The Securities and Exchange Commission charged J.P. Morgan Securities, UBS Financial Services and TradeStation Securities, an online brokerage, for failing to meet the standard of Reg S-ID, the commission’s Identity Theft Red Flags Rule.
The collective penalties totaled more than $2 million, which one securities attorney acknowledged was a pittance considering the size of the firms, suggesting the charges were intended as an industrywide message encouraging registrants to ensure their own standards are up to par.
“Today’s actions are reminders that broker/dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft,” said Carolyn M. Welshhans, the acting chief of the SEC Enforcement Division's Crypto Assets and Cyber Unit, in a statement.
The SEC alleges the three firms’ identity theft prevention protocols failed to include “reasonable policies and procedures” to pinpoint red flags. In the case of J.P. Morgan, the SEC claimed the firm’s two prevention programs had “substantial deficiencies,” with its programs merely restating general legal requirements, and listing verbatim examples provided by the SEC in Reg S-ID.
“None of the incorporated policies and procedures listed in either program explained how (J.P. Morgan) was to identify any of the enumerated red flags to respond to the red flags in order to prevent and mitigate identity theft,” the order read.
The SEC alleged UBS did not make any material changes to its identity theft prevention programs after Reg S-ID went into effect in May 2013, only updating their policies in March 2017 with a reference to the commission’s rule as one of the “related regulations” with which their program had to comply. During the time in question in the three orders (ranging from about January 2017 to October 2019), UBS failed to periodically review new or existing accounts to see if they fell under Reg S-ID mandates.
Likewise, TradeStation failed to make material changes to its identity theft programs in the wake of Reg S-ID’s 2013 effective date, only later marking as red flags the examples listed in Reg S-ID that were described as “non-comprehensive” by the commission. This could lead to situations like an example the SEC described, in which TradeStation’s program included a potential red flag as a situation where a photograph or physical description on an identification was inconsistent with that of the applicant presenting an identification. But most accounts were opened online, so the firm would have no opportunity to compare physical appearances.
In a statement, a J.P. Morgan spokesperson said the firm was “committed” to protecting clients from fraud.
“The deficiencies described today were addressed years ago and there was no finding of client impact,” the spokesperson said. “The firm is in full compliance with regulatory requirements.”
A UBS spokesperson said the firm was pleased to have resolved the issue, saying that protecting clients' privacy was "of the utmost importance" to the firm.
"The SEC did not find that any clients were impacted and acknowledged that UBS had made substantial enhancements to its program,” the spokesperson said.
Representatives from TradeStation did not respond to requests for comment.
The commission brought its first enforcement action related to Reg S-ID in 2018, with Voya Financial Advisors agreeing to pay $1 million to settle charges for failing to prevent a leak of personal information for more than 5,000 customers. The cyber intruders eventually used the compromised information to create new customer profiles and get access to three customers’ account documents.
But enforcement actions related to Reg S-ID are largely few and far between, according to Max Schatzow, an attorney and co-founder of RIA Lawyers. But the fines involved in these newest actions (totaling $1.2 million for J.P. Morgan, $925,000 for UBS and $425,000 for TradeStation) were minimal compared with the organizations’ size. Schatzow noted the alleged violations didn’t include actual investment losses, but instead related to things like wire fraud, requests and transfers.
“The reality is, if the SEC wanted to, they could probably bring this exact same action against every firm in the industry if they were really adamant about it,” he said. “They hand select a few larger registrants, and they try to send a message to the industry every now and then, saying ‘look, this is important. You should be taking it seriously, and we’re going to do the same.’”
To settle the charges, the three firms did not admit nor deny the findings, but agreed to a censure and cease and desist, in addition to the monetary penalties.