The Securities and Exchange Commission (SEC) on Wednesday separately settled charges with three financial institutions that each allegedly failed to provide reasonable policies and procedures to identify relevant red flags of customer identity theft.
JPMorgan Securities, UBS Financial Services, and TradeStation Securities were each faulted by the SEC for violations of Regulation S-ID. JPMorgan agreed to pay $1.2 million in its settlement, while UBS and TradeStation were fined $925,000 and $425,000, respectively.
Each firm, without admitting or denying the SEC’s findings, agreed to cease and desist from future violations and to be censured.
The details: Regulation S-ID has been effective since 2013. Rule 201 of the regulation requires registered broker-dealers to develop and implement an ID theft prevention program “designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.”
The ID theft programs at each of JPMorgan, UBS, and TradeStation failed to identify and respond appropriately to red flags and weren’t updated as frequently as required, according to the SEC. The agency noted these deficiencies occurred from at least January 2017 to October 2019 in each case.
At JPMorgan, the firm’s program did not describe actions it would undertake to detect and respond to potential and actual incidents of ID theft, according to the SEC’s order. The firm was further alleged to have failed in its oversight of service providers regarding the processing of customer information and training of its own staff to implement one of its ID theft programs in 2017.
At UBS and TradeStation, the firms did not make material changes to their respective ID theft programs from the effective date of Regulation S-ID to the end of the relevant period, the SEC stated. UBS and TradeStation were also each faulted for alleged deficiencies in board oversight and program administration, while UBS was further criticized regarding its training of staff to respond to ID theft red flags.
Each of the three firms was acknowledged for having since audited and revised its ID theft program. UBS and TradeStation each voluntarily retained an outside consulting firm to review their respective programs and adopted all relevant recommendations.
“Today’s actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft,” said Carolyn Welshhans, acting chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, in a press release.
Firm responses: “We are committed to protecting our clients from identity theft and fraud,” said JPMorgan in an emailed statement. “The deficiencies described … were addressed years ago and there was no finding of client impact. The firm is in full compliance with regulatory requirements.”
“UBS is pleased to have resolved this matter regarding certain aspects of its legacy identity theft prevention program,” the firm said in an emailed statement. “Protecting the privacy and security of our client data is of the utmost importance to UBS. The SEC did not find that any clients were impacted and acknowledged that UBS had made substantial enhancements to its program.”
TradeStation did not reply to a request for comment.