Brokers, advisers fall short in protecting clients from identity theft

Brokers, advisers fall short in protecting clients from identity theft
The SEC finds that some firms use generic compliance programs that aren't tailored to the particular hacking dangers their accounts face.
DEC 06, 2022

Some brokerages and investment advisory firms are just going through the motions when it comes to protecting investors from identity theft, an SEC probe shows.

Financial firms are failing to establish and follow through on policies and procedures designed to prevent hackers from stealing their clients’ and customers' personal information, according to a risk alert released Monday by the Securities and Exchange Commission.

The SEC warning was based on the findings of an examination sweep to monitor compliance with Regulation S-ID, or the Identity Theft Red Flags Rule. The regulation was promulgated in 2013 and applies to so-called “covered accounts,” which are defined as those a financial institution maintains for personal, family or household purposes that permit multiple payments or transactions.

The red flag rule requires brokerages and advisory firms to develop and implement an identity theft protection program. SEC exam staff found that some firms failed to determine whether the rule applied to any of their accounts or failed to conduct a reassessment after merging with another firm.

The shortcomings led to online and retirement accounts being omitted from compliance with the red flag rule, the alert states.

Another deficiency involved implementing a generic program that didn’t target red flags specific to a firm’s business model.

“For example, some firms created written programs that had generic language for identifying, detecting and responding to and updating red flags but the programs did not include any actual red flags identified by the firms,” the alert states.

The SEC also noted training deficiencies.

"Some trainings appeared to be insufficient because the training was limited to a single sentence telling employees to be aware of identity theft," the alert states.

The SEC is not only looking for specificity in compliance but also wants to see that firms are adapting their policies and procedures as they go through mergers or consolidations, said Ignacio Sandoval, a partner at Morgan Lewis.

For instance, they may reduce their branch offices but take on new online accounts, which creates possible new hacking vulnerabilities.

“The threats are dynamic,” said Sandoval, a former special counsel in the SEC Division of Trading and Markets. “They change over time. Firms need to be cognizant of these changes. You need to go back and rework your policies and procedures, retrain folks and reconsider what your program looks like.”

The risk alert comes as the SEC is warning firms to strengthen their cyber defenses. It also follows an enforcement case earlier this year in which the agency imposed $2.5 million in fines on J.P. Morgan Securities, UBS Financial Services Inc. and TradeStation Securities Inc. for red-flag program deficiencies.

The SEC also is working on a cybersecurity proposal and has another one on its regulatory agenda.

“I think what comes out in the exam findings is going to inform rulemaking,” Sandoval said.

‘IN the Office’ with Stifel CEO Alex David

Latest News

Trepidation at SEC as Trump workforce overhaul casts shadow on agency
Trepidation at SEC as Trump workforce overhaul casts shadow on agency

While the regulator's lawyers may be exempt, a federal effort to purge workers is causing uncertainty across its broader employee base.

Prime Capital Financial, Carnegie expand Eastern footprints
Prime Capital Financial, Carnegie expand Eastern footprints

The two national RIA firms are bolstering their presence separately in Georgia and Connecticut with new billion-dollar acquisitions.

Embattled TD Bank eyes $14B raise in Schwab stake exit
Embattled TD Bank eyes $14B raise in Schwab stake exit

The banking giant is looking to sell its interest in the online brokerage giant amid the continuing fallout of its historic money-laundering settlement with federal regulators.

Next-gen woman advisor managing $200M switches from UBS to Sanctuary Wealth
Next-gen woman advisor managing $200M switches from UBS to Sanctuary Wealth

Advisor joins the Partnered Independence model for new firm launch.

How did US institutional investors navigate the choppy waters of Q4, 2024?
How did US institutional investors navigate the choppy waters of Q4, 2024?

Median return for institutions managing a combined $1.4T revealed.

SPONSORED Taylor Matthews on what's behind Farther's rapid growth

From 'no clients' to reshaping wealth management, Farther blends tech and trust to deliver family-office experience at scale.

SPONSORED Why wealth advisors should care about the future of federal tax policy

Blue Vault features expert strategies to harness for maximum client advantage.