The SEC and CFTC Jointly Approve New Identity Theft Rules

Recently, the Securities and Exchange Commission (“SEC”), in tandem with the Commodity Futures Trading Commission (CFTC), jointly adopted Final Rulesrequiring certain entities to implement programs to detect red flags and prevent identity theft.  These rules were developed in response to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”) which shifted responsibility for identify theft rules and enforcement of such rules from the Federal Trade Commission to the SEC and the CFTC for those entities under their respective jurisdiction.  Specifically, the SEC’s rules will apply to those entities under its jurisdiction, including broker-dealers, investment companies, and investment advisers; while the CFTC’s rules will apply to futures commission merchants, commodity trading advisors and commodity pool operators.  However, both the SEC and CFTC rules will only apply to “financial institutions” and “creditors” as those terms are defined in the Fair Credit Reporting Act that offer and maintain “covered accounts.”The new rules require those covered entities to develop and implement written policies and procedures designed to detect, prevent and mitigate identity theft in connection with certain existing accounts or the opening of new accounts.  Specifically, these policies and procedures must: (1) identify relevant red flags; (2) detect the red flags; (3) respond appropriately to red flags that have been detected; and (4) periodically update the identity theft policies and procedures.  The Final Rulesprovide additional guidance, including examples, to help determine which entities qualify and, if so, how to comply with the new rules.The new rules also require that covered entities provide staff training and appoint a “senior management employee” (most likely the entity’s Chief Compliance Officer) to be responsible for the program.  Furthermore, those entities not initially subject to the new rules are required to periodically reassess whether or not they are required to develop such policies and procedures in light of changes in the accounts they offer or maintain.The Final Ruleswill become effective 30 days after publication in the Federal Register.  Once effective, those subject to the new rules will have six months to implement their red flag programs.For further information about this, or other related topics, please contact us at (619) 298-2880 or at

Leave a Reply

Your email address will not be published. Required fields are marked *