Regulation S-ID, Identity Theft Red Flags Rules

Regulation S-ID: Identity Theft Red Flags (17 CFR Part 248, Subpart C) requires SEC-regulated financial institutions and creditors (including brokers, dealers, investment companies, and investment advisors) that offer or maintain covered accounts to develop and implement a written Identity Theft Protection Program designed to detect, prevent, and mitigate identity theft risks in connection with covered accounts, while card issuers must establish and implement written procedures to assess the validity of address changes when followed by requests for additional or replacement cards in a short period of time. Regulation S-ID, including the information collection requirements thereunder, is designed to better protect investors from the risks of identity theft by ensuring that SEC-regulated financial institutions maintain effective safeguards against identity theft that could harm consumers and threaten the safety and soundness of financial institutions. The SEC has used this information to examine compliance with identity theft prevention requirements during regulatory examinations. This collection fulfills recordkeeping and internal governance requirements where SEC-regulated entities must document their policies and procedures, but the documentation is maintained internally rather than reported directly to the SEC, though the SEC reviews these records during examinations to assess compliance with the regulation.

The latest form for Regulation S-ID, Identity Theft Red Flags Rules expires 2028-09-30 and can be found here.