SEC and CFTC Adopt Rules Regarding Identity Theft

The Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly adopted rules that would require entities regulated by the two agencies to adopt and implement programs aimed at detecting red flags in order to prevent identity theft.

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 gave the SEC and CFTC responsibility for rulemaking related to identity theft and the authority to enforce those rules for the entities they regulate. The rules apply to SEC-regulated entities that are defined as “financial institutions” or “creditors.”

The identity theft policies and procedures should be designed to detect and respond to identity theft red flags. The SEC’s rule includes examples of red flags to assist firms in implementing their programs. The firms will be required to periodically review and update their identity theft programs.

The final rules, which will become effective 30 days after publication in the Federal Register, require broker-dealers, investment advisers, and other entities regulated by the SEC and CFTC, to adopt identity theft programs within six months after the effective date.