- J.P. Morgan Securities grabbed language and examples from the federal Identity Theft Red Flags Rule and called that part of its identity-theft policy, the Securities and Exchange Commission said in announcing a settlement agreement with the company last week for violating Regulation S-ID.
- The SEC credited the company for its handling of identity theft risks but its approach was independent of its written policy.
- “Although JPMS did take actions to detect and respond to potential and actual incidents of identity theft, the procedures describing those actions were not included or incorporated by reference in [its policy],” the agency said. The company agreed to settle for a $1.2 million fine.
The SEC promulgated Regulation S-ID in 2013 after identity-theft laws were expanded as part of Dodd-Frank banking reform in 2010. The law requires financial institutions and broker-dealers to have written policies to prevent bad actors from assuming customers’ identities to access their accounts.
Red flags typically include documents that appear to have been altered or forged and suspicious address changes.
The policies that J.P. Morgan wrote for its two covered lines of business appeared to be perfunctory, the SEC suggested.
“Both Programs merely (i) restated the general legal requirements (such as ‘identify relevant red flags’ and ‘respond appropriately to any red flags that are detected to prevent and mitigate identity theft’), [and] (ii) listed verbatim all the illustrative examples of identity theft red flags provided in Appendix A to Regulation S-ID,” the agency said.
What’s more, none of the policies explained how the company was to identify any of the red flags or respond to them to prevent and remediate identity theft, the SEC said.
Nor did the policies contain anything on keeping the policies updated if the company identified new red flags based on its customers’ experiences, among other weaknesses.
In the settlement agreement, the SEC credited the company for auditing and then revising its programs to address the weaknesses. In addition to improving its policies and procedures, it added greater oversight of its service providers and improved training, two other identified weaknesses.
"Today’s actions are reminders that [companies] must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft," Carolyn Welshhans, acting chief of SEC’s cyber enforcement unit, said in a statement.