Enforcement News: SEC Charges Broker-Dealers/Investment Advisers With Deficiencies Relating to the Prevention of Customer Identity Theft

• Posted on: Aug 1 2022

By: Jeffrey M. Haber

The growth of information technology and electronic communication over the past few decades has made it increasingly easy to collect, maintain, and transfer personal information.¹ With the advancement of technology, the public faces repeated threats to the integrity and privacy of their personal information. The federal government has taken steps to help protect individuals, and to help individuals protect themselves, from the risks of theft, loss, and abuse of their personal information. 

The Fair Credit Reporting Act of 1970 (“FCRA”),² as amended in 2003,³ required several federal agencies to issue joint rules and guidelines regarding the detection, prevention, and mitigation of identity theft for entities that are subject to their respective enforcement authorities (also known as the “identity theft red flags rules”). The FCRA did not require or authorize the Securities Exchange Commission (“SEC”) and the Commodities Futures Trading Commission (“CFTC”) to issue identity theft red flags rules. Instead, the FRCA applied to entities that registered with the CFTC and SEC, such as futures commission merchants, broker-dealers, investment companies, and investment advisers.

In 2010, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), which, among other things, amended the FCRA to add the CFTC and SEC to the list of federal agencies that must jointly adopt and individually enforce identity theft red flags rules. In February 2012, the SEC and CFTC jointly proposed for public notice and comment identity theft red flags rules and guidelines and card issuer rules. On May 20, 2013, the SEC and CFTC jointly adopted Regulation S-ID: Identity Theft Red Flags (“Regulation S-ID” or “Reg. S-ID”).⁴ The compliance date for Reg. S-ID was November 20, 2013.

Regulation S-ID requires financial institutions, including broker-dealers and investment advisers registered with the Commissions that offer or maintain one or more covered accounts, to develop and implement a written identity theft prevention program “that is designed to detect, prevent, and mitigate identity theft” in connection with the opening of a covered account or any existing covered account.⁵ The program “must be appropriate to the size and complexity of the financial institution … and the nature and scope of its activities.”⁶

Under Regulation S-ID, an identity theft prevention program must include reasonable policies and procedures to: (i) identify relevant “red flags” for the covered accounts and incorporate them into the program;⁷ (ii) detect the red flags that have been incorporated into the program; (iii) respond appropriately to any red flags that are detected pursuant to the program; and (iv) ensure that the program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the firm from identity theft.⁸

A written identity theft prevention program may incorporate by reference policies outside of the program in order to satisfy the requirements of Regulation S-ID, but such incorporation by reference must be explicit.⁹

With respect to the identification of relevant red flags, Regulation S-ID requires firms to consider several factors specific to the firm in order to identify red flags that are relevant to the firm’s business and the nature and scope of its activities, such as the types of covered accounts it offers or maintains, methods it provides to open covered accounts, methods it provides to access covered accounts, and its previous experiences with identity theft.¹⁰

Appendix A to Regulation S-ID, which contains guidelines intended to assist firms in the formulation and maintenance of an identity theft prevention program that satisfies the requirements of Regulation S-ID, lists categories of red flags that a firm should consider incorporating in its program “as appropriate.”¹¹ Supplement A to Appendix A further provides a non-comprehensive list of examples of red flags from each of these categories that the firm “may consider incorporating into its Program, whether singly or in combination … in connection with covered accounts.”¹² The firm must consider these examples of red flags and include in its identity theft prevention program those that are appropriate.¹³

With respect to responding to detected red flags in order to prevent and mitigate identity theft, Regulation S-ID requires an identity theft prevention program to include policies and procedures that “provide for appropriate responses” to detected red flags “that are commensurate with the degree of risk posed.”¹⁴ In determining an appropriate response, a firm “should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records … or notice that a customer provided account information” to someone under false pretenses.¹⁵

With respect to periodically updating a written identity theft prevention program, Appendix A provides that firms should consider factors such as: (i) the firm’s experiences with identity theft; (ii) changes in methods of identity theft; (iii) changes in methods to detect, prevent or mitigate identity theft; (iv) changes in the types of accounts offered or maintained; and (v) changes in the firm’s structure or service provider arrangements.¹⁶ 

Regulation S-ID also requires firms to provide for the continued administration of the written identity theft prevention program by training staff, as necessary, to effectively implement the program, and by exercising appropriate and effective oversight of service provider arrangements.¹⁷ With respect to the oversight of service provider arrangements in connection with one or more covered accounts, the firm should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.¹⁸ 

[Ed. Note: the foregoing discussion comes from the adopting release for Reg. S-ID and the orders discussed below.]

