Promulgating Rules to Prevent Identity Theft
Commissioner Luis A. Aguilar
U.S. Securities and Exchange Commission
SEC Open Meeting, Washington, D.C.
April 10, 2013
In today’s world, the expansion of information technology and the proliferation of electronic communication and social media have resulted in a dramatic increase in identity theft. The Federal Trade Commission (“FTC”) estimated that as many as nine million Americans have their identities stolen each year.1 It is not clear how many more cases go unreported. Additionally, identity theft has topped the FTC’s National Consumer Complaints List for the 13th consecutive year.2
Today, to help address this growing problem, the Commission considers rules and guidelines to adopt Regulation S-ID to require those entities covered by the rules to establish programs to detect, prevent, and mitigate identity theft. This action is a direct result of Section 1088 of the Dodd-Frank Act that directed the U.S. Securities and Exchange Commission (“SEC”) and the U.S. Commodity Futures Trading Commission to adopt joint rules requiring entities that are subject to the Commissions’ respective enforcement authorities to address identity theft.
This requirement is an expansion of a requirement initially put in place in 20033 that required several federal agencies, albeit not the SEC, to issue joint rules and regulations regarding the detection, prevention, and mitigation of identity theft. These rules were enacted in 2007. Even though, the Commission was not one of the included agencies, many of its regulated entities are likely to have already been subject to similar rules previously enacted by those other agencies, as a result of activities that cause these entities to qualify as “financial institutions” or “creditors.” Thus, for those entities, they should already have identity theft prevention programs in place.
There is one group of entities, however, that may not have existing identity theft red flag programs and will need to pay particular attention to the rules being adopted today. This group consists of investment advisers registered under the Investment Adviser Act — particularly the private fund and hedge fund advisers that are recent registrants with the SEC. Today’s release offers a number of examples and illustrations that may assist those entities in understanding, whether they qualify, and, if they do, what their responsibilities are under Regulation S-ID.
I am pleased to support the staff’s recommendation to adopt Regulation S-1D and I want to thank the staff for its efforts.
3 See, Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-159, 117 Stat. 1952 (2003).