JPMorgan, UBS among trio accused of shoddy ID theft protection

JPMorgan Securities, UBS Financial Services, and TradeStation Securities aren't doing enough to thwart crooks who want to steal customers' identity, says America's financial watchdog.

The SEC on Wednesday announced it charged the investment management firms with deficiencies in their identity theft prevention systems. These systems are supposed to stop fraudsters from, say, opening accounts in their victims' names.

All three have been fined with no admission of liability: JPMorgan will pay $1.2 million, UBS will cough up $925,000, and TradeStation's penalty totals $425,000.

To put these figures in perspective, JPMorgan Chase posted $48.3 billion in profit [PDF] last year,  UBS' annual profit hit $7.5 billion in 2021, and TradeStation recorded a $31.7 million net loss (from $210 million revenue) for its most recent fiscal year.

In other words: a mild annoyance rather than a deterrent.

In addition to the money, the three firms promised to stay on the right side of the law. Crucially, the trio did not "admit or deny" the SEC's allegations they broke Rule 201 of Regulation S-ID, which requires the trading outfits to have in place measures “designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account."

The SEC said its investigators found that, between January 2017 and October 2019, the three firms' identity theft prevention programs did not include "reasonable policies and procedures" to, among other things, detect red flags indicating likely identity theft, and then prevent and mitigate this risk.

• Info on 1.5m people stolen from US bank in cyberattack
• Feds raid dark web market selling data on 24 million Americans
• FBI: Cyber-scams cost victims $6.9b-plus worldwide in 2021
• There are 24.6 billion pairs of credentials for sale on dark web

Specific to JPMorgan, the watchdog claimed [PDF] the financial giant failed to "exercise appropriate and effective oversight of all service provider arrangements," and that it didn't train staff on how to implement its identity theft prevention program.

Meanwhile, UBS also didn't provide sufficient training for its employees and failed to review customer accounts to see if its identity theft prevention program should apply to them, according to the SEC [PDF]. 

Additionally, the regulator said both UBS and TradeStation [PDF] failed to involve their boards of directors in the development and administration of their identity theft prevention programs.

"Today's actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft," Carolyn Welshhans, acting chief of the SEC enforcement division's crypto-assets and cyber unit, said in a canned statement.

The SEC allegations come as identity theft becomes a growing problem for individuals and businesses, according to the FBI's most recent annual Internet Crime Report.

The study revealed 51,629 identity theft complaints were made last year to the Feds, compared to 43,330 in 2020 — that's a 19 percent increase. These crimes cost businesses and individuals more than $278 million in losses last year, according to the bureau. ®