Three Firms Sanctioned For Inadequate Identity Theft Programs
Privacy, identity theft and similar issues can be key for firms that have files containing personal data of clients. The Commission addressed the question of identity theft with the adoption of Regulation S-ID in 2013. The first enforcement action was brought against a broker-dealer five years later.
On July 27, 2022, the Commission filed three settled actions against brokers centered on violations of Regulation S-ID. The proceeding brought against J.P. Morgan Securities LLC, Adm. Proc. File No. 3-20936, is typical.
Respondent is a broker based in New York City. The firm is a registered broker-dealer and investment adviser. It is a wholly owned subsidiary of JPMorgan Chase & Company, a global financial services firm.
From January 2017 through the end of 2019 the firm failed to comply with Rule 201 of Regulation S-ID because its written identity theft prevention programs for the applicable lines of business failed to include reasonable policies and procedures to: 1) identify relevant red flags for the covered accounts; 2) respond appropriately to detected red flags; and 3) ensure that each program was updated periodically to reflect changes in identity theft risks to customers.
Regulation S-ID requires that an identity theft program include reasonable policies and procedures to: identify relevant red flags; detect those red flags; respond appropriately to them; and ensure that the program is updated to evolving risks in the area.
The identification of red flags is key to the regulation. In this regard the firm must consider factors that are specific to it in order to identify red flags that are relevant to its business and to the nature and scope of the pertinent activities. Factors to consider include the types of accounts offered by the firm, the methods it provides for opening covered accounts and accessing them, and the firm’s experience with identity theft.
The Appendix to the Regulation contains guidelines to assist firms in formulating and maintaining an identity theft prevention program that complies with the regulation. The Appendix contains lists of red flags that a firm should consider when creating a program. The firm is required to incorporate those which are appropriate to its business and the risks.
The Regulation also requires that the firm periodically consider the evolution of identity theft over time to update the red flags adopted as part of its program. The adopting firm must have a written program and implement it by methods such as training and appropriate oversight.
In this proceeding Respondent had accounts under two lines of business covered by identity theft programs. Each program was deficient. For example, while each had red flags, they were not based on firm-specific factors. Rather, the programs were essentially restatements of the general legal requirements. Likewise, neither program had policies or procedures to ensure that the programs were updated periodically with new red flags based on customer experience. And appropriate oversight was not conducted.
In resolving this matter, the firm undertook remedial efforts by, in part, adopting improved policies and procedures. To resolve the proceedings Respondent consented to the entry of a cease-and-desist order based on Rule 201 of Regulation S-ID and a censure. The firm also agreed to pay a penalty of $1.2 million. See also In the Matter of UBS Financial Services, Inc., Adm. Proc. File No. 3-20937 (July 27, 2022) (based on violation of the same regulation; resolved with a cease-and-desist order based on Regulation S-ID, a censure, and payment of a penalty in the amount of $925,000); In the Matter of TradeStation Securities, Inc., Adm. Proc. File No. 3-20938 (July 27, 2022) (similar to above; resolved with the entry of a cease-and-desist order based on Regulation S-ID, a censure, and payment of a fine in the amount of $425,000).