“Red Flags in the Mind Set”: SEC Sanctions Three Broker/Dealers for Identity Theft Deficiencies

In 1975, around the time of “May Day” (1 May 1975), which brought the end of fixed commission rates and the birth of registered clearing agencies for securities trading (1976), the U.S. Securities and Exchange Commission (“SEC”) created a designated unit to deal with the growth of trading and the oversight of broker/dealers. That unit, the Office of Compliance Inspections and Examinations (the “OCIE”), evolved and grew over time. It regularly issued Risk Alerts on specific topics aimed at broker/dealers and/or investment advisers, expecting that those addressees would take appropriate steps to prevent the occurrence of the identified risk, or at least mitigate its impact on customers. On Sept. 15, 2020, the OCIE issued a Risk Alert entitled “Cybersecurity: Safeguarding Client Accounts against Credential Compromise,” which emphasized the importance of compliance with SEC Regulation S-ID, the “Identity Theft Red Flags Rule,” adopted May 20, 2013, under sections of the Securities Exchange Act of 1934 (the “34 Act”) and the Investment Advisers Act of 1940, as amended (the “40 Act”). See, in that connection, the discussion of this and related SEC cyber regulations in my Nov. 19, 2020, blog “Credential Stuffing: Cyber Intrusions into Client Accounts of Broker/Dealers and Investment Advisors.”

The SEC was required to adopt Regulation S-ID by a provision in the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, which amended a provision of the Fair Credit Reporting Act of 1970 (“FCRA”) to add both the SEC and the Commodity Futures Trading Commission to the federal agencies that must have “red flag” rules. That “red flag” requirement for the seven federal prudential bank regulators and the Federal Trade Commission was made part of the FCRA by a 2003 amendment. Until Wednesday, July 27, 2022, the SEC had (despite the Sept. 15, 2020, Risk Alert) brought only one enforcement action for violating the “Red Flag” Rule (in 2018 when customers of the firm involved suffered harm from the identity thefts). In 2017, however, the Commission created a new unit in its Division of Enforcement to better address the growing risks of cyber intrusion in the U.S. capital markets, the Crypto Assets and Cyber Unit (“CACU”). That unit almost doubled in size recently with the addition of 20 newly assigned persons, as reported in an SEC Press Release of May 3, 2022. There the Commission stated the Unit “will continue to tackle the omnipresent cyber-related threats in the nation’s [capital] markets.” Also, underscoring the ever-increasing role played by the SEC in overseeing the operations of broker/dealers and investment advisers, the OCIE was renamed the Division of Examinations (“Exams”) on Dec. 17, 2020, elevating an “Office” of the SEC to a “Division.”

Examinations of three broker/dealers by personnel from Exams led the CACU to investigate all three, resulting in the institution of Administrative and Cease-and-Desist Proceedings against each of the respondents for violations of Regulation S-ID. In those proceedings, the Commission alleged that the Identity Theft Protection Program (“ITPP”), which each respondent was required to have, was deficient. Regulation S-ID, including its Appendix A, sets forth both the requirements for an ITPP and the types of red flags the Program should consider, and in Supplement A to Appendix A, includes examples of red flags from each category of possible risks. An ITPP must be in writing and should contain the following:

  1. Reasonable policies and procedures to identify, detect and respond appropriately to relevant red flags of the types likely to arise considering the firm’s business and the scope of its brokerage and/or advisory activities; and those policies and procedures should specify the responsive steps to be taken; broad generalizations will not suffice. Those policies and procedures should also describe the firm’s practices with respect to theft identification, prevention, and response, and direct that the firm document the steps to be taken in each case.
  2. Requirements for periodic updates of the Program, including updates reflecting the firm’s experience with both a) identity theft; and b) changes in the firm’s business. In addition, the updates should address changes in the types and mechanisms of cybersecurity risks the firm might plausibly encounter.
  3. Requirements for periodic review of the types of accounts offered and the risks associated with each type.
  4. Provisions directing at least annual reports to the firm’s board of directors, and/or senior management, addressing the program’s effectiveness, including identity theft-related incidents and management responses to them.
  5. Provisions for training of staff in identity theft and the responses required by the firm’s ITPP.
  6. Requirements for monitoring third-party service providers for compliance with identity theft provisions that meet those of the firm’s program.

