The SEC and the CFTC have jointly adopted rules requiring certain entities, including investment companies, to develop and implement written identity theft prevention programs that are designed to detect, prevent, and mitigate identity theft in connection with covered accounts. Most investment companies currently have identity theft prevention programs, because they were required by previous FTC rules (the Dodd-Frank Act transferred identity theft rulemaking responsibility and enforcement authority from the FTC to the SEC and CFTC for entities they regulate). The new rules are largely similar to those issued by the FTC, but include some additional examples and guidance to help entities comply with the rules.
A summary of the new rules by John Baker from Stradley Ronon can be found on his FundLaw blog here.