Memo #
34235

SEC Sanctions Three Distributors For Red Flag Violations


July 28, 2022

TO: Broker/Dealer Advisory Committee
CCO Advisory Issues Subcommittee
Operations Committee
Transfer Agent Advisory Committee

RE: SEC Sanctions Three Distributors For Red Flag Violations

 

Yesterday, the SEC's Division of Enforcement announced the settlement of enforcement actions it brought against three firms: two dually-registered as a broker-dealer and investment adviser and one broker-dealer.[1] While the respondents in each of these cases neither admitted nor denied the violations, the SEC found they occurred and sanctioned the firms for committing them. The facts in each of these cases are slightly different, but they all allege that the Respondents failed to have identity theft prevention programs that complied with the requirements of Regulation S-ID. Each of the actions also notes that each firm "has undertaken substantial remedial acts, including auditing and revising" their Programs. The facts of each of these cases and the sanctions imposed are briefly discussed below.

JP Morgan[2]

In the action against JP Morgan, a dually registered broker-dealer and investment adviser, the SEC found that, for calendar years 2017-2019, the firm's written identity theft prevention program failed to include reasonable policies and procedures to:

  • Identify relevant red flags for the types of covered accounts it maintained;
  • Respond appropriately to detected red flags to prevent and mitigate identity theft; and
  • Ensure that the program was updated periodically to reflect changes in identity theft risks to customers.

In particular, the firm failed to:

  • Incorporate policies or procedures that described how identity theft red flags were to be (1) identified or (2) appropriately responded to once identified.  Instead, their policies and procedures merely restated the regulation's general legal requirements (e.g., "Identify red flags");
  • Describe the actions the firm took when it responded to potential and actual incidents of identity theft;
  • Update its procedures when necessary or have a written process for determining whether and when such updates were necessary;
  • Appropriately and effectively oversee its service providers.  While the firm had policies and procedures requiring it to assess its service providers annually to determine if they detected and reported identity theft red flags, the firm failed to monitor its service providers' activities to ensure that they were being conducted in accordance with policies and procedures designed to detect, prevent, and mitigate identity theft; and
  • Provide any identity theft prevention program-specific training to the staff for the calendar year 2017. 

Based on these violations, the firm was censured, ordered to cease and desist from further violations, and fined $1.2 million.

UBS[3]

UBS is a dually-registered broker-dealer and investment adviser and, like JP Morgan's violations, UBS's violations occurred from 2017-2019. The SEC found that UBS's identity theft prevention program was adopted in November 2008. From then until October 2019, UBS failed to make any material changes to its program. The firm did, however, in March 2017, revise its program to add a reference to "the SEC's Regulation S-ID." According to the SEC, the firm failed to:

  • Provide sufficient detail regarding its program's requirements.  For example, while the firm's program provided that a "response to and mitigation of identity theft consists of two parts," (i.e., responses to identity theft attempts and implementation of additional account protections), it did not include policies and procedures on these two parts;
  • Have reasonable policies and procedures requiring the updating of its program's policies and procedures;
  • Update its program despite significant changes in external cybersecurity risks; and
  • Provide the firm's board of directors sufficient information about the program in the annual report the firm provided to the board about the program. These reports failed to discuss the risks of identity theft at UBS or the firm's service providers, significant identity theft-related incidents and management's response, or metrics related to identity theft that would enable the board to effectively oversee the program.

Based on these violations, the firm was censured, ordered to cease and desist from committing further violations, and fined $925,000.

TradeStation Securities[4]

TradeStation is a registered broker-dealer based in Florida. While the violations the firm committed occurred between 2017 and 2019, the SEC found that, since May 2013, the firm made no material changes to its Red Flag Identity Theft Prevention Program. In addition to this failure, the SEC found that the firm failed to:

  • Design a program that was tailored to the firm, its business, and its customers. Instead, its program only identified those red flags that were provided as non-comprehensive examples in the Appendix to Regulation S-ID. For example, while the firm's program referenced red flags related to a customer's physical appearance, because nearly all of the firm's accounts were opened online, the firm did not have the ability to compare a customer's physical appearance with his or her identification. Similarly, while the program referenced eight other red flags regarding information received from consumer reporting agencies, the firm failed to obtain and review consumer reports when opening accounts;
  • Respond appropriately to red flags or provide details on what review should be conducted when a red flag was identified. Instead, the program merely required "additional due diligence" be conducted without detailing what that consisted of or who to contact in connection with it;
  • Adequately provide for the continued administration of the program.  For example, the firm failed to provide reports about its program to its board, a committee of the board, or senior management.  The only reports provided to the board or senior management were limited to risk tolerance breaches triggered when a fraud incident caused losses of more than $50,000 in the previous quarter; and
  • Include or incorporate by reference any policies and procedures for the oversight of service providers to ensure that their activities were conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

Based on these violations, the firm was censured, ordered to cease and desist, and fined $425,000.

 

 

 

Tamara K. Salmon
Associate General Counsel
 

 

endnotes

[1] See SEC Charges JP Morgan, UBS, and TradeStation for Deficiencies Relating to the Prevention of Customer Identity Theft, Press Release 2022-131 (July 27, 2022), which is available at: https://www.sec.gov/litigation/admin/2022/34-95367.pdf.

[2] See In the Matter of J.P. Morgan Securities, LLC., Administrative Proceeding File No. 3-20936 (July 27, 2022), which is available at: https://www.sec.gov/litigation/admin/2022/34-95367.pdf.

[3]  See In the Matter of UBS Financial Services, Inc., Administrative Proceeding File No. 3-20937 (July 27, 2022), which is available at: https://www.sec.gov/litigation/admin/2022/34-95368.pdf.

[4]  See In the Matter of TradeStation, Administrative Proceeding No. 3-20938 (July 27, 2022), which is available at: https://www.sec.gov/litigation/admin/2022/34-95369.pdf.