turning a little amount of personal information into major losses. As officials and law enforcement entities try to develop new strategies of reducing the spread of the crime, businesses remain the first line of defense.

ID verification protocols and governance need to be constantly assessed and refined to ensure protections are relevant and steadfast in the face of evolving threats. New tactics and threats proliferate incredibly rapidly, and companies need to keep abreast with the evolution of risks through assessments, vulnerability checks and swift patches.

The Federal Trade Commission has been among the most involved government entities when it comes to identity theft prevention, and recently established the Red Flags Rule to improve the response times to crimes. Now, two other government organizations are beginning to oversee the Red Flag rule to broaden governance and improve the efficacy of efforts.

SEC and CFTC join the fight


The Securities Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) will begin to hold all covered entities - mostly financial institutions and creditors - accountable for adhering to the FTC's Red Flags rule. The FTC launched this initiative to strengthen regulatory compliance related to identity theft.

The organization explained that enterprises must implement policies and procedures to identify and quash relevant patterns, practices and specific forms of criminal activity. Covered entities are also required to update policies regularly according to the proliferation of threats and detail appropriate responses to red flags detected.

The announcement was made by SEC Chairman Mary Jo White, who noted that this action was taken in accordance with the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.

"Under these rules, certain businesses regulated by the SEC and CFTC would be required to adopt and implement programs to detect and respond to indicators of possible identity theft," White explained in a statement. "These rules are a common-sense response to the growing threat of identity theft to all Americans who invest, save or borrow money."

The SEC explained that the final rules will go into effect 30 days following the publication of the new legislation in the Federal Register. Covered entities will then have six months to comply with the rules following the effective date.

Further, officials explained that this will help maintain the integrity of managed personal and corporate financial information through strengthened accountability. For example, the SEC noted that covered entities will need to provide more widespread and effective staff training to all employees, and that such organizations will also need to maintain more stringent oversight of any and all third-party service providers.

Red Flags Rule notes
The FTC's Red Flags Rule covers all financial institutions and creditors that manage consumer accounts, especially those designed to facilitate multiple transactions. Organizations that have more questions related to ID verification standards or the Red Flags Rule should reference the FTC's website, as well as those of the SEC, Consumer Financial Protection Bureau and CFTC.