On April 10, the SEC voted unanimously to adopt a final rule requiring broker-dealers, mutual funds, investment advisers, and other regulated entities to implement programs designed to detect and prevent identity theft. The final rule applies to SEC-regulated entities that meet the definition of “financial institution” or “creditor” under the FCRA. The final rule will take effect 30 days after publication in the Federal Register and give covered firms six months from the effective date to comply. Under the final rule, covered firms must establish policies and procedures designed to (i) identify relevant types of identity theft red flags, (ii) detect the occurrence of those red flags, (iii) respond appropriately to the detected red flags, and (iv) periodically update the identity theft program. The rule requires covered firms to provide staff training and oversight of service providers, and provides guidelines and examples of red flags to help firms administer their programs. Further, the rule requires covered firms that issue debit cards or credit cards to take certain precautionary actions when they receive a request for a new card soon after notification of a change of address for a consumer’s account.