Easy access to information has made it increasingly common for hackers and thieves to collect and share personal information about individuals. Congress initially responded to this problem by amending the Fair Credit Reporting Act (“FCRA”) in 2003, mandating that certain federal agencies adopt rules requiring organizations to implement programs for detecting and preventing identity theft (“ID Red Flag Rules”). Although these rules applied to many entities that were also registered with the Commodity Futures Trading Commission (“CFTC”) and the Securities and Exchange Commission (“SEC”), neither the SEC nor the CFTC issued its own ID Red Flag Rules at the time. Consequently, neither the SEC nor the CFTC examined their registrants for compliance or enforced the rules.
However, in April of this year, as required by the Dodd-Frank Act, the SEC and CFTC jointly adopted a rule for the prevention of identity theft, called Regulation S-ID (“Reg S-ID” or “Rule”). The Rule is similar to the ID Red Flag Rules previously enacted by the other agencies, though the SEC and CFTC provide additional guidance on its scope and application for SEC and CFTC registrants.
The Rule requires SEC or CFTC registrants (e.g., investment advisers, investment companies, broker-dealers, commodity pool advisors, futures commission merchants, retail foreign exchange dealers, commodity trading advisers, introducing brokers, swap dealers, and major swap participants) to establish and maintain programs that detect, prevent, and mitigate identity theft, if they maintain certain types of accounts for clients. These organizations must implement Reg S-ID policies and procedures by November 20, 2013.
Importantly, while they may have been covered by prior ID Red Flag Rules, SEC and CFTC registrants are now subject to oversight by the SEC and CFTC with respect to these rules. With the implementation date approaching, we are seeing that impacted organizations are beginning to finalize their approach.
This Financial Services Regulatory Brief clarifies which organizations will be subject to Reg S-ID, assesses the impact of the Rule’s requirements, and provides our view of industry best practices for satisfying the Rule.