A blog touching on governance issues important for the open exchange of ideas between the business community and academia.

SEC Adopts New Rules Addressing Identity Theft

Tue, 2013-07-16 13:15

SEC Adopts New Rules Addressing Identity Theft

Not long after being sworn in as the new Chairman of the Securities and Exchange Commission, Mary Jo White presided over her first open SEC meeting on April 10, 2013. At that meeting, the SEC adopted rules requiring certain businesses regulated by the SEC to adopt and implement programs to detect and respond to indicators of possible identity theft. The rules were adopted jointly by the SEC and the Commodity Futures Trading Commission (CFTC), but they aren’t exactly new.

In 2003, Congress amended the Fair Credit Reporting Act (FCRA) to require certain federal agencies to issue joint rules and guidelines on detecting, preventing and mitigating identity theft. At that time, the FCRA did not require the SEC or the CFTC to adopt such rules. However, the FCRA gave the Federal Trade Commission (FTC) the authority to adopt and enforce identity theft rules related to entities regulated by the SEC and CFTC. The Dodd-Frank Act amended the FCRA and effectively transferred rule-making responsibility and enforcement authority with respect to identify theft rules to the SEC and CFTC with respect to those entities that are subject to each agency’s enforcement authority. 

The SEC indicates in its press release that the proposed SEC/CFTC rules relating to identify theft were largely identical to the rules that the FTC and the other federal agencies adopted under the FCRA (see our Up to Date article regarding proposed rules). The SEC’s rules apply only to SEC-regulated entities that meet the definition of “financial institution” or “creditor” in the FCRA, such as broker-dealers, mutual funds and investment advisers. The rules generally require these entities to adopt an identity theft prevention program designed to (i) identify relevant types of identity theft red flags, (ii) detect the occurrence of those red flags, (iii) respond appropriately to those red flags, and periodically update the identity theft program. The rules go into effect 30 days after publication in the Federal Register and compliance is required six months after the effective date.

Filed Under:

About the Author

Michael Plunkett
Blank Rome, LLP

Michael Plunkett takes a common sense approach to legal matters by identifying practical and cost effective solutions, while minimizing legal risks. He understands that the best legal advice must be based on a thorough understanding of each client’s business and goals. Mr. Plunkett represents both domestic and international public and private companies, entrepreneurs, and business owners in a wide range of securities, corporate and commercial matters. With his broad background, Mr. Plunkett often acts as “outside corporate counsel” for clients by providing a wide range of legal advice. He frequently coordinates and oversees the delivery of the Firm’s other legal services, such as litigation, real estate, tax, employee benefits and intellectual property, to ensure exceptional client service and responsiveness that takes into account each client’s unique business needs and objectives.

The Center’s research and programmatic efforts advocate for leading governance practices in the public and private sectors.

About Drexel University's LeBow College of Business

Learn more about why LeBow has been recognized as one of the world’s leading business schools.

Any opinions expressed here, except as specifically noted, are those of the individual authors or commenters and do not necessarily represent the views or policies of Drexel University.