Skip to main content
close search
site logo
Dive Brief

J.P. Morgan’s copy-and-paste job no good as identity-theft policy, SEC says

Published Aug. 1, 2022
Robert Freedman's headshot
Lead Editor
J.P. Morgan's Fourth Quarter Income Drops Over 30 Percent
File photo: NEW YORK - JANUARY 16: The JPMorgan Chase building in midtown Manhattan is seen January 16, 2008 in New York City. JPMorgan Chase announced that fourth quarter income has dropped over 30 percent, more than many analysts expected. (Photo by Chris Hondros/Getty Images) Chris Hondros / Staff via Getty Images
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • J.P. Morgan Securities grabbed language and examples from the federal Identity Theft Red Flags Rule and called that part of its identity-theft policy, the Securities and Exchange Commission said in announcing a settlement agreement with the company last week for violating Regulation S-ID.
  • The SEC credited the company for its handling of identity theft risks but its approach was independent of its written policy. 
  • “Although JPMS did take actions to detect and respond to potential and actual incidents of identity theft, the procedures describing those actions were not included or incorporated by reference in [its policy],” the agency said. The company agreed to settle for a $1.2 million fine.

Dive Insight:

The SEC promulgated Regulation S-ID in 2013 after identity-theft laws were expanded as part of Dodd-Frank banking reform in 2010. The law requires financial institutions and broker-dealers to have written policies to prevent bad actors from assuming customers’ identities to access their accounts. 

Red flags typically include documents that appear to have been altered or forged and suspicious address changes.  

The policies that J.P. Morgan wrote for its two covered lines of business appeared to be perfunctory, the SEC suggested. 

“Both Programs merely (i) restated the general legal requirements (such as ‘identify relevant red flags’ and ‘respond appropriately to any red flags that are detected to prevent and mitigate identity theft’), [and] (ii) listed verbatim all the illustrative examples of identity theft red flags provided in Appendix A to Regulation S-ID,” the agency said. 

What’s more, none of the policies explained how the company was to identify any of the red flags or respond to them to prevent and remediate identity theft, the SEC said. 

Nor did the policies contain anything on keeping the policies updated if the company identified new red flags based on its customers’ experiences, among other weaknesses. 

In the settlement agreement, the SEC credited the company for auditing and then revising its programs to address the weaknesses. In addition to improving its policies and procedures, it added greater oversight of its service providers and improved training, two other identified weaknesses.

"Today’s actions are reminders that [companies] must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft," Carolyn Welshhans, acting chief of SEC’s cyber enforcement unit, said in a statement

Settlement agreements over identity-theft red-flag policy deficiencies with UBS and TradeStation were also announced last week.

Recommended Reading

Filed Under: Emerging Issues

Editors' picks

Company Announcements

View all | Post a press release
Breaches and Bots: Law Firms Face a Trust Crisis with Clients, New Integris Survey Reveals
From Integris
November 18, 2024
Trellis Launches Trellis