On April 19, 2013, the SEC and the CFTC published joint rules and guidelines requiring certain registrants to establish programs to address the risk of identity theft. The SEC’s rules apply to broker-dealers, mutual funds, investment advisers and other financial institutions. The CFTC’s rules apply to commodity trading advisers, commodity pool operators and swap dealers, among others.
Although the release includes examples of “red flags” that registrants should monitor, the rules do not require that compliance programs address specific red flags, nor do they require specific policies and procedures to identify such red flags. Instead, the Commissions gave financial institutions flexibility to determine which red flags are relevant to their business models and the covered accounts that they manage. The Commissions noted their intent that registrants should adopt programs designed to “respond and adapt to new forms of identity theft and the attendant risks as they arise.” Similarly, guidance about the definition of “covered account” is flexible to allow a financial institution “to determine which accounts pose a reasonably foreseeable risk of identity theft.”
Policies and procedures adopted to comply with the new rules should also provide for appropriate responses to detected red flags, commensurate with the risks posed, taking into consideration factors that might heighten the risk of identity theft.
Compliance with the new rules is required by November 20, 2013.