The Securities and Exchange Commission on Wednesday adopted rules requiring broker-dealers, mutual funds, investment advisers and other “financial institutions” and “creditors” to adopt programs for detecting and responding to cases of identity theft.

The rules, adopted jointly with the Commodity Futures Trading Commission, also apply to the futures commission merchants, retail foreign exchange dealers, commodity trading advisers, commodity pool operators, swap dealers, and major swap participants that agency oversees.

“These rules are a common-sense response to the growing threat of identity theft to all Americans who invest, save, or borrow money,” SEC Chairman Mary Jo White said during the hearing, the first she presided over after being sworn into office earlier that morning. The vote approving the so-called "red flag" rules was unanimous.

Even though many regulated entities have already been subject to similar rules enacted by other agencies, the requirements will be brand new for investment advisers registered under the Investment Advisers Act, in particular private fund and hedge fund advisers that are recent registrants with the SEC, Commissioner Luis Aguilar explained prior to the vote to adopt what is being referred to as Regulation S-ID.

Congress amended the Fair Credit Reporting Act in 2003 to require several federal agencies, including the Federal Trade Commission and banking regulators, to issue joint rules and guidelines on detecting, preventing, and mitigating identity theft. At that time, the FCRA did not include the SEC or CFTC among the agencies required to adopt identity theft rules, but instead gave the FTC authority to do so for the entities they regulate. In 2010, the Red Flag Program Clarification Act narrowed the scope of the definition of “creditor,” relieving lawyers, accountants, and many healthcare providers from compliance.

With the Dodd-Frank Act, Congress amended the FCRA to transfer enforcement authority over to the SEC and CFTC. In response, they jointly proposed rules in February 2012 requiring those they oversee to administer identity theft “red flag” programs. Their proposed rules were largely identical to the rules that the FTC and other agencies adopted.

Required programs must have policies and procedures designed to: identify relevant types of identity theft red flags; detect the occurrence of those red flags; respond appropriately; and periodically update the identity theft program.

Rather than singling out specific red flags, the rule allows financial institutions and creditors flexibility in determining which ones may be relevant to their businesses and the accounts they manage. “Given the changing nature of identity theft, the Commissions believe that this element allows financial institutions or creditors to respond and adapt to new forms of identity theft and the attendant risks as they arise,” the SEC wrote in the rule.

Categories of red flags that financial institutions and creditors must consider including in their programs, as appropriate, include: alerts, notifications, or other warnings received from consumer reporting agencies or service providers; presentation of suspicious documents, such as documents that appear to have been altered or forged; presentation of suspicious personal identifying information, such as a suspicious address change; unusual use of, or other suspicious activity related to, a covered account; and notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft.

The rules require financial firms to provide staff training and oversight of service providers. Approval of the initial written program – and oversight of its development, implementation, and administration – is required from either the board of directors, a committee of the board, or if the entity does not have a board, from a designated senior management employee. Oversight of the program can be designated as a responsibility of the company's chief compliance officer.

Nationally recognized statistical rating organizations, self-regulatory organizations, municipal advisers, and municipal securities dealers are not specifically listed as subject to the new requirements as they are less likely to qualify as financial institutions or creditors. An entity that initially determines it does not need to have a program in place, however, is required to periodically reassess whether it must develop and implement one in light of changes in the accounts it offers or maintains.

The final rules will become effective 30 days after publication in the Federal Register; the compliance date will be six months after the effective date.