Privacy, identity theft and similar issues can be key for firms that have files containing personal data of clients. The Commission addressed the question of identity theft with the adoption of Regulation S-ID in 2013. The first enforcement action was brought against a broker-dealer five years later.

On July 27, 2022, the Commission filed three settled actions against brokers centered on violations of Regulation S-ID. The proceeding brought against J.P. Morgan Securities LLC, Adm. Proc. File No. 3-20936, is typical.

Respondent is a broker based in New York City. The firm is a registered broker-dealer and investment adviser. It is a wholly owned subsidiary of JPMorgan Chase & Company, a global financial services firm.

From January 2017 through the end of 2019 the firm failed to comply with Rule 201 of Regulation S-ID because its written identity theft prevention programs for the applicable lines of business failed to include reasonable policies and procedures to: 1) identify relevant red flags for the covered accounts; 2) respond appropriately to detected red flags; and 3) ensure that each program was updated periodically to reflect changes in identity theft risks to customers.

Regulation S-ID requires that an identity theft program include reasonable policies and procedures to: identify relevant red flags; detect those red flags; respond appropriately to them; and ensure that the program is updated to reflect evolving risks in the area.

The identification of red flags is key to the regulation. In this regard the firm must consider factors that are specific to it in order to identify red flags that are relevant to its business and the nature and scope of the pertinent activities. Factors to consider include the type of accounts offered by the firm, the methods it provides to open and access covered accounts, and the firm’s experience with identity theft.

The Appendix to the Regulation contains guidelines to assist firms in formulating and maintaining an identity theft prevention program that complies with the regulation. The Appendix contains lists of red flags that a firm should consider when creating a program. The firm is required to incorporate those which are appropriate to its business and the risks.

The Regulation also requires that the firm periodically consider the evolution of identity theft over time to update the red flags adopted as part of its program. The adopting firm must have a written program and implement it by methods such as training and appropriate oversight.

In this proceeding Respondent had accounts under two lines of business covered with identity theft programs. Each program was deficient. For example, while each had red flags, they were not based on firm specific factors. Rather, the programs were essentially restatements of the general legal requirements. Likewise, neither program had policies or procedures to ensure that the programs were updated periodically with new red flags based on customer experience. And, appropriate oversight was not conducted.

In resolving this matter, the firm undertook remedial efforts by, in part, adopting improved policies and procedures. To resolve the proceedings Respondent consented to the entry of a cease-and-desist order based on Rule 201 of Regulation S-ID and a censure. The firm also agreed to pay a penalty of $1.2 million. See also In the Matter of UBS Financial Services, Inc., Adm. Proc. File No. 3-20937 (July 27, 2022) (based on violation of same regulation; resolved with a cease-and-desist order based on Regulation S-ID, a censure, and payment of a penalty in the amount of $925,000); In the Matter of TradeStation Securities, Inc., Adm. Proc. File No. 3-20938 (July 27, 2022) (similar to above; resolved with the entry of a cease-and-desist order based on Regulation S-ID, a censure and payment of a fine in the amount of $425,000).


Insider trading has been a key focus of SEC enforcement in recent months. This is consistent with the historical approach to enforcement by the agency over the years. In recent weeks, however, the agency appears to have become more aggressive in the area. One of the most recent examples of these cases involves a former Congressman from Indiana, SEC v. Buyer, Civil Action No. 1:22-cv-06279 (S.D.N.Y. Filed July 25, 2022).

Defendant Stephen E. Buyer is the principal of Steve Buyer Group, a business Mr. Buyer founded in 2011 after leaving the U.S. House of Representatives. The firm attempts to leverage Mr. Buyer’s congressional experience. It aids clients with issues related to matters such as Veterans Affairs and the telecommunications industry.

In 2018 and 2019, the former Congressman misappropriated material non-public information from two clients, using it to profitably trade. First, in 2018, Mr. Buyer acted as a consultant for T-Mobile US, Inc. During his work he learned that T-Mobile planned to acquire Sprint Corporation. The planned acquisition was not public. Mr. Buyer misappropriated the material, non-public information. Prior to the deal announcement Mr. Buyer purchased 112,675 shares of Sprint stock at a cost of $568,000. Following the April deal announcement he had profits of $107,987.

Mr. Buyer also misappropriated material, non-public deal information the next year. In 2019 he acted as a consultant to Guidehouse LLP. The firm planned to acquire Navigant Consulting. Mr. Buyer misappropriated the inside information about the deal and used over $1 million to purchase 46,654 shares of Navigant stock. He used the accounts of his wife and son, as well as that of a friend, to make the acquisitions. Following the deal announcement in August 2019 Mr. Buyer had profits of about $227,742. The complaint alleges violations of Exchange Act Section 19(b). The case is pending. See Lit. Rel. No. 25448 (July 25, 2022).
