SEC Charges JPMorgan, UBS, TradeStation Over Identity Theft Protection Deficiencies

The Securities and Exchange Commission settled charges against J.P. Morgan Securities, UBS Financial Services, and TradeStation Securities for deficiencies in their programs to prevent customer identity theft, in violation of the SEC’s Identity Theft Red Flags Rule (Regulation S-ID).

The SEC’s orders find that each firm violated Rule 201 of Regulation S-ID. Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations of the charged provision and to be censured. JPMorgan will pay a $1.2 million penalty; UBS, a $925,000 penalty; and TradeStation, a $425,000 penalty.

According to the SEC’s orders, from at least January 2017 to October 2019, the identity theft prevention programs of all three firms lacked reasonable policies and procedures to identify relevant red flags and incorporate those red flags into their programs; respond appropriately to detected red flags to prevent and mitigate identity theft; and ensure that the programs were updated periodically to reflect changes in identity theft risks to customers.

In the JPMorgan consent order, the SEC further found that the firm failed to exercise appropriate and effective oversight of all service provider arrangements and to train staff to effectively implement its identity theft prevention program in 2017.

In the UBS consent order, the SEC found the firm failed to “periodically review new or existing accounts to determine whether they were covered accounts; failed to adequately involve the board of directors or a senior management level employee “in the oversight, development, implementation, and administration of the program,” and failed to train its employees to effectively implement the program.”

In the TradeStation consent order, the SEC found the firm similarly “failed to adequately involve its board of directors in the oversight, development, implementation, and administration of its identity theft prevention program,” as well as failed to exercise appropriate and effective oversight of service provider arrangements.

In a press release, Carolyn Welshhans, acting chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, said the actions “are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft.”


Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.
