Co-authored by Avi Badash.

The Securities and Exchange Commission, jointly with the Commodity Futures Trading Commission, adopted rules and guidelines to require certain entities regulated by the SEC and CFTC, such as broker-dealers, mutual funds and investment advisers, to establish and implement a written identity theft program. The SEC and CFTC adopted the rules in accordance with the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The rules require that the written identity theft program be designed to detect, prevent and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The program should include policies and procedures designed to: (i) identify relevant types of identity-theft red flags; (ii) detect the occurrence of those red flags; (iii) respond appropriately to the detected red flags; and (iv) periodically update the identity theft program. The rules require entities to provide such things as staff training and oversight of service providers. The rules include guidelines and examples of red flags to help firms develop and administer programs that would satisfy the requirements of the rules.

The final rules will become effective 30 days after publication in the Federal Register. The compliance date for the final rules will be six months after the effective date.
