As a reminder, on May 20, 2013, the Commodity Futures Trading Commission (CFTC) and U.S. Securities and Exchange Commission’s (SEC) joint final rules concerning identity theft precautions took effect.  Most regulated firms will be required to comply with the final rules by November 20, 2013.  In particular, the final rules require that certain regulated entities establish programs to address and reduce the risk of identity theft within their operations.  If you are subject to the regulations, your required program must be designed to detect, prevent and mitigate identity theft in connection with your firm’s existing accounts or the opening of new accounts.

According to U.S. regulators, entities that qualify as either “financial institutions” or “creditors” under the Fair Credit Reporting Act will be impacted.  This effectively includes any CFTC-registered futures commission merchant, retail foreign exchange dealer (“RFED”), commodity trading advisor (“CTA”), commodity pool operator (“CPO”), introducing broker (“IB”), swap dealer (“SD”) or major swap participant (“MSP”).  Other firms subject to the requirement include investment companies, business development companies, investment advisers (not including exempt reporting advisors) and broker-dealers.  A comprehensive list of all the regulated entities that are included is contained in the final rules.

To be more specific regulated entities that offer or maintain one or more of the “covered account” types described in the final rules must adopt a prevention program.  The term “covered accounts” is defined broadly to include personal accounts designed to permit multiple payments or transactions and any account with a reasonably foreseeable risk of identity theft.  In essence, most types of accounts relevant to retail firms are likely to be deemed “covered accounts” under the final rules.

Red Flags

Firms that are required to adopt a prevention program (many CFTC/NFA regulated entities) must include reasonable policies and procedures designed to: (1) identify red flags concerning identity theft; (2) detect the identified red flags; (3) respond appropriately to any detected red flags; and (4) periodically update the prevention program to reflect changes in risks to customers and to the safety and soundness of the firm from identity theft.  These companies will be required to also determine on their own which red flags are relevant to their specific business activities and the accounts they offer and/or maintain.

In preparing its prevention program, a regulated entity must consider, at a minimum, the following factors in identifying relevant red flags: (1) the types of accounts that the firm offers or maintains; (2) its methods to open or access such accounts; and (3) its prior experiences with identity theft.  In addition, firms must also consider including in the prevention program, appropriate ways in which to address: (1) alerts from other reporting agencies or service providers; (2) existence of unusual documents, such as those that appear to have been altered or forged; (3) existence of suspicious personal identifying information, such as an address change; (4) unusual account activity and (5) various notices from customers, victims of identity theft, law enforcement and/or other persons regarding a possible identity theft.

Regulated firms will also be required to periodically review their accounts to ensure they are properly applying the final rules.  The final rules also require approval of the prevention program from either the company’s board of directors, an appropriate committee of the board of directors, or if the entity does not have a board, from a designated senior management employee.  In addition to this, firms must involve the board of directors, an appropriate committee, or a designated senior management employee in the oversight, development, implementation and administration of the prevention program.  Finally, staff members must also be trained on how to properly implement and maintain the prevention program.  In this area regulated entities will need to consider their unique operational circumstances to determine appropriate training practices.

Further Guidance

Affected firms should ensure that they have an appropriate prevention program in place as of November 20, 2013.  Please note that the information set forth in this summary is not intended to be all-inclusive and does not constitute legal advice.  If you have any questions concerning the preparation or implementation of a prevention program, we suggest you contact a regulatory professional like Turnkey Trading Partners (TTP) to assist you in understanding and complying with the new final rules.  TTP has the business acumen, as well as relationships with law firms, such as Henderson & Lyman, to provide you with the guidance you need to assist you in complying with these new rules concerning identity theft protection.

-James Bibbings and Nicole Kuchera


James Bibbings is the President and CEO of North America’s Best Regulatory Advisory Turnkey Trading Partners (“TTP”) as named by Hedgeweek in 2013.  TTP supports CFTC and NFA regulated firms with all of their commodity, forex, and swap specific regulatory and business needs. Prior to founding TTP, Bibbings worked with the National Futures Association (NFA) as a supervising auditor. During his time with NFA he was involved in approximately 100 investigative audits and was able to gain a deep working knowledge of FDM, FCM, IB, CTA, and CPO operations.  He has also provided financial markets content for MSN, Yahoo, Financial Times, The Wall Street Journal’s Market Watch, FinAlternatives, NIBA, Forex Journal, FX Street, Forex Factory, and many other highly acclaimed investment publications.  Two highly sought after informational pamphlets regarding futures, forex, and swap registration authored by Bibbings are currently available for free upon request through his company website.  If you have any questions or comments for Bibbings he can be reached directly by email at and would love to hear from you.

Nicole Kuchera, JD, LL.M. is an attorney in Henderson & Lyman’s Financial Services Practice Group.  She concentrates her legal practice on futures, securities and derivatives industry clients, such as commodity pool operators, commodity trading advisors, hedge funds, introducing brokers, proprietary trading firms, broker-dealers, investment advisers, swap dealers, futures commission merchants, forex dealer members and binary options trading firms.  Ms. Kuchera counsels clients regarding a wide range of compliance and regulatory matters involving the rules and regulations of the CFTC and the SEC, as well as self-regulatory organizations and exchanges.  Ms. Kuchera also represents clients in general corporate matters, such as business formation and structuring, licensing and registration, and preparation of disclosure documents, compliance procedures, business agreements and advertising materials.  She also represents financial services clients in a wide range of litigation matters in various forums, including state and federal courts and in industry arbitrations and mediations.