SEC and CFTC Adopt Rules on Red Flags and Identity Theft

On April 10, 2013, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly adopted rules that require broker-dealers, mutual funds, investment advisers and certain other regulated entities to adopt programs designed to detect “red flags” and prevent identity theft. These rules implement provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which amended the Fair Credit Reporting Act (“FCRA”) to direct the SEC and the CFTC to adopt rules requiring regulated entities to address risks of identity theft. The 2003 amendments to the FCRA required other regulatory authorities to issue identity theft red flags rules, but did not authorize or require the SEC or the CFTC to issue their own rules.

The final rules require “financial institutions” and “creditors” (as defined in the FCRA) to develop and implement written identity theft prevention programs “designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts.” The rules set forth four elements that the regulated entities must incorporate into their identity theft prevention programs. These elements include adopting policies and procedures to (1) identify relevant red flags, (2) detect the red flags, (3) respond appropriately to red flags that have been detected, and (4) periodically update the program to reflect changes in identity theft risks to customers and to the regulated entity. The rules also establish specific requirements for covered credit or debit card issuers to assess the validity of notifications of changes of address under certain circumstances.

The final rules will become effective 30 days after publication in the Federal Register, with compliance required no later than six months after the effective date.
