The Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) have jointly adopted rules, in accordance with the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”), to require various entities they regulate to adopt identity theft programs for the protection of investors. The new rules, adopted as new Regulation S-ID by the SEC and as new regulations under part 162 by the CFTC, require broker-dealers, investment companies, investment advisers, commodity pool operators, commodity trading advisors and other entities regulated by these agencies to adopt these programs in order to help protect investors from the risks of identity theft.

In the Adopting Release,[1] the SEC and CFTC explained that the rules are intended to address the growing threat of identity theft to all Americans who invest, save or borrow money. They noted that any person who entrusts money to a financial institution or who receives money on credit can be vulnerable to identity theft, and that this risk increases as technology continues to advance.

In 2007, six federal agencies, including the Federal Trade Commission, jointly adopted identity theft rules under the Fair Credit Reporting Act (“FCRA”) that applied to “financial institutions” and “creditors” that offer and maintain certain types of accounts. The FCRA, however, did not require or authorize the SEC or the CFTC to adopt identity theft rules. Instead, certain entities that the SEC and CFTC regulate, such as broker-dealers, futures commission merchants, investment companies, and investment advisers were covered by the rules of the six federal agencies adopted pursuant to the FCRA.

The Dodd-Frank Act changed this approach by transferring rulemaking and enforcement authority for identity theft rules to the SEC and CFTC for the entities they regulate. Pursuant to this authority, in 2012 the SEC and CFTC jointly proposed, for public notice and comment, identity theft red flags rules and guidelines and card issuer rules.[2]

The final rules require certain SEC-regulated entities and CFTC-regulated entities that meet the definition of “financial institution” or “creditor” under the FCRA to adopt an identity theft program with respect to certain “covered accounts.”[3] A “financial institution” is defined for this purpose to include any person that, directly or indirectly, holds a transaction account belonging to a consumer.[4] The term “creditor” is defined to include a creditor, as defined in 15 U.S.C. 1691a,[5] that regularly and in the ordinary course of business advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

A “covered account” is any account maintained for an individual that could be subject to the risks of identity theft. A “covered account” is defined in the final rules to mean (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks. For this purpose, the term “account” is defined in the final rules flexibly as a “continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.”

In accordance with the foregoing definitions, the SEC-regulated entities that are covered by the final rules include broker-dealers that offer custodial accounts, investment companies (including companies that have elected to be regulated as business development companies under the Investment Company Act or entities that operate as employees’ securities companies under that Act) that enable investors to make wire transfers to other parties or that offer check-writing privileges, and investment advisers that directly or indirectly hold transaction accounts and that are permitted to direct payments or transfers out of those accounts to third parties.[6] An adviser that has the authority to withdraw money from an investor’s account solely to deduct its own advisory fees would not hold a transaction account, because the adviser would not be making payments to third parties. In addition, a registered investment adviser that advises a private fund could be covered by the rules if natural persons invest in that fund and the adviser has the authority, pursuant to an arrangement with the private fund or the individual, to direct that individual’s investment proceeds to third parties.[7] A registered investment adviser to a private fund that regularly, and in the ordinary course of business, lends money to permit investors to make an investment in the fund, pending the receipt or clearance of an investor’s check or wire transfer, could qualify as a creditor.[8]

The CFTC-regulated entities covered by the final rules include futures commission merchants, commodity trading advisors, commodity pool operators, swap dealers, and major swap participants. A “covered account” for a CFTC-regulated entity includes a margin account. The CFTC’s definition of “creditor” includes certain entities, such as futures commission merchants and commodity trading advisors, that regularly extend, renew or continue credit or make those credit arrangements.

Under the final rules, an identity theft program should include policies and procedures designed to address the following four elements:

  • Identify relevant types of identity theft red flags;
  • Detect the occurrence of those red flags;
  • Respond appropriately to the detected red flags; and
  • Periodically update the identity theft program.

The final rules become effective thirty days after publication in the Federal Register. The compliance date for the final rules will be six months after their effective date.