On April 10, 2013, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly adopted rules and guidelines requiring certain entities regulated by the agencies to enact programs that identify, detect, and respond to identity theft red flags. The Dodd-Frank Act amended the Fair Credit Reporting Act (“FCRA”) to transfer responsibility for identity theft rules and the enforcement of the rules from the Federal Trade Commission to the SEC and the CFTC with respect to the entities they regulate. The SEC’s rules apply to an SEC-registered investment adviser, broker-dealer, or mutual fund that meets the definition of a “financial institution” or a “creditor” under the FCRA. Certain registered investment advisers would meet the definition of a “financial institution” if they have the authority to make payments from or otherwise disburse funds to third parties from an investor’s account. The CFTC’s rules cover entities regulated by that agency, including futures commodity merchants, commodity trading advisers, and commodity pool operators.
Entities that fall within the scope of the rules must adopt a program containing policies and procedures that are designed to (i) identify relevant types of identity theft red flags; (ii) detect the occurrence of those red flags; (iii) respond appropriately to the detected red flags; and (iv) periodically update and identify the identity theft program. The rules include guidelines to assist subject entities in the formulation and maintenance of programs that would satisfy the requirements of the rules.
The final rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after the effective date (i.e., about seven months from the date of this alert).
For a copy of the final rules, see http://www.sec.gov/rules/final/2013/34-69359.pdf