The Securities and Exchange Commission and the Commodity Futures Trading Commission have adopted rules that require most broker-dealers, mutual funds, investment advisers, and certain other regulated entities to create programs to prevent identity theft. The new rules become effective May 20, 2013, and entities regulated by the new rules must comply by November 20, 2013.

Regulated entities subject to the rules must develop identity theft prevention programs to detect “red flags” signaling potential identity theft, to respond appropriately to such red flags, and to periodically update detection programs as identity theft risks change.

Among other requirements, the Red Flag Rules apply to “financial institutions” that offer or maintain “covered accounts.” “Covered accounts” are defined broadly to include personal accounts designed to permit multiple transactions and any account with a reasonably foreseeable risk of identity theft to customers. “Financial institutions” include any entity that holds a transaction account belonging to a consumer on which the account holder can make withdrawals to pay third parties. Examples cited by the SEC include:

  1. a broker-dealer that offers custodial accounts;
  2. a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and
  3. an investment adviser that directly or indirectly holds transaction