The ITPP of each of the three broker/dealers was, as noted, found deficient. The first, J.P. Morgan Securities, LLC (“Morgan”), organized under Delaware law and headquartered in New York, New York, is a wholly owned subsidiary of JPMorgan Chase & Co. (described by the Commission as “a global financial services firm” in its July 27, 2022, Order Instituting Administrative and Cease-and-Desist Proceedings [the “Morgan Order”]). Morgan is registered with the Commission as both a broker/dealer (since Dec. 13, 1985) and an investment adviser (since April 3, 1965). As recited in the Morgan Order, the SEC found Morgan offered and maintained customer accounts “primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions.” The order further notes that from Jan. 1, 2017, through Dec. 31, 2019, Morgan’s ITPP did not meet the requirements of Regulation S-ID because it “merely restated the general legal requirements” and did not specify how Morgan would identify a red flag or direct how to respond to it. The Morgan Order notes that although Morgan did take action to detect and respond to incidents of identity theft, the procedures followed were not in Morgan’s Program. Further, Morgan did not periodically update its program, even as both the types of accounts offered and the extent of cybersecurity risks changed. The SEC also found Morgan did not adequately monitor its third-party service providers, and it failed to provide any identity theft-specific training to its staff. As a result, Morgan had violated Regulation S-ID. The order noted that Morgan “has undertaken substantial remedial acts, including auditing and revising … [its Program].” Nonetheless, Morgan was ordered to cease and desist from violating Regulation S-ID, was censured, and was ordered to pay a civil penalty of $1.2 million.

The second broker/dealer charged was UBS Financial Services Inc. (“UBF”), a Delaware corporation dually registered with the Commission as both a broker/dealer and an investment adviser since 1971. UBF, headquartered in Weehawken, New Jersey, is a subsidiary of UBS Group AG, a publicly traded major financial institution incorporated in Switzerland. In 2008, UBF adopted an ITPP (the “UBF Program”) pursuant to the 2003 amendments to the FCRA. The program applied both to UBF and to other affiliated entities and branch offices in the U.S. and Puerto Rico “which offered private and retail banking, mortgage, and private investment services that operated under UBS Group AG’s Wealth Management Americas’ line of business.” See my blog published on Aug. 22, 2022, “Only Sell What You Know: Swiss Bank Negligence is a Fraud on Clients,” for information about the origins and history of UBS Group AG.

The July 27, 2022, SEC Order Instituting Administrative and Cease-and-Desist Proceedings against UBF (the “UBF Order”) stated that UBF made no change to the UBF Program when, in 2013, it became subject to Regulation S-ID, or thereafter from Jan. 1, 2017, to Dec. 31, 2019, other than to revise the list of entities and branches it covered. The Commission found UBF failed to update the UBF Program even as the accounts it offered changed, and without considering whether some accounts offered by affiliated entities and branches were not “covered accounts” within Regulation S-ID. The UBF Program did not have reasonable policies and procedures to identify red flags, taking into consideration account types and attendant risks, and did not specify what responses were required. The SEC also found the program wanting for not providing for periodic updates, especially addressing changes in accounts and/or in cybersecurity risks. The annual reports to the board of directors “did not provide sufficient information” to assess the UBF Program’s effectiveness or the adequacy of UBF’s monitoring of third-party service providers; indeed, the UBF Order notes the “board minutes do not reflect any discussion of compliance with Regulation S-ID.” In addition, UBF “did not conduct any training of its staff specific” to the UBF Program, including how to detect and respond to red flags. As a result, the Commission found UBF in violation of Regulation S-ID. Although the Commission again noted the “substantial remedial acts” undertaken by UBF, including retaining “an outside consulting firm to review its Program” and to recommend change, the SEC nonetheless ordered UBF to cease and desist from violating the Regulation, censured UBF, and ordered it to pay a civil penalty of $925,000.

