Identity theft, data loss and other privacy violations are among the leading threats faced by financial institutions. Depending on their nature, they can inflict reputational and brand damage, cause revenue losses and prompt civil liability suits by customers. What's more, regulators are taking an increasingly hard line in these matters. Two new regulatory measures to safeguard investor privacy have far-reaching implications for investment companies, and executives need to take steps to comply.
The first measure, the "Identity Theft Red Flags" rule, was issued by the Federal Trade Commission in November 2007. It has been discussed largely in terms of its impact on banks and credit and debit card issuers.
However, recently, it has received significant attention from the mutual fund industry. Mutual fund companies would need to comply with this rule if they have "transaction accounts," that is, accounts from which the accountholder can direct payments or transfers to a third party, such as through checkwriting.
In brief, the Red Flags rule requires financial institutions to develop and implement a formal identity theft prevention program to help detect, prevent and mitigate identity theft, especially risks associated with such routine processes as new account openings, call center activities and transaction processing.
Institutions must assess identity theft risks associated with certain classes of accounts; implement a warning system with red flag "triggers," taking into consideration 26 such red flags specified in the rule's guidance; and develop processes to respond when red flags are triggered.
While there is no one-size-fits-all approach to compliance, many institutions can leverage existing governance, risk and compliance controls and processes to conduct the risk assessment, develop procedures and implement a monitoring program. Those subject to the Red Flags rule must be in compliance by Nov. 1, 2008, which makes it necessary to begin taking steps immediately to comply.
As information security breaches and the potential for identity theft have increased, the SEC has become concerned that some firms lack the data safeguarding programs to cope with phishing and identity theft scams. As a result, in March 2008, the SEC issued four proposed amendments to set forth more specific requirements for safeguarding information, responding to information security breaches and broadening the scope of the information covered by Regulation S-P's original safeguarding and disposal provisions.
The first amendment is intended to help prevent and address security breaches, and includes more specific standards for developing a detailed information security program for safeguarding personal information, including standards for responding to security breaches. More specifically, the information security program must designate an employee to coordinate the program, and identify the relevant security risks, as well as the internal controls that could mitigate those risks.
Firms would also need to periodically test and monitor the program to determine its effectiveness and, if necessary, adjust the program's operations, technology or business arrangements.
The second amendment would revise the safeguard and disposal rules so that both protect "personal information," and broaden the definition of that term to include any record containing nonpublic personal information or consumer data such as that in credit reports. Also, transfer agents are now included in the scope of this rule in addition to brokers, dealers, registered investment advisors, and investment companies.
The third amendment would require institutions to document their safeguards and disposal procedures and keep a record of their compliance.
While financial institutions would have to make a considerable effort to protect customer data, the most important change could be one that covers a matter not currently addressed at all in Reg S-P: How to deal with the customer information of a representative who moves from one broker/dealer or RIA to another.
A proposed fourth amendment to Reg S-P addresses this issue head-on. It would enable one firm to provide another with a customer's name, address, phone number and e-mail address, and also to supply a general description of the accounts, all without needing customer permission. It would forbid the transfer of a customer's Social Security number, account numbers or holdings, given the greater risk of identity theft such information presents.
The proposed amendment's provisions are similar to those of a broker-recruiting agreement entered into by the major wirehouses in 2004 and since joined by about 50 other firms, which permits limited transfer of information when a representative moves from one signatory firm to another.
The proposed changes to the disclosure of information for departing representatives could make it easier for them to bring the most basic contact information with them, while making it harder to take detailed data about investments. The concerns that have been raised include fears that the amendment could make it much harder to transfer customer information, discouraging those who might want to follow their representatives.
The comment period for the proposed amendments ended in May, and the SEC is currently reviewing industry comments. Adoption of the Reg S-P amendments is likely, although their final form and compliance date is uncertain.
Regardless, financial institutions should begin now to evaluate their customer information systems and controls to establish a basis for planning enhancements and any additional budgeting that would be necessary in 2009. At the very least, such reviews will allow management to assess the effectiveness of the systems currently in place.
(c) 2008 Money Management Executive and SourceMedia, Inc. All Rights Reserved.