The SEC adopted rules jointly with the Commodity Futures Trading Commission (CFTC) that require broker-dealers, mutual funds, investment advisers, and certain other entities regulated by the SEC to adopt programs to prevent identity theft.
A unanimous decision by the SEC commissioners resulted in the adoption of the rule, known as Regulation S-ID.
The requirement expands rules initially enacted in 2007 by several federal agencies—but not the SEC. The Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203, transferred rulemaking and enforcement authority for identity theft rules to the SEC and the CFTC for the entities they regulate.
Therefore, many entities recognized as financial institutions or creditors subject to the new Regulation S-ID have already been complying with similar rules, SEC Commissioner Luis Aguilar said.
Registered investment advisers in particular, though, may not have existing identity theft red flag programs and may need to pay particular attention to the rules adopted Wednesday, Aguilar said.
The rules require broker-dealers, mutual funds, and investment advisers to adopt policies and procedures to:
- Identify relevant types of identity theft red flags.
- Detect the occurrence of those red flags.
- Respond appropriately to the detected red flags.
- Periodically update the identity theft program.
The rules, available at tinyurl.com/cane2zx, will take effect 30 days after publication in the Federal Register, and the compliance date will be six months after the rules’ effective date.