The Dodd–Frank Act required the SEC and CFTC to jointly adopt and individually enforce identity-theft prevention rules. As a result, the Dodd-Frank Act transferred rulemaking responsibility and enforcement authority to the SEC and CFTC with respect to entities subject to each agency’s enforcement authority.

The SEC and CFTC have adopted a joint rule re-quiring “financial institutions” and “creditors” that carry “covered accounts” to create identity-theft prevention rules. The new rules became ef-fective May 20, 2013, but entities and persons that are subject to the new rules have until November 20, 2013 to comply. The SEC and CFTC final rules identify these entities and persons as including, but not limited to: (i) FCMs, (ii) CTAs, (iii) CPOs, (iv) broker-dealers and (v) registered investment advisers.

The term “covered accounts” is defined broadly to include personal accounts designed to permit multiple payments or transactions, and any ac-count with a reasonably foreseeable risk of iden-tity theft. The final rules require “financial insti-tutions” and “creditors” carrying “covered ac-counts” to develop and maintain a written “identity theft prevention program” that includes: (i) identifying the relevant red flags and incorpo-rating those red flags into the program, (ii) detecting the red flags, (iii) responding appro-priately to any red flags and (iv) ensuring peri-odic program updates.