The third member of this broker/dealer trio is TradeStation Securities, Inc. (“TSS”), a Florida corporation headquartered in Plantation, Florida, that, according to the July 27, 2022, SEC Order Instituting Administrative and Cease-and-Desist Proceedings (the “TSS Order”), “provides primarily commission-free, directed online brokerage services to retail and institutional customers.” TSS has been registered with the SEC as a broker/dealer since January 1996. Its ITPP, too, was found deficient. The ITPP implemented by TSS (the “TSS Program”) essentially ignored the reality of TSS’s business as an online operation. For instance, the TSS Program cited only the red flags offered as “non-comprehensive examples in Supplement A to Appendix A” and not any “relevant to its business and the nature and scope of its brokerage activities.” Hence, the TSS Program cited the need to confirm that the physical appearance of customers was consistent with photographs or physical descriptions in the file. But an online broker/dealer would have scant opportunity to see a customer or a new customer in person, even when opening an account. Nor did TSS check the Supplement A red flag examples cited in the TSS Program when opening new customer accounts. The TSS Program directed only that “additional due diligence” should be performed if a red flag were identified, rather than directing specific responsive steps to be taken, such as not opening an account in a questionable situation. There were no requirements for periodic updates of the TSS Program. Indeed, “there were no material changes to the Program” after May 20, 2013, “despite significant changes in external cybersecurity risks related to identity theft.” At this point in the TSS Order, the Commission cited a finding in the Federal Register that “[a]dvancements in technology … have led to increasing threats to the integrity … of personal information.” The SEC found that TSS did not provide reports about the TSS Program and compliance with Regulation S-ID either to the TSS board or to a designated member of senior management, and that TSS had no adequate policies and procedures in place to monitor third-party service providers for compliance with detecting and preventing identity theft. The order is silent on the extent of TSS’s training of staff to deal with identity threats, but considering the other shortcomings, presumably such training was at best haphazard. The Commission found that TSS violated Regulation S-ID. Although the TSS Order noted (as with the other Proceedings) the “substantial remedial acts” undertaken by TSS, including retaining “an outside consulting firm” to aid compliance, the Commission nonetheless ordered TSS to cease and desist from violating the Regulation, censured TSS, and ordered it to pay a civil penalty of $425,000.

These three enforcement actions on the same day, especially ones involving two of the world’s leading financial institutions, signal a new level of attention by the Commission to cybersecurity risks to customers of broker/dealers and investment advisers, with a focus on the risks inherent in identity theft. As one leading law firm writing about these three actions advised, “[f]irms should review their ITPPs placing particular emphasis on identifying red flags tailored to their business and on conducting regular compliance reviews to update those red flags and related policies and procedures to reflect changes in business practices and risk.” That sound advice should be followed NOW, before the CACU comes calling.


©2022 Norris McLaughlin P.A., All Rights Reserved

New York Enhances Employee and Consumer Privacy Rights Under its Social Security Number Protection Law

Four years ago, New York enacted a Social Security Number Protection Law, N.Y. Gen. Bus. Law, §399-dd, aimed at combating identity theft by requiring employers to better safeguard employee social security numbers in their possession. Now, New York is going one step further with its passage of two new Social Security Number Protection laws.

First, a note: as of November 12, 2012, §399-dd – the original Social Security Number Protection Law – will be re-codified as new §399-ddd, which will also incorporate the statutory language of the first of these two new laws, prohibiting employers from hiring inmates for any job that would give them access to the social security numbers of other individuals.

The second law, which is codified as a separate new §399-ddd, enhances the requirements for safeguarding employee social security numbers while also adding similar protections for consumers. This law prohibits companies from requiring employees and consumers to disclose their social security numbers, and from refusing any service, privilege or right to the employee or customer for declining to make that disclosure, unless (i) required by law, (ii) subject to one of its many exceptions, or (iii) encrypted by the employer. This law also applies to any numbers derived from the individual’s social security number, which means that it extends, for example, to situations where the company asks the individual for the last four digits of their number. It is unclear whether this law will prove effective in accomplishing its objectives.

First, it contains an exception with the potential to swallow the rule – where the individual consents to the use of the social security number, which many individuals may freely provide absent knowledge of this law’s protections. Even with an employee’s consent, however, employers must still be mindful that other provisions of the original Social Security Number Protection Law require them to institute certain safeguards to protect against the number’s disclosure. And further, even if the employer obtains the employee’s consent, the original law still prohibits employers from utilizing an employee’s social security account number on any card or tag required for the individual to access products, services or benefits provided by the employer.

Second, the penalties for violations are minimal – up to $500 for the first violation and $1,000 for each violation thereafter – and can be avoided where the employer shows the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations. Further, there is no private right of action, and only the Attorney General can enforce the law.

