SEC, CFTC Adopt Joint Final Rule On Investor Identity Theft Red Flags


By Maria Lokshin


The Securities and Exchange Commission and the Commodity Futures Trading Commission April 10 voted unanimously in separate meetings to adopt a joint rule to require certain entities to put in place programs to help protect investors from identity theft.

Section 1088 of the Dodd-Frank Wall Street Reform and Consumer Protection Act shifted certain oversight functions under the Fair Credit Reporting Act from the Federal Trade Commission to the SEC and the CFTC for entities regulated by those agencies.

In February 2012, the commissions issued a joint identity theft proposed rule to protect investors from identity theft by ensuring that regulated entities create and maintain programs to respond to red flags (11 PVLR 417, 3/5/12).

The final rule is “substantially identical” to the proposal, Norm Champ, director of the SEC's Division of Investment Management, said at the SEC's meeting where the rule was considered.

Specifically, the rule requires that certain SEC-regulated entities, such as broker-dealers and investment advisers, set up programs that identify, detect, and respond to identity theft red flags. The CFTC's rule covers entities regulated by that agency, including futures commodity merchants, commodity trading advisers, and commodity pool operators.

For both agencies, however, entities are required to comply with the rule only if they meet the definition of “financial institution” or “creditor” under FCRA. Entities first must determine whether they meet one of these definitions and then determine whether they hold “covered accounts” that likely could be at risk for identity theft, according to SEC staff.

In addition, the rule provides guidance and examples of red flags to help companies set up their programs.

The rule, Champ said, will not be “new” to most of the SEC-regulated entities, because Dodd-Frank “in essence transferred” oversight of the FCRA requirements from the FTC to the SEC and the CFTC. He said the rule does not layer on new requirements or expand their scope.

Commissioner Luis Aguilar, however, noted that certain investment advisers, including advisers to hedge funds and private equity funds, may not have identity theft programs in place and will have to pay “particular attention” to the rule. Such entities were not required to register with the SEC until last year pursuant to Dodd-Frank.

The joint rule will become effective 30 days after publication in the Federal Register, and companies will be required to come into compliance six months after that date.


The joint proposed rule is available at
