April 10, 2013
Preventing and Detecting Identity Theft
SEC Open Meeting
April 10, 2013
The development and expansion of information technology and electronic communication during the past decade have led to increasing threats to the integrity and privacy of personal information. The federal government has taken steps to help protect individuals and help individuals protect themselves from the risks of theft, loss, and abuse of their personal information.
Congress amended the Fair Credit Reporting Act (FCRA) in 2003 to require several federal agencies, including the Federal Trade Commission (FTC) and banking regulators, to issue joint rules and guidelines on detecting, preventing, and mitigating identity theft. At that time, the FCRA did not include the SEC or CFTC among the agencies required to adopt identity theft rules, but instead gave the FTC authority to adopt and enforce identity theft rules related to entities regulated by the SEC and CFTC.
Under the Dodd-Frank Act, Congress amended the FCRA to transfer identity theft rulemaking responsibility and enforcement authority from the FTC to the SEC and CFTC for entities they regulate.
The SEC and CFTC jointly proposed rules in February 2012 requiring certain entities they regulate to adopt and administer identity theft red flags programs. The proposed rules were largely identical to the rules that the FTC and other federal agencies adopted under FCRA, and included examples and guidance to help entities comply with the rules.
The final rules require certain entities regulated by the SEC such as broker-dealers, mutual funds, and investment advisers to adopt an identity theft program.
The program should include policies and procedures designed to:
- Identify relevant types of identity theft red flags.
- Detect the occurrence of those red flags.
- Respond appropriately to the detected red flags.
- Periodically update the identity theft program.
The SEC’s rules apply only to SEC-regulated entities that meet the definition of “financial institution” or “creditor” under the FCRA.
The rules require entities to provide such things as staff training and oversight of service providers. The rules include guidelines and examples of red flags to help firms administer their programs.
The rules require entities that issue debit cards or credit cards to take certain precautionary actions when they receive a request for a new card soon after they receive a notification of a change of address for a consumer’s account.
The final rules will become effective 30 days after publication in the Federal Register. The compliance date for the final rules will be six months after their effective date.