Governor Cuomo signed the acts into law on August 14, 2012.  The inmate law will take effect on November 12, 2012 and the disclosure law will take effect thirty days later on December 12, 2012.  Now if he would only sign the recently passed wage deduction law.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

The Growing Corporate Threat of Taxpayer Identity Theft Fraud

The National Law Review recently published an article by Latour “LT” Lafferty of Fowler White Boggs P.A. regarding identity theft:

Identity theft continues to be a growing problem nationwide, but particularly in Florida, which continues to lead the nation per capita in reported incidents of identity theft according to the Federal Trade Commission (FTC), a national clearinghouse for consumer fraud complaints. Taxpayer identity theft fraud, a subset of identity theft in general, is the most prevalent form of identity theft according to the FTC, which reported that tax-related identity theft incidents increased from 51,702 in 2008 to 248,357 in 2010. This is a dramatic increase from the 35,000 instances of employment-related identity theft cases reported in 2007.

Taxpayer identity theft fraud involves not only the theft of someone’s identity but also the filing of a fraudulent tax return using the victim’s social security number to receive a tax refund often totaling more than $9,000.00. The IRS identified and prevented the issuance of more than $14 billion in fraudulent refunds in 2011. A 2008 report issued by the Treasury Inspector General for Tax Administration (TIGTA), an IRS watchdog, stated that the prevention of taxpayer identity theft fraud is an employer’s issue involving the security of their systems and data. According to TIGTA, 938,664 of the 2.1 million fraudulent tax returns filed in 2011 involved identity theft and totaled $6.5 billion. The stolen information includes the person’s name, date of birth and social security number or Medicare beneficiary number.

The latest twist, however, is that your own employees are in on the crime, as law enforcement agencies are reporting that employees at many businesses that compile personal information are misappropriating and selling the information to thieves who are filing fraudulent tax returns. The Centers for Medicare and Medicaid Services (CMS) issued a Fraud Alert in February 2012 warning healthcare providers that perpetrators are misappropriating the identities of Medicare beneficiaries from “employers, schools, hospitals, and prisons,” but any business that stores personal information is at risk from current or prospective employees. Recent law enforcement arrests report finding suspects with massive quantities of tax refunds and lists of prospective employers to apply to for jobs with the specific intent of stealing taxpayer identities from their databases.

The reality of this emerging threat is that perpetrators are actually targeting organizations for employment so that they can specifically breach their data security and commit identity theft and aid those committing tax refund fraud. These organizations have not only a fiduciary and legal duty to safeguard that personal information, but also a legal duty to notify those consumers whom they can reasonably identify that their personal information has been stolen.

©2002-2012 Fowler White Boggs P.A.

Identity Theft Continues to Top FTC’s List of Consumer Complaints

Recently, The National Law Review published an article by Rachel Hirsch of Ifrah Law regarding the FTC’s top consumer complaints:

For more than a decade, the Federal Trade Commission has been releasing its list of the top ten categories of consumer complaints received by the agency in the previous year. This list always serves as a good indication of the areas toward which the FTC may choose to direct its resources and increase its scrutiny.

For the 12th year in a row, identity theft was the number one complaint received by the FTC. Out of more than 1.8 million complaints the FTC received last year, 15% – or 279,156 – were about identity theft. Of those identity theft complaints, close to 25 percent were related to tax or wage-related fraud. The number of complaints related to identity theft actually declined in 2011 from the previous year, but this type of fraud still topped the list.

Most identity theft complaints came from consumers reporting that their personal information was stolen and used in government documents — often to fraudulently collect government benefits. Complaints about government document-related identity theft have increased 11% since 2009 and represented 27% of identity theft complaints last year. These numbers are likely to increase as concerns about consumer data privacy continue to garner the attention of the FTC.

After ID theft, the FTC’s top consumer complaints for 2011 were as follows:

• Debt collection complaints
• Prizes, sweepstakes, and lotteries
• Shop-at-Home and catalog sales
• Banks and lenders
• Internet services
• Auto-related complaints
• Imposter scams
• Telephone and mobile services
• Advance-fee loans and credit protection or repair

While credit cards are intertwined with many of the above complaints, complaints about credit cards themselves are noticeably absent from the 2011 list. In past years, credit card fraud was a major source of complaints from consumers. The drop in credit card-fraud-related complaints, however, is not surprising given the passage of the Credit CARD Act of 2009. This landmark federal legislation banned interest rate hikes “at any time for any reason” and limited the instances when rates on existing card balances could be hiked by issuers. The law also required lenders to give customers at least 45 days advance notice of significant changes in terms to allow card users time to shop around for better terms.

With the upcoming changes to the FTC’s advertising guidelines, there may very well be new additions to the consumer complaint list next year. Those complaints that already appear on the list are also likely to receive increased scrutiny.

© 2012 Ifrah PLLC