In 1975, around the time of “May Day” (1 May 1975), which brought the end of fixed commission rates and the birth of registered clearing agencies for securities trading (1976), the U. S. Securities and Exchange Commission (“SEC”) created a designated unit to deal with the growth of trading and the oversight of broker/dealers. That unit, the Office of Compliance Inspections and Examinations (the “OCIE”), evolved and grew over time. It regularly issued Risk Alerts on specific topics aimed at Broker/Dealers and/or Investment Advisers, expecting that those addressees would take appropriate steps to prevent the occurrence of the identified risk, or at least mitigate its impact on customers. On Sept. 15, 2020, the OCIE issued a Risk Alert entitled “Cybersecurity: Safeguarding Client Accounts against Credential Compromise,” which emphasized the importance of compliance with SEC Regulation S-ID, the “Identity Theft Red Flags Rule,” adopted May 20, 2013, under Sections of the Securities Exchange Act of 1934 (the “34 Act”) and the Investment Advisers Act of 1940, as amended (the “40 Act”). See, in that connection, the discussion of this and related SEC cyber regulations in my Nov. 19, 2020, Blog “Credential Stuffing: Cyber Intrusions into Client Accounts of Broker/Dealers and Investment Advisors.”
The SEC was required to adopt Regulation S-ID by a provision in the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, which amended a provision of the Fair Credit Reporting Act of 1970 (“FCRA”) to add both the SEC and the Commodity Futures Trading Commission to the federal agencies that must have “red flag” rules. That “red flag” requirement for the seven federal prudential bank regulators and the Federal Trade Commission was made part of the FCRA by a 2003 amendment. Until Wednesday, July 27, 2022, the SEC had (despite the Sept. 15, 2020, Risk Alert) brought only one enforcement action for violating the “Red Flag” Rule (in 2018 when customers of the firm involved suffered harm from the identity thefts). In 2017, however, the Commission created a new unit in its Division of Enforcement to better address the growing risks of cyber intrusion in the U.S. capital markets, the Crypto Assets and Cyber Unit (“CACU”). That unit almost doubled in size recently with the addition of 20 newly assigned persons, as reported in an SEC Press Release of May 3, 2022. There the Commission stated the Unit “will continue to tackle the omnipresent cyber-related threats in the nation’s [capital] markets.” Also, underscoring the ever-increasing role played by the SEC in overseeing the operations of broker/dealers and investment advisers, the OCIE was renamed the Division of Examinations (“Exams”) on Dec. 17, 2020, elevating an “Office” of the SEC to a “Division.”
Examinations of three broker/dealers by personnel from Exams led the CACU to investigate all three, resulting in the institution of Administrative and Cease-and Desist Proceedings against each of the respondents for violations of Regulation S-ID. In those proceedings, the Commission alleged that the Identity Theft Protection Program (“ITPP”), which each respondent was required to have, was deficient. Regulation S-ID, including its Appendix A, sets forth both the requirements for an ITPP and types of red flags the Program should consider, and in Supplement A to Appendix A, includes examples of red flags from each category of possible risks. An ITPP must be in writing and should contain the following:
- Reasonable policies and procedures to identify, detect and respond appropriately to relevant red flags of the types likely to arise considering the firm’s business and the scope of its brokerage and/or advisory activities; and those policies and procedures should specify the responsive steps to be taken; broad generalizations will not suffice. Those policies and procedures should also describe the firm’s practices with respect to theft identification, prevention, and response, and direct that the firm document the steps to be taken in each case.
- Requirements for periodic updates of the Program, including updates reflecting the firm’s experience with both a) identity theft; and b) changes in the firm’s business. In addition, the updates should address changes in the types and mechanisms of cybersecurity risks the firm might plausibly encounter.
- Requirements for periodic review of the types of accounts offered and the risks associated with each type.
- Provisions directing at least annual reports to the firm’s board of directors, and/or senior management, addressing the program’s effectiveness, including identity theft-related incidents and management responses to them.
- Provisions for training of staff in identity theft and the responses required by the firm’s ITPP.
- Requirements for monitoring third party service providers for compliance with identity theft provisions that meet those of the firm’s program.
The ITPP of each of the three broker/dealers was, as noted, found deficient. The first, J.P. Morgan Securities, LLC (“MORGAN”), organized under Delaware law and headquartered in New York, New York, is a wholly owned subsidiary of JPMorgan Chase & Co. (described by the Commission as “a global financial services firm” in its July 27, 2022, Order Instituting Administrative and Cease-and-Desist Proceedings [the “Morgan Order”]). Morgan is registered with the Commission as both a broker/dealer (since Dec. 13, 1985) and an investment adviser (since April 3, 1965). As recited in the Morgan Order, the SEC found Morgan offered and maintained customer accounts “primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions.” The order further notes that from Jan. 1, 2017, through Dec. 31, 2019, Morgan’s ITPP did not meet the requirements of Regulation S-ID because it “merely restated the general legal requirements” and did not specify how Morgan would identify a red flag or direct how to respond to it. The Morgan Order notes that although Morgan did take action to detect and respond to incidents of identity theft, the procedures followed were not in Morgan’s Program. Further, Morgan did not periodically update its program, even as both the types of accounts offered, and the extent of cybersecurity risks changed. The SEC also found Morgan did not adequately monitor its third-party service providers, and it failed to provide any identity theft-specific training to its staff. As a result, Morgan had violated Regulation S-ID. The order noted that Morgan “has undertaken substantial remedial acts, including auditing and revising … [its Program].” Nonetheless, Morgan was ordered to cease and desist from violating Regulation S-ID, was censured, and was ordered to pay a civil penalty of $1.2 million.
