Compliance
Compliance Corner: TradeStation, JP Morgan Securities; UBS Financial Services

The latest compliance news: regulatory developments, punishments, guidance, permissions and new product and service offerings.
Last week, the Securities
and Exchange Commission separately charged JP Morgan
Securities LLC, UBS Financial Services, and TradeStation
Securities for deficiencies in their programs to prevent customer
identity theft.
The SEC said that from “at least January 2017 to October
2019,” the firms’ identity theft prevention programs did not
include reasonable policies and procedures to identify relevant
red flags of identity theft in connection with customer accounts
or to incorporate those red flags into their programs.
Without admitting or denying the SEC’s findings, each firm agreed
to cease and desist from future violations of the charged
provision, to be censured, and to pay the following penalties: JP
Morgan: $1.2 million, UBS: $925,000, and TradeStation:
$425,000.
The regulator also said that the firms’ programs did not include
reasonable policies and procedures to respond appropriately to
detected identity theft red flags, or to ensure that the programs
were updated periodically to reflect changes in identity theft
risks to customers.
The watchdog’s actions come at a time when regulators are seeking
to thwart cybersecurity attacks on the financial system, as well
as crack down on the use of private messaging channels such as
WhatsApp for business purposes.
"Regulation S-ID is designed to help protect investors from the
risks of identity theft," Carolyn M Welshhans, acting chief of
the SEC Enforcement Division's Crypto Assets and Cyber Unit,
said. "Today’s actions are reminders that broker-dealers and
investment advisors must design and operate identity theft
prevention programs that are appropriately tailored to their
businesses and update them in response to the increased threat
and changing nature of identity theft."
JP Morgan
The SEC said that JP Morgan did not “exercise appropriate and
effective oversight” of all service provider arrangements and
failed to train staff to effectively implement one of its
identify theft prevention programs in 2017.
UBS
The Swiss bank “failed to periodically review new or existing
types of customer accounts to determine whether and how its
identity theft prevention program should apply to them; failed to
adequately involve the board of directors in the oversight,
development, implementation, and administration of the program;
and failed to train its employees to effectively implement the
program,” the SEC said.
TradeStation
In the case of TradeStation, the SEC said the firm failed to
adequately involve its board of directors in the oversight,
development, implementation, and administration of its identity
theft prevention program and failed to exercise appropriate and
effective oversight of service provider arrangements.