17 CFR § 248.201 - Duties regarding the detection, prevention, and mitigation of identity theft.
(a) Scope. This section applies to a financial institution or creditor, as defined in the Fair Credit Reporting Act (15 U.S.C. 1681), that is:
(1) A broker, dealer or any other person that is registered or required to be registered under the Securities Exchange Act of 1934;
(2) An investment company that is registered or required to be registered under the Investment Company Act of 1940, that has elected to be regulated as a business development company under that Act, or that operates as an employees' securities company under that Act; or
(3) An investment adviser that is registered or required to be registered under the Investment Advisers Act of 1940.
(b) Definitions. For purposes of this subpart, and Appendix A of this subpart, the following definitions apply:
(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes a brokerage account, a mutual fund account (i.e., an account with an open-end investment company), and an investment advisory account.
(2) The term board of directors includes:
(i) In the case of a branch or agency of a foreign financial institution or creditor, the managing official of that branch or agency; and
(ii) In the case of a financial institution or creditor that does not have a board of directors, a designated employee at the level of senior management.
(3) Covered account means:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5) Creditor has the same meaning as in 15 U.S.C. 1681m(e)(4).
(6) Customer means a person that has a covered account with a financial institution or creditor.
(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).
(8) Identifying information means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any—
(i) Name, Social Security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(ii) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(iii) Unique electronic identification number, address, or routing code; or
(iv) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
(9) Identity theft means a fraud committed or attempted using the identifying information of another person without authority.
(10) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(11) Service provider means a person that provides a service directly to the financial institution or creditor.
(12) Other definitions.
(i) Broker has the same meaning as in section 3(a)(4) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(4)).
(ii) Commission means the Securities and Exchange Commission.
(iii) Dealer has the same meaning as in section 3(a)(5) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(5)).
(iv) Investment adviser has the same meaning as in section 202(a)(11) of the Investment Advisers Act of 1940 (15 U.S.C. 80b-2(a)(11)).
(v) Investment company has the same meaning as in section 3 of the Investment Company Act of 1940 (15 U.S.C. 80a-3), and includes a separate series of the investment company.
(vi) Other terms not defined in this subpart have the same meaning as in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).
(c) Periodic identification of covered accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.
(d) Establishment of an Identity Theft Prevention Program—
(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2) Elements of the Program. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.
(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix A to this subpart and include in its Program those guidelines that are appropriate.