From Section 1088 of the Dodd-Frank Act comes final rules and guidelines from the SEC that would require entities covered by the rules to establish programs aimed at detecting, preventing, and mitigating identity theft. Previously, Dodd-Frank required the SEC and the U.S. Commodity Futures Trading Commission (“CFTC”) to adopt joint rules requiring entities that are subject to these agencies’ respective enforcement authorities to address identity theft.
Regulation S-ID is an expansion of the initial requirements of amendments in 2003 to the Fair Credit Reporting Act. Those amendments required federal agencies deemed “financial institutions,” or “creditors” to issue joint rules and regulations regarding identity theft. The rules were enacted in 2007. At the time, neither the SEC nor the CFTC adopted the identity theft rules because the laws did not authorize either agency to do so. Instead, entities that the SEC and CFTC regulate such as broker-dealers and futures commission merchants were covered by the rules of other agencies. Even though the SEC was not one of the included agencies, many of its regulated entities were likely to have already been subject to similar rules enacted earlier by those other agencies, as a result of activities that cause these entities to qualify as “financial institutions” or “creditors.”
The SEC rules are similar to those that other agencies adopted in 2007. The SEC and CFTC rules include guidance to help firms determine how to comply with the new rules. The SEC’s identity theft rules would apply to broker-dealers, investment companies, and investment advisers. The CFTC’s rules would apply to entities such as futures commodity merchants, commodity trading advisors, and commodity pool operators.
The final rules note that Rule S-ID will become effective 30 days after its publication in the Federal Register. The compliance date for the final rules will be six months after their effective date.