On April 10th, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly approved a final rule requiring broker-dealers, mutual funds, federally registered investment advisers, and certain other regulated entities to adopt programs designed to detect and address identity theft. The final rule release is available online by clicking here. These rules are similar to joint rules previously approved by other entities under the Fair Credit Reporting Act of 1970 (“FCRA”), including the Federal Trade Commission and banking regulators. Thus, the rules may offer few additional requirements for certain entities. Any entities not already covered by such rules, however, such as broker-dealers and federally registered investment advisers, must now establish identity theft programs that comply with the new regulations.
The program should be appropriate to the size and complexity of the covered entity and the nature and scope of its business. The program must consist of policies and procedures that:
- Identify relevant types of identity theft red flags;
- Detect the occurrence of those red flags;
- Respond appropriately to detected red flags; and
- Periodically update the program.