On July 27, 2022, the SEC announced (here) that it separately charged J.P. Morgan Securities LLC, UBS Financial Services Inc., and TradeStation Securities, Inc. for deficiencies in their programs to prevent customer identity theft, in violation of the Regulation S-ID.

According to the SEC’s orders (here, here and here), from at least January 2017 to October 2019, the firms’ identity theft prevention programs did not include reasonable policies and procedures to identify relevant red flags of identity theft in connection with customer accounts or to incorporate those red flags into their programs. In addition, the SEC found that the firms’ programs did not include reasonable policies and procedures to respond appropriately to detected identity theft red flags, or to ensure that the programs were updated periodically to reflect changes in identity theft risks to customers.

The JPMorgan order (here) also found that the firm failed to exercise appropriate and effective oversight of all service provider arrangements and failed to train staff to effectively implement one of its identify theft prevention programs in 2017. 

The UBS order (here) also found that the firm failed to periodically review new or existing types of customer accounts to determine whether and how its identity theft prevention program should apply to them; failed to adequately involve the board of directors in the oversight, development, implementation, and administration of the program; and failed to train its employees to effectively implement the program.

The TradeStation order (here) also found that the firm failed to adequately involve its board of directors in the oversight, development, implementation, and administration of its identity theft prevention program and failed to exercise appropriate and effective oversight of service provider arrangements.

The SEC found that each firm violated Rule 201 of Regulation S-ID. Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations of the charged provision, to be censured, and to pay the following penalties: JPMorgan: $1.2 million, UBS: $925,000, and TradeStation: $425,000.

“Regulation S-ID is designed to help protect investors from the risks of identity theft,” said Carolyn M. Welshhans, Acting Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Today’s actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft.”

Jeffrey M. Haber is a partner and co-founder of Freiberger Haber LLP.

This article is for informational purposes and is not intended to be and should not be taken as legal advice.

Footnotes

1. See, e.g., “U.S. Government Accountability Office, Information Security: Federal Guidance Needed To Address Control Issues With Implementing Cloud Computing (May 2010), available at http://www.gao.gov/new.items/d10513.pdf; Department of Commerce, Internet Policy Task Force, Commercial Data Privacy and Innovation In The Internet Economy: A Dynamic Policy Framework, at Section I (2010), available at http://www.ntia.doc.gov/reports/2010/iptf_privacy_greenpaper_12162010.pdf.
2. See 15 U.S.C. 1681–1681x.
3. See Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-159, 117 Stat. 1952 (2003).
4. See Release Nos. 34-69359, IA-3582, IC-30456 (May 20, 2013) (here).
5. 17 C.F.R. § 248.201(d)(1). The rule defines “identity theft” as a fraud committed or attempted using the identifying information of another person without authority. 17 C.F.R. § 248.201(b)(9).
6. 17 C.F.R. § 248.201(d)(1).
7. “Red flags” are defined as “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” 17 C.F.R. § 248.201(b)(10).
8. 17 C.F.R. § 248.201(d)(2)(i)-(iv).
9. 17 C.F.R. § 248.201 Appendix A, Section I.
10. 17 C.F.R. § 248.201, Appendix A, Section II(a).
11. These categories are: (i) alerts, notifications, or warnings received from consumer reporting agencies; (ii) suspicious documents, such as documents that appear to have been altered or forged; (iii) suspicious personal identifying information, such as a suspicious address change; (iv) unusual use of, or other suspicious activity related to, a covered account; and (v) notice from customers, victims of identity theft, or law enforcement authorities. 17 C.F.R. § 248.201, Appendix A, Section II(c).
12. 17 C.F.R. § 248.201, Appendix A, Supplement A.
13. 17 C.F.R. § 248.201(f).
14. 17 C.F.R. § 248.201(d)(2)(iii).
15. 17 C.F.R. § 248.201, Appendix A, Section IV.
16. 17 C.F.R. § 248.201, Appendix A, Section V.
17. 17 C.F.R. § 248.201(e)(3)-(4).
18. 17 C.F.R. § 248.201, Appendix A, Section VI(c).