JP Morgan and others settle with SEC over inadequate ID protection

Financial institutions JP Morgan, UBS and TradeStation all settled with the Securities and Exchange Commission over accusations that their identity theft protection protocols were not up to the legally required standards.

In the case of JP Morgan, the SEC said its program spent a lot of time describing legal obligations to identify red flags, as well as provided some examples copy/pasted from the SEC's own documents, but did not actually explain how someone at JP Morgan was to identify any red flags or how to respond. While JP Morgan has taken action on identity theft, this seemed to be more of an ad-hoc response versus something part of a consistent program.

When it came to UBS, the SEC complaint said that its program had been compliant with the identity theft protection requirements of the Fair and Accurate Credit Transactions Act of 2003, implemented in 2007, but did not make any material changes when the rules were updated via Regulation S-ID in 2013. Further, it did not periodically review accounts to see whether they were covered by the new Regulation S-ID. Also like JP Morgan, its program did not really go over how exactly someone was meant to identify and respond to red flags.

For TradeStation Securities, the SEC said that it simply did not have or otherwise incorporate by reference reasonable policies and procedures to identify relevant red flags and incorporate them into its program. The SEC noted that what policies were there were not appropriate to its business model: For instance, while the broker-dealer talked about making sure that the photograph or physical description of the person is consistent with their identification, nearly all the company's accounts were opened online, meaning no one would have even had the opportunity to compare their physical appearance to their ID. When it came to actual red flags identified, the company instructed people to just perform additional due diligence with no specifics as to what things should actually be done. The SEC further stated that the board was only informed of identity theft cases when they exceeded $50,000 per quarter.

The Securities and Exchange Commission flag flies in front of a building.
SEC headquarters
Bloomberg News

"Regulation S-ID is designed to help protect investors from the risks of identity theft," said Carolyn Welshhans, acting chief of the SEC Enforcement Division's Crypto Assets and Cyber Unit in a statement. "Today’s actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft."

The SEC’s orders find that each company violated Rule 201 of Regulation S-ID. Without admitting or denying the findings, each company agreed to cease and desist from future violations of the charged provision, to be censured, and to pay the following penalties: JPMorgan: $1.2 million, UBS: $925,000, and TradeStation: $425,000.

For reprint and licensing requests for this article, click here.
Technology SEC Identity theft protection Regulation and compliance
MORE FROM ACCOUNTING TODAY