Effective November 1, investment companies that allow account holders to make withdrawals that are payable to third persons by check, transferable or negotiable instruments, or similar items (e.g., debit cards) must have established and obtained board approval of an identity theft prevention program designed to identify and detect relevant “red flags” pursuant to the 2003 amendments to the Fair Credit Reporting Act. The program must have written approval from the board of directors or an appropriate committee thereof, and the board of directors, an appropriate committee, or a designated employee at the senior level of management must be involved in the oversight, development, and administration of the program.

http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf