The Securities and Exchange Commission (the “SEC”) and Commodity Futures Trading Commission (the “CFTC”) recently adopted rules requiring entities subject to their respective enforcement authorities to adopt and implement programs to detect and respond to indicators of possible identity theft, as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”). The SEC rules apply to entities such as broker-dealers, investment companies and investment advisers, while the CFTC’s rules apply to entities such as futures commission merchants, commodity trading advisors and commodity pool operators.
The Dodd-Frank Act requirement shifted rulemaking responsibility and enforcement authority for identity theft rules governing such entities to the SEC and CFTC from the six federal agencies that had jointly adopted identity theft rules under the Fair Credit Reporting Act in 2007.
The rules adopted by the SEC and the CFTC specify: (1) which financial institutions and creditors must develop and implement a written identity theft prevention program; (2) the objectives of such program; (3) the elements that the program must contain; and (4) the steps financial institutions and creditors need to take to administer the program. The rules do not contain any requirements that were not already in the rules established in 2007, nor do they expand the scope of those rules to include new categories of entities that the rules did not already cover. However, the rules and the related adopting release contain examples and minor language changes that are designed to help guide entities with compliance.
The rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after that effective date.