SEC Rules Aim to Protect Investors from Identity Theft

The Securities and Exchange Commission has voted unanimously to adopt rules requiring broker-dealers, mutual funds, investment advisers, and certain other entities regulated by the agency to adopt programs to detect red flags and prevent identity theft.

The SEC voted Wednesday to adopt the rules jointly with the Commodity Futures Trading Commission in accordance with the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.

“Under these rules, certain businesses regulated by the SEC and CFTC would be required to adopt and implement programs to detect and respond to indicators of possible identity theft,” said SEC chairman Mary Jo White in a statement. “These rules are a common-sense response to the growing threat of identity theft to all Americans who invest, save, or borrow money.”

The final rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after the effective date.

The development and expansion of information technology and electronic communication during the past decade have led to increasing threats to the integrity and privacy of personal information, the SEC noted. The federal government has taken steps to help protect individuals and help individuals protect themselves from the risks of theft, loss, and abuse of their personal information.

Congress amended the Fair Credit Reporting Act in 2003 to require several federal agencies, including the Federal Trade Commission and banking regulators, to issue joint rules and guidelines on detecting, preventing, and mitigating identity theft. At that time, the FCRA did not include the SEC or the CFTC among the agencies required to adopt identity theft rules, but instead gave the FTC authority to adopt and enforce identity theft rules related to entities regulated by the SEC and the CFTC.

Under the Dodd-Frank Act, Congress amended the FCRA to transfer identity theft rulemaking responsibility and enforcement authority from the FTC to the SEC and CFTC for entities they regulate.

The SEC and the CFTC jointly proposed rules in February 2012 requiring certain entities they regulate to adopt and administer identity theft red flags programs. The proposed rules were largely identical to the rules that the FTC and other federal agencies adopted under the FCRA, and included examples and guidance to help entities comply with the rules.

The final rules require certain entities regulated by the SEC, such as broker-dealers, mutual funds and investment advisers, to adopt an identity theft program.

The program should include policies and procedures designed to identify relevant types of identity theft red flags, detect the occurrence of those red flags, respond appropriately to the detected red flags, and periodically update the identity theft program.

The SEC’s rules apply only to SEC-regulated entities that meet the definition of “financial institution” or “creditor” under the FCRA. The rules require entities to provide staff training and oversight of service providers. They also include guidelines and examples of red flags to help firms administer their programs. The rules require entities that issue debit cards or credit cards to take certain precautionary actions when they receive a request for a new card soon after they receive a notification of a change of address for a consumer’s account.
