
SEC and CFTC Issue Proposed Rules on Identity Theft

March 6, 2012 -- On February 28, 2012, the Securities and Exchange Commission ("SEC") and the Commodity Futures Trading Commission ("CFTC") (jointly, the "Commissions") issued proposed rules and guidelines related to identity theft (the "Joint Proposed Rules"). The Commissions promulgated the Joint Proposed Rules pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act's amendments to § 615(e) of the Fair Credit Reporting Act ("FCRA"), which added the SEC and CFTC to the list of federal agencies required to enforce the FCRA's provisions regarding identity theft.

The Commissions state that the Joint Proposed Rules are "substantially similar" to those previously adopted by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, and the Federal Trade Commission.  The Commissions assert that the SEC and CFTC regulated entities subject to the Joint Proposed Rules "should already be in compliance" with the identity theft "rules of the F[ederal] T[rade] C[ommission] or the other Agencies"; hence, the Commissions suggest that regulated entities will likely already have in place many of the protections regarding identity theft that the Joint Proposed Rules would require.  However, the Joint Proposed Rules contain "examples" and "minor language changes" designed to help guide SEC and CFTC regulated entities in complying with the rules and discerning whether and how the identity theft rules and guidelines apply to their circumstances.

The Joint Proposed Rules, if adopted, would require "financial institutions" and "creditors" to develop and implement written identity theft prevention programs designed to detect, prevent, and mitigate identity theft in connection with "covered accounts" (the "Red Flags Rules"). The Joint Proposed Rules include guidelines designed to assist in the formulation and maintenance of a program that would satisfy the Red Flags Rules' requirements. The Joint Proposed Rules would also establish special requirements for credit and debit card issuers under the Commissions' jurisdiction to assess the validity of customer changes of address notifications under certain circumstances (the "Card Issuer Rules").

The Red Flags Rules, which are the primary focus of the Joint Proposed Rules, set forth:

1) definitions regarding the scope of coverage, including the terms "financial institution," "creditor" (which incorporate definitions from the FCRA) and "covered account" (which is defined to include personal and family accounts, or other accounts with a reasonably foreseeable risk of identity theft);

2) the objectives of the written identity theft protection program that the covered entities are required to adopt (the "Program");

3) the required elements of the Program; and

4) the steps required to administer the Program.

Substantial guidance is provided with respect to each of these requirements. 

With respect to the Card Issuer Rules, the CFTC notes that it is unlikely that any entities under its jurisdiction would issue debit or credit cards. The SEC projects that few, if any, entities under its jurisdiction would be subject to the proposed card issuer rules, as most SEC regulated entities that issue credit or debit cards do so through partnership with an affiliated or unaffiliated bank that acts as the card issuer.

The Commissions have requested comment on several aspects of the Joint Proposed Rules, including, among others, the scope of the Red Flags Rules, the proposed definitions of "financial institution," "credit," "creditor," and "covered account," the proposed objectives and elements of the Program, and the effective and compliance dates for the proposed rules and guidelines.  The SEC has specifically requested comment on whether its rule should "omit investment advisers or any other SEC regulated entity [such as registered broker-dealers or investment companies] from the list of entities covered by the proposed rule."  The SEC has also requested comments on whether information about compliance with any entity’s Program should be included in any periodic reports submitted by the entity’s chief compliance officer to its board of directors.  Comments regarding the Joint Proposed Rules are due by May 7, 2012.

Entities desiring to clarify the application of the Joint Proposed Rules to their business should consider submitting comments and monitoring subsequent developments. Specifically, SEC and CFTC regulated entities that have not implemented an identity theft detection and prevention Program in compliance with the "substantially similar" Rules of the Federal Trade Commission or other federal Agencies should consider reevaluating their status pursuant to the Joint Proposed Rules to ensure that they are not required to adopt such a Program.  In addition, companies that have already adopted a Program based on the rules of the Federal Trade Commission or other federal Agencies may want to consult the guidance in the Joint Proposed Rules to ensure that best practices are being followed. 

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

