SEC Takes Action Against Large US Banks On Customer Identity Theft

July 29, 2022
The Securities and Exchange Commission (SEC) has charged J.P. Morgan, UBS and securities broker TradeStation on separate counts for deficiencies in their programmes aimed at preventing customer identity theft.

According to the SEC’s orders, from January 2017 to October 2019, the firms’ identity theft prevention programmes did not include reasonable policies and procedures to identify relevant red flags in connection with customer accounts or incorporate those red flags into their programmes.

In addition, the SEC said that the firms’ programmes did not include reasonable policies and procedures to respond appropriately to detected identity theft red flags or to ensure that they were updated periodically to reflect changes in risks to customers.

The SEC is charging the firms via Regulation S-ID, or the Red Flags Rule.

"Regulation S-ID is designed to help protect investors from the risks of identity theft," said Carolyn M. Welshhans, acting chief of the SEC Enforcement Division's Crypto Assets and Cyber Unit.

It aims to ensure financial institutions appropriately monitor and mitigate against this possibility.

Welshhans said that the actions should act as a reminder that broker-dealers and investment advisers must design and operate identity theft prevention programmes that are appropriately tailored to their businesses.

"They should update them in response to the increased threat and changing nature of identity theft."

The separate charges for the financial institutions are varied.

The J.P. Morgan order finds that the firm failed to exercise appropriate and effective oversight of all service provider arrangements and failed to train staff to effectively implement one of its identity theft prevention programmes in 2017.

Meanwhile, the UBS order finds that the firm failed to periodically review new or existing types of customer accounts to determine whether and how its identity theft prevention programme should apply to them.

It also failed to adequately involve the board of directors in the oversight, development, implementation and administration of the programme, and like J.P. Morgan, failed to train its employees to effectively implement it.

The SEC’s orders find that each firm violated Rule 201 of Regulation S-ID.

Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations of the charged provision and to be censured, with J.P. Morgan paying $1.2m, UBS paying $925,000 and TradeStation paying $425,000.
