FOR IMMEDIATE RELEASE
2013-57
Washington, D.C., April 10, 2013 — The Securities and Exchange Commission today voted unanimously to adopt rules requiring broker-dealers, mutual funds, investment advisers, and certain other entities regulated by the agency to adopt programs to detect red flags and prevent identity theft.
The SEC adopted the rules jointly with the Commodity Futures Trading Commission (CFTC) in accordance with the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.
"Under these rules, certain businesses regulated by the SEC and CFTC would be required to adopt and implement programs to detect and respond to indicators of possible identity theft," said SEC Chairman Mary Jo White. "These rules are a common-sense response to the growing threat of identity theft to all Americans who invest, save, or borrow money."
The final rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after the effective date.
# # #
The development and expansion of information technology and electronic communication during the past decade have led to increasing threats to the integrity and privacy of personal information. The federal government has taken steps to help protect individuals and help individuals protect themselves from the risks of theft, loss, and abuse of their personal information.
Congress amended the Fair Credit Reporting Act (FCRA) in 2003 to require several federal agencies, including the Federal Trade Commission (FTC) and banking regulators, to issue joint rules and guidelines on detecting, preventing, and mitigating identity theft. At that time, the FCRA did not include the SEC or CFTC among the agencies required to adopt identity theft rules, but instead gave the FTC authority to adopt and enforce identity theft rules related to entities regulated by the SEC and CFTC.
Under the Dodd-Frank Act, Congress amended the FCRA to transfer identity theft rulemaking responsibility and enforcement authority from the FTC to the SEC and CFTC for entities they regulate.
The SEC and CFTC jointly proposed rules in February 2012 requiring certain entities they regulate to adopt and administer identity theft red flags programs. The proposed rules were largely identical to the rules that the FTC and other federal agencies adopted under the FCRA, and included examples and guidance to help entities comply with the rules.
The final rules require certain entities regulated by the SEC such as broker-dealers, mutual funds, and investment advisers to adopt an identity theft program.
The program should include policies and procedures designed to:
The SEC's rules apply only to SEC-regulated entities that meet the definition of "financial institution" or "creditor" under the FCRA.
The rules require entities to provide such things as staff training and oversight of service providers. The rules include guidelines and examples of red flags to help firms administer their programs.
The rules require entities that issue debit cards or credit cards to take certain precautionary actions when they receive a request for a new card soon after they receive a notification of a change of address for a consumer's account.
The final rules will become effective 30 days after publication in the Federal Register. The compliance date for the final rules will be six months after their effective date.