When issuing new joint identity theft rules earlier this month, the CFTC and SEC clarified that a fund board does not have to reapprove its current identity theft program if it meets the requirements of the new rules.
Most funds already have identity theft programs in place to comply with regulations previously issued by the FTC. The new CFTC/SEC rules were issued after the Dodd-Frank Act transferred identity theft rulemaking authority to those agencies. Under both the old and new rules, boards are required to approve their funds’ identity theft programs. However, the adopting release clarifies that a board does not have to reapprove its current program if it meets the requirements of the new rules (which are largely similar to the former FTC rules): “We agree that if a financial institution or creditor already has [an identity theft program (“Program”)] in place, the board is not required to reapprove the existing Program . . . , provided the Program otherwise meets the requirements of the final rules.”