SEC and CFTC Publish Proposed Identity Theft Red Flag Rules for Public Comment

On February 28, 2012, the Securities and Exchange Commission ("SEC") and the Commodity Futures Trading Commission ("CFTC") issued proposed rules and guidelines, requiring broker-dealers, mutual funds, and other SEC- and CFTC-regulated entities to create programs to detect and respond appropriately to "red flags" commonly associated with identity theft. Since 2008, these entities have been subject to red flag regulations, adopted and enforced by the Federal Trade Commission ("FTC") and five other federal financial regulatory agencies, that apply to all "financial institutions" and "creditors." In 2010, the Dodd-Frank Act transferred authority to implement and enforce these regulations from the FTC to the SEC and CFTC for all SEC- and CFTC-regulated entities. Although Congress did not provide a list of entities that are affected by this change, the SEC has indicated that the new regulations also would apply to broker/dealers registered under the Securities Exchange Act, investment companies registered under the Investment Company Act, and investment advisers registered under the Investment Advisers Act.

Apart from the change in enforcement power, the proposed rules are substantially similar to the rules adopted by the FTC. The regulation will continue to cover "financial institutions" and "creditors" that offer or maintain "covered accounts," including all accounts that "a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions" as well as "any other account … for which there is a reasonably foreseeable risk to customers … from identity theft." Proposed § 162.30(b)(3) (CFTC); proposed § 248.201(b)(3) (SEC). Moreover, the new regulation adopts the four-part framework outlined in the FTC's regulation, requiring companies to: (i) identify patterns, practices, or specific activities that indicate the possible existence of identity theft in connection with a covered account; (ii) detect red flags when they occur; (iii) develop appropriate policies and procedures to respond when red flags are detected; and (iv) periodically update their program to reflect any changes in risk.

The proposed regulation will be open for comment for 60 days. You can read the proposed regulation on the SEC's web site here.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at

Veronica K. McGregor
San Francisco

Katherine S. Ritchey
San Francisco

Mauricio F. Paez
New York

Elaine Wallace
San Francisco

Karen Gal-Or
San Francisco

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.