ICI Files Comment Letter with SEC on Proposed "Red Flag" Identity Theft Rules (pdf)

May 1, 2012 Elizabeth M. Murphy, Secretary U.S. Securities and Exchange Commission 100 F Street, NE Washington, D.C. 20549-1090 Re: Proposed Identity Theft Red Flags Rule; File No. S7-02-12 Dear Ms. Murphy: The Investment Company Institute1 appreciates the opportunity to express our support for the identity theft red flag rules proposed by the Securities and Exchange Commission (Commission or SEC).2 We commend the Commission for proposing requirements that are consistent with those that have applied to certain SEC registrants since 2008 pursuant to rules of the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). This consistency will facilitate registrants’ transition from compliance with the FTC’s rule to the Commission’s rule with little or no disruption or added expense. As discussed in the Commission’s Release, Section 114 of the FACT Act required the FTC to adopt identity theft red flag rules applicable to financial institutions, including SEC registrants. The FACT Act specified that the rules require financial institutions to establish and maintain guidelines to guard against identity theft, establish reasonable policies and procedures to implement these guidelines, and identify possible risks to account holders. These rules are intended to protect individuals from the risk of theft, loss, and abuse of their personal information.3 1 The Investment Company Institute is the national association of U.S. investment companies, including mutual funds, closed-end funds, exchange-traded funds (ETFs), and unit investment trusts (UITs). ICI seeks to encourage adherence to high ethical standards, promote public understanding, and otherwise advance the interests of funds, their shareholders, directors, and advisers. Members of ICI manage total assets of $13.4 trillion and serve over 90 million shareholders. 2 See SEC Release No. IC-29969 (February 28, 2012) (the “Release”). Our comments are limited to the provisions of proposed Rule 248,201 (“Proposed Rule”). 3 In 2007, when the FTC rules were adopted, there was uncertainty regarding the extent to which the rules applied to registered investment companies. To address this uncertainty, the Institute worked with the staffs of both the FTC and the Commission to clarify the rules’ scope and application to registered investment companies. This, in turn, enabled registered investment companies to implement the rules in accordance with the FACT Act and the FTC’s requirements. Elizabeth M. Murphy, Secretary May 1, 2012 Page 2 When the Dodd-Frank Wall Street Reform and Consumer Protect Act was enacted in 2010, it transferred from the FTC to the Commission the requirement to adopt and implement identity theft rules and guidelines for SEC registrants. Consistent with this mandate, the Commission published the Release. We are quite pleased that, as noted above, the Commission’s rule is wholly consistent with the rules the FTC has had in place since 2007. Indeed, the Commission’s Release expressly notes that, if adopted, its proposed rules and guidelines “would not contain new requirements not already in [the FTC’s] final rules, nor would they expand the scope of those rules to include new entities that were not already previously covered by the [FTC’s] rules.”4 We commend the Commission for taking this approach. As a result, there should be no need for SEC registrants to revise their guidelines or policies and procedures in response to the Commission’s rule; nor should the Commission’s rulemaking disrupt registrants’ existing identity theft programs.5 To further ensure this result, the Institute recommends that the Commission clarify in its adopting release one issue related to the Proposed Rule. Like the current FTC rule, subdivision (e)(1) of the Proposed Rule would require each SEC registrant, which includes registered investment companies, to obtain approval of its “initial” identity theft program from either its board of directors or an appropriate committee of the board.6 We recommend that the Commission clarify in any adopting release that the term “initial” only captures those identity theft prevention programs established after the effective date of the final rule. Registered investment companies that are currently subject to the FTC’s rule already will have had their identity theft prevention programs approved by their boards (or an appropriate committee thereof). Given this and the fact that the current FTC requirements are the same as the proposed Commission requirements, it seems unnecessary and duplicative for these companies to again seek board approval. Our recommended clarification would enable these entities both to avoid the time and expense involved in obtaining board approval of their existing identity theft programs and ensure, consistent with the Commission’s intent, a seamless transition from the FTC’s to the Commission’s rule.7 ■ ■ ■ ■ 4 Release at pp. 9-10. 5 We are particularly pleased with the proposed rules’ flexible, principles-based approach. This approach will enable each registrant to tailor its program to its own operations, thereby facilitating its ability to design an effective program that is appropriate to its size, complexity, and the nature and scope of its operations. 6 See SEC Proposed Rule 248.201(e)(1) and FTC Rule 681.2(e)(1). 7 We note that that, like the requirements under the FTC’s rules, the Proposed Rule’s requirement for annual reporting to the board, a board committee, or senior management addresses ongoing oversight of existing identity theft programs. Elizabeth M. Murphy, Secretary May 1, 2012 Page 3 The Institute appreciates the opportunity to express our support for the Commission’s proposed rule. We commend the Commission for designing its rule to be substantively identical to the FTC’s rule thereby avoiding any disruptions resulting from the transfer of regulatory authority. Sincerely, /s/ Tamara K. Salmon Senior Associate Counsel cc. The Honorable Mary L. Schapiro The Honorable Elisse B. Walter The Honorable Luis A. Aguilar The Honorable Troy A. Paredes The Honorable Daniel M. Gallagher