SEC and CFTC Propose Rules Regarding Detecting Identity Theft
On February 28, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC, together with the SEC, the Commissions) jointly issued proposed rules that would require entities subject to the Commissions’ jurisdiction to address identity theft in two ways: (i) financial institutions and creditors would be required to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identify theft with either certain existing accounts or opening new accounts, and (ii) credit and debit card issuers subject to the Commissions’ jurisdiction would be required to assess the validity of change-of-address notifications under certain circumstances. Section 1088 of the Dodd-Frank Act transferred authority over certain parts of the Fair Credit Reporting Act from the Federal Trade Commission to the Commissions for entities they regulate. The Commissions’ proposed rules are substantially similar to rules adopted in 2007 by the FTC and other federal financial regulatory agencies that previously were required to adopt such rules. The proposed rules set out the four elements that regulated entities would be required to include in their identify theft prevention programs: (i) identify relevant red flags, (ii) detect the occurrence of red flags, (iii) respond appropriately to the detected red flags, and (iv) periodically update the program to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft. The Commissions issued jointly proposed guidelines in an appendix to the proposed rules to assist regulated entities in formulating and maintaining a Program that would satisfy the proposed rule requirements. The Commissions are accepting comments on the proposal through May 7, 2012.