SEC Adopts New Rules Addressing Identity Theft
Not long after being sworn in as the new Chairman of the Securities and Exchange Commission, Mary Jo White presided over her first open SEC meeting on April 10, 2013. At that meeting, the SEC adopted rules requiring certain businesses regulated by the SEC to adopt and implement programs to detect and respond to indicators of possible identity theft. The rules were adopted jointly by the SEC and the Commodity Futures Trading Commission (CFTC), but they aren’t exactly new.
In 2003, Congress amended the Fair Credit Reporting Act (FCRA) to require certain federal agencies to issue joint rules and guidelines on detecting, preventing and mitigating identity theft. At that time, the FCRA did not require the SEC or the CFTC to adopt such rules. However, the FCRA gave the Federal Trade Commission (FTC) the authority to adopt and enforce identity theft rules related to entities regulated by the SEC and CFTC. The Dodd-Frank Act amended the FCRA and effectively transferred rule-making responsibility and enforcement authority with respect to identify theft rules to the SEC and CFTC with respect to those entities that are subject to each agency’s enforcement authority.
The SEC indicates in its press release that the proposed SEC/CFTC rules relating to identify theft were largely identical to the rules that the FTC and the other federal agencies adopted under the FCRA (see our Up to Date article regarding proposed rules). The SEC’s rules apply only to SEC-regulated entities that meet the definition of “financial institution” or “creditor” in the FCRA, such as broker-dealers, mutual funds and investment advisers. The rules generally require these entities to adopt an identity theft prevention program designed to (i) identify relevant types of identity theft red flags, (ii) detect the occurrence of those red flags, (iii) respond appropriately to those red flags, and periodically update the identity theft program. The rules go into effect 30 days after publication in the Federal Register and compliance is required six months after the effective date.