The second broker/dealer charged was UBS Financial Services Inc.(“UFS”), a Delaware corporation dually registered with the Commission as both a broker/dealer and an investment adviser since 1971. UFS, headquartered in Weehawken, New Jersey, is a subsidiary of UBS Group AG, a publicly traded major financial institution incorporated in Switzerland. In 2008, UBF adopted an ITPP (the “UBF Program”) pursuant to the 2003 amendments to the FCRA. The program applied both to UBF and to other affiliated entities and branch offices in the U.S. and Puerto Rico “which offered private and retail banking, mortgage, and private investment services that operated under UBS Group AG’s Wealth Management Americas’ line of business.” See my blog published on Aug. 22, 2022, “Only Sell What You Know: Swiss Bank Negligence is a Fraud on Clients,” for information about the origins and history of UBS Group AG.
The July 27, 2022, SEC Order instituting Administrative and Cease-and-Desist Proceedings against UBF (the “UBF Order”) stated that UBF made no change to the UBF Program when, in 2013, it became subject to Regulation S-ID, or thereafter from Jan. 1, 2017, to Dec. 31, 2019, other than to revise the list of entities and branches it covered. The Commission found UBF failed to update the UBF Program even as the accounts it offered changed, and without considering if some accounts offered by affiliated entities and branches are not “covered accounts” within regulation S-ID. The UBF Program did not have reasonable policies and procedures to identify red flags, taking into consideration account types and attendant risks, and did not specify what responses were required. The SEC also found the program wanting for not providing for periodic updates, especially addressing changes in accounts and/or in cybersecurity risks. The annual reports to the board of directors “did not provide sufficient information” to assess the UBF Program’s effectiveness or the adequacy of UBF’s monitoring of third-party service providers; indeed, the UBF Order notes the “board minutes do not reflect any discussion of compliance with Regulation S-ID.” In addition, UBF “did not conduct any training of its staff specific” to the UBF Program, including how to detect and respond to red flags. As a result, the Commission found UBF in violation of Regulation S-ID. Although the Commission again noted the “substantial remedial acts” undertaken by UBF, including retaining “an outside consulting firm to review its Program” and to recommend change, the SEC nonetheless ordered UBF to cease and desist from violating the Regulation, censured UBF, and ordered it to pay a civil penalty of $925,000.
The third member of this broker/dealer trio is TradeStation Securities, Inc. (“TSS”), a Florida corporation headquartered in Plantation, Florida, that, according to the July 27, 2022, SEC Order Instituting Administrative and Cease-and-Desist Proceedings (the “TSS Order”), “provides primarily commission-free, directed online brokerage services to retail and institutional customers.” TSS has been registered with the SEC as a broker/dealer since January 1996. Their ITPP, too, was found deficient. The ITPP implemented by TSS (the “TSS Program”) essentially ignored the reality of TSS’s business as an online operation. For instance, the TSS Program cited only the red flags offered as “non-comprehensive examples in Supplement A to Appendix A” and not any “relevant to its business and the nature and scope of its brokerage activities.” Hence, the TSS Program cited the need to confirm the physical appearance of customers to make certain it was consistent with photographs or physical descriptions in the file. But an online broker/dealer would have scant opportunity to see a customer or a new customer in person, even when opening an account. Nor did TSS check the Supplement A red flag examples cited in the TSS Program when opening new customer accounts. The TSS Program directed only that “additional due diligence” should be performed if a red flag were identified, rather than directing specific responsive steps to be taken, such as not opening an account in a questionable situation. There were no requirements for periodic updates of the TSS Program. Indeed, “there were no material changes to the Program” after May 20, 2013, “despite significant changes in external cybersecurity risks related to identity theft.” At this point in the TSS Order, the Commission cited a finding in the Federal Register that “[a]dvancements in technology … have led to increasing threats to the integrity … of personal information.” The SEC found that TSS did not provide reports about the TSS Program and compliance with Regulation S-ID either to the TSS board or to a designated member of senior management, and that TSS had no adequate policies and procedures in place to monitor third-party service providers for compliance with detecting and preventing identity theft. The order is silent on the extent of TSS’s training of staff to deal with identity threats, but considering the other shortcomings, presumably such training was at best haphazard. The Commission found that TSS violated Regulation S-ID. Although the TSS Order noted (as with the other Proceedings) the “substantial remedial acts” undertaken by TSS, including retaining “an outside consulting firm” to aid compliance, the Commission nonetheless ordered TSS to cease-and-desist from violating the Regulation, censured TSS, and ordered it to pay a civil penalty of $425,000.
These three enforcement actions on the same day, especially ones involving two of the world’s leading financial institutions, signal a new level of attention by the Commission to cybersecurity risks to customers of broker/dealers and investment advisers, with a focus on the risks inherent in identity theft. As one leading law firm writing about these three actions advised, “[f]irms should review their ITPPs placing particular emphasis on identifying red flags tailored to their business and on conducting regular compliance reviews to update those red flags and related policies and procedures to reflect changes in business practices and risk.” That sound advice should be followed NOW, before the CACU comes calling.
For more Financial, Securities, and Banking Law news, click here to visit the National Law Review.