SEC fines J.P. Morgan, UBS, TradeStation total of $2.5 million for lax ID theft prevention

The Securities and Exchange Commission announced Wednesday that it imposed a total of $2.5 million in fines on J.P. Morgan Securities, UBS Financial Services Inc. and TradeStation Securities Inc. for deficiencies related to their efforts to protect customers from identity theft.

The agency alleged that each firm lacked adequate policies and procedures to detect and respond to ID theft in customer accounts between approximately January 2017 and October 2019. The agency also said the firms failed to update their programs to reflect changes in ID theft risk.

The SEC charged each of the firms with violating the Identify Theft Red Flags Rules, also known as Regulation S-ID, which was finalized in 2013. The agency fined J.P. Morgan $1.2 million; UBS $925,000; and TradeStation $425,000.

“Regulation S-ID is designed to help protect investors from the risks of identity theft,” Carolyn M. Welshhans, acting chief of the SEC Enforcement Division’s crypto assets and cyber unit, said in a statement. “Today’s actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft.”

The firms neither admitted nor denied the SEC’s findings. In addition to the penalties, they agreed to cease and desist from future violations of the SEC ID theft rule and to a censure.

UBS said it has fixed the problem the SEC case highlighted.

“UBS is pleased to have resolved this matter regarding certain aspects of its legacy Identity Theft Prevention Program,” UBS spokesperson Jonathan Humphreys said in a statement. “Protecting the privacy and security of our client data is of the utmost importance to UBS. The SEC did not find that any clients were impacted and acknowledged that UBS had made substantial enhancements to its program.”

Spokespersons for J.P. Morgan and TradeStation did not respond to requests for comment.

The SEC also found deficiencies at the firms related to service provider arrangements, staff training and the involvement of their boards in the oversight, development and implementation of an ID theft program. SOURCE