The Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC” and together with the SEC, the “Commissions”) released, on April 10, 2012, their final regulations—referred to as Regulation S-ID by the SEC—requiring certain broker-dealers, investment advisers, investment companies, futures commission merchants and other entities subject to the Commissions’ respective enforcement authority to establish programs to address identity theft risks.1 The regulations implement Section 615(e) of the Fair Credit Reporting Act (“FCRA”), often called the “red flags” rule. The new regulations, at 17 C.F.R. pts. 162 and 248, become effective on May 20, 2013; compliance with the regulations will be required as of November 20, 2013. Entities regulated by the SEC and CFTC should review their identity theft programs to ensure they meet the requirements of the new regulations.