SEC and CFTC Issue Final Rules on Identity Theft Protection
- Last week, the SEC and the CFTC jointly issued identity theft rules requiring certain regulated entities to adopt programs designed to detect “red flags” of identity theft and to respond appropriately to identity theft risks. The Final Rules will become effective 30 days after publication in the Federal Register, and affected entities must be in compliance six months thereafter.
- The SEC’s rules potentially apply to SEC-registered investment advisers (including private fund advisers), broker-dealers and investment companies (including mutual funds, business development companies and employees’ securities companies); the CFTC’s rules potentially apply to commodity trading advisers, commodity pool operators, futures commodity merchants, swap dealers, major swap participants, introducing brokers and retail foreign exchange dealers.
- An entity that falls within the scope of the rules is required to implement a program that includes policies and procedures designed to identify identity theft red flags, detect their occurrence and respond appropriately. The program must be overseen by an entity’s board of directors, an appropriate committee thereof or a designated senior management employee and provide for staff training.
- During the SEC’s open meeting, Commissioner Luis Aguilar urged private fund advisers newly registered with the SEC to pay close attention to the new rules. The SEC’s adopting release, and the attached Client Update, offer a number of examples to help advisers understand whether they fall within the scope of the new rules and, consequently, will need to adopt identity theft programs.