On February 28, 2012, the SEC and the CFTC jointly proposed rules that would require funds and advisers to affirmatively combat identity theft. The proposed rules would require registered investment companies, investment advisers, commodity pool operators (“CPOs”), commodity trading advisors (“CTAs”), and other SEC- or CFTC-regulated entities to create programs to detect and respond to red flags. The proposed rules would also establish special requirements for certain credit and debit card issuers to assess the validity of notifications of changes of address in certain circumstances.
The SEC’s proposed rules and guidelines would apply to a financial institution or creditor, as defined by the Fair Credit Reporting Act of 1970 (the “FCRA”), including SEC-registered investment companies, investment advisers, brokers, dealers, and other entities registered under the Securities Exchange Act of 1934. The CFTC’s proposed rule would apply to CPOs, CTAs, futures commission merchants, introducing brokers, swap dealers, major swap participants, and retail foreign exchange dealers.
A “covered account” would include any account “that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.” The SEC’s proposed definition includes, for example, a brokerage account with a broker-dealer and an account maintained by a mutual fund that permits wire transfers or other payments to third parties. The CFTC’s proposed definition of a “covered account” includes a margin account as an example.
The proposed rules would require covered entities to adopt a written identity theft program (“Program”) that would include reasonable policies and procedures designed to: (1) identify relevant red flags; (2) detect the occurrence of red flags; (3) respond appropriately to the detected red flags; and (4) provide for periodic updates.
The proposed guidelines would require a covered entity to report at least annually to its board of directors, board committee, or to a designated senior management employee on compliance with the proposed rules. The report would address, among other things: the effectiveness of the policies and procedures; service provider arrangements; incidents involving identity theft and management’s response; and recommendations for changes to the Program.
Section 1088 of the Dodd-Frank Act transferred authority over certain parts of the FCRA from the Federal Trade Commission (“FTC”) to the SEC and CFTC. In particular, the Dodd-Frank Act amended the FCRA by adding the SEC and the CFTC to the list of federal agencies required to jointly prescribe and enforce identity theft red-flag rules and guidelines and credit/debit card issuer rules for entities they regulate.[1]
The joint proposal by the SEC and the CFTC is similar to final rules and guidelines adopted in 2007 by the FTC and the other federal financial regulatory agencies previously required to adopt such rules. The SEC and the CFTC noted that most of the entities over which they have jurisdiction are likely already in compliance with the 2007 rules. According to the Commissions, the proposal does not contain any new requirements not in the 2007 rules, and does not expand the scope of the 2007 rules to include new entities. The Commissions stated that the joint proposal contains examples and minor language changes intended to help entities “discern whether and how the identity theft rules and guidelines apply to their circumstances.”
Comments on the proposal must be received by the SEC or the CFTC on or before May 7, 2012.
[1] Identity Theft Red Flags Rules, SEC Release No. IC-29969 (Feb. 28, 2012), available at http://www.sec.gov/rules/proposed/2012/ic-29969.pdf.