SEC Extends Anti-ID Theft Rules for Banks
Published Date: 3/27/2025
Notice
Summary
The SEC wants to keep the identity theft rules (Regulation S-ID) going strong by extending the paperwork collection for financial firms and card issuers. These companies must keep updating their identity theft prevention plans, train their staff, and double-check address changes on credit or debit cards. No big changes or new costs, just continuing the good fight against identity theft with your feedback welcomed by the deadline.
Analyzed Economic Effects
6 provisions identified: 1 benefits, 5 costs, 0 mixed.
Identity-Theft Program Requirements
If your SEC-registered firm qualifies as a “financial institution” or “creditor,” you must create and periodically update an identity theft prevention Program approved by your board or senior management, have staff report periodically to the board, and train staff to implement the Program. Card issuers must also have policies to verify and notify cardholders about address-change requests when replacement or additional cards are requested.
Per-New-Entity One-Time Costs
SEC staff estimates each newly-formed financial institution or creditor will need 2 hours (costing $1,022) to do an initial assessment of covered accounts, plus 29 hours (costing $16,980) to develop and obtain board approval of a Program and train staff. Those are one-time burdens for newly-formed entities.
Aggregate One-Time Burden For New Firms
SEC staff estimates the aggregate initial one-time burden for newly-formed SEC-regulated entities will be 15,143 hours at a total cost of $8,786,158.
Per-Entity Annual Compliance Burdens
Each financial institution or creditor is estimated to have an annual burden of 1 hour (costing $511) to assess whether it offers covered accounts. Entities that maintain covered accounts would also incur an annual 2.5 hours to prepare/present a board report and 7 hours to review and update the Program, which SEC staff estimates will cost $9,429 per such entity annually.
Aggregate Annual Paperwork Burden
SEC staff estimates the total ongoing annual information collection burden of Regulation S-ID is 111,173 hours, with a total estimated annual cost of $90,470,555.
Card-Issuer Address-Change Rule Not Expected To Apply
Section 248.202 (change-of-address requirements for card issuers) applies only to entities that issue credit or debit cards, but SEC staff states that SEC-regulated entities generally do not issue cards and thus does not expect any SEC-regulated entities will be subject to the information-collection requirements of section 248.202; staff therefore estimates no hour or cost burden related to section 248.202 for SEC-regulated entities.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Department and Agencies
Take It Personal
Get Your Personalized Policy View
Start a Free Government Policy Watch to see how policy affects your household, then upgrade to PRIA Full Coverage for year-round monitoring.
Already have an account? Sign in