JPMorgan, UBS among trio accused of shoddy ID theft protection

SEC extracts pocket change from bankers, wags finger, sends them on their way


JPMorgan Securities, UBS Financial Services, and TradeStation Securities aren't doing enough to thwart crooks who want to steal customers' identity, says America's financial watchdog.

The SEC on Wednesday announced it charged the investment management firms with deficiencies in their identity theft prevention systems. These systems are supposed to stop fraudsters from, say, opening accounts in their victims' names.

All three have been fined with no admission of liability: JPMorgan will pay $1.2 million, UBS will cough up $925,000, and TradeStation's penalty totals $425,000.

To put these figures in perspective, JPMorgan Chase posted $48.3 billion in profit [PDF] last year, UBS' annual profit hit $7.5 billion in 2021, and TradeStation recorded a $31.7 million net loss (from $210 million revenue) for its most recent fiscal year.

In other words: a mild annoyance rather than a deterrent.

In addition to the money, the three firms promised to stay on the right side of the law. Crucially, the trio did not "admit or deny" the SEC's allegations they broke Rule 201 of Regulation S-ID, which requires the trading outfits to have in place measures "designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account."

The SEC said its investigators found that, between January 2017 and October 2019, the three firms' identity theft prevention programs did not include "reasonable policies and procedures" to, among other things, detect red flags indicating likely identity theft, and then prevent and mitigate this risk.

Specific to JPMorgan, the watchdog claimed [PDF] the financial giant failed to "exercise appropriate and effective oversight of all service provider arrangements," and that it didn't train staff on how to implement its identity theft prevention program.

Meanwhile, UBS also didn't provide sufficient training for its employees and failed to review customer accounts to see if its identity theft prevention program should apply to them, according to the SEC [PDF]. 

Additionally, the regulator said both UBS and TradeStation [PDF] failed to involve their boards of directors in the development and administration of their identity theft prevention programs.

"Today's actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft," Carolyn Welshhans, acting chief of the SEC enforcement division's crypto-assets and cyber unit, said in a canned statement.

The SEC allegations come as identity theft becomes a growing problem for individuals and businesses, according to the FBI's most recent annual Internet Crime Report.

The study revealed 51,629 identity theft complaints were made last year to the Feds, compared to 43,330 in 2020 — that's a 19 percent increase. These crimes cost businesses and individuals more than $278 million in losses last year, according to the bureau.
