The Securities and Exchange Commission has proposed new rules aimed at safeguarding investors from identity theft by requiring broker-dealers, mutual funds and other SEC-regulated entities to create programs to detect and respond to “red flags” indicating possible identity theft.
The proposed rules are substantially similar to the so-called “Red Flags Rules” adopted in 2007 by the Federal Trade Commission and other federal financial regulatory agencies that were previously required to adopt such rules. The Red Flags Rule was originally promulgated under the Fair and Accurate Credit Transactions Act of 2003, but the requirements were repeatedly delayed by the FTC under pressure from various industry groups. Congress finally exempted accountants from the Red Flags Rule in December 2010, along with physicians, law firms, and other types of professional service providers (see Congress Exempts CPAs from Red Flags Rule).
The SEC issued the new proposal Tuesday in conjunction with the Commodity Futures Trading Commission. Section 1088 of the Dodd-Frank Wall Street Reform and Consumer Protection Act transferred authority over certain parts of the Fair Credit Reporting Act from the Federal Trade Commission to the SEC and CFTC for entities they regulate.
The rule proposal would require SEC-regulated entities to adopt a written identity theft program that would include reasonable policies and procedures to identify relevant red flags, detect the occurrence of red flags, respond appropriately to the red flags they detect, and periodically update the identity theft program.
The proposed rule would also include guidelines and examples of red flags to help firms administer their identity theft protection programs. The proposal will be published in the Federal Register with a 60-day public comment period.