SEC and CFTC Issue Final Joint Red Flag Rules and Guidelines to Protect Against Identity Theft | Practical Law

The SEC and CFTC issued final joint red flag rules and guidelines requiring certain regulated entities to establish programs to address risks of identity theft. The rules and guidelines also implement provisions of the Dodd-Frank Act.

by PLC Intellectual Property & Technology
Published on 12 Apr 2013 | USA (National/Federal)
On April 10, 2013, the SEC and CFTC (Commissions) issued rules and guidelines to require certain regulated entities to adopt programs designed to prevent identity theft. In 2012, the Dodd-Frank Wall Street Reform and Consumer Protection Act amended the Fair Credit Reporting Act to transfer to the Commissions rulemaking responsibility and enforcement authority for identity theft red flags rules for entities subject to each agency's enforcement authority. These entities include broker-dealers, mutual funds, investment advisers and certain other regulated agencies. The final rules:
  • Require financial institutions and creditors to develop and implement written identity theft prevention programs designed to detect, prevent and mitigate identity theft in connection with certain existing accounts or new accounts.
  • Establish special requirements for any credit and debit card issuers subject to the Commissions' respective enforcement authorities to assess the validity of notifications of changes of address under certain circumstances.
Regulated entities subject to the rules must establish identity theft prevention programs with policies and procedures that:
  • Identify relevant red flags.
  • Detect the red flags.
  • Respond appropriately to detected red flags.
  • Periodically update the program to reflect changes in identity theft risks to customers and the regulated entity.
After receiving 27 comment letters, the Commissions adopted final rules substantially similar to their proposed rules from February 2012. For more information on the proposed rules, see Legal Update, SEC and CFTC Propose Joint Red Flag Rules and Guidelines to Protect Against Identity Theft. The final rules do not expand the requirements of the rules adopted by the FTC (jointly with the federal bank regulatory agencies) in 2007, nor do they expand the scope of those rules to include new entities that were not previously covered.
The rules also contain examples and minor language changes to aid compliance. The Commissions therefore advise that this may cause some entities that had not previously complied with the 2007 rules to determine that they fall within the scope of the Commissions' rules.
The rules and guidelines will be effective May 20, 2013. Entities subject to regulation must be in compliance with the rules and guidelines by November 20, 2013.