The SEC on Wednesday adopted rules jointly with the Commodity Futures Trading Commission (CFTC) that require broker-dealers, mutual funds, investment advisers, and certain other entities regulated by the SEC to adopt programs to prevent identity theft.
SEC Chairman Mary Jo White, who was sworn in Wednesday, cast a vote in a unanimous decision by the SEC commissioners to adopt the rule, known as Regulation S-ID.
“These rules are a common-sense response to the growing threat of identity theft to all Americans who invest, save, or borrow money,” White said in her opening statement at the meeting.
The requirement expands rules initially enacted in 2007 by several federal agencies—but not the SEC. The Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203, transferred rulemaking and enforcement authority for identity theft rules to the SEC and the CFTC for the entities they regulate.
Therefore, many entities recognized as financial institutions or creditors subject to the new Regulation S-ID have already been complying with similar rules, SEC Commissioner Luis Aguilar said.
Registered investment advisers in particular, though, may not have existing identity theft red flag programs and may need to pay particular attention to the rules adopted Wednesday, Aguilar said.
The rules require broker-dealers, mutual funds, and investment advisers to adopt policies and procedures to:
- Identify relevant types of identity theft red flags.
- Detect the occurrence of those red flags.
- Respond appropriately to the detected red flags.
- Periodically update the identity theft program.
The SEC’s rules apply only to SEC-regulated entities that are defined as “financial institutions” or “creditors” under the Fair Credit Reporting Act.
Entities will be required to train their staffs and oversee service providers to ensure that the rules are followed. Entities that issue debit cards or credit cards will be required to take certain precautionary measures when they receive a request for a new card soon after they receive a notification of a change of address for a consumer’s account.
The rules will take effect 30 days after they are published in the Federal Register, and the compliance date will be six months after the rules’ effective date.
Ken Tysiac (
) is a JofA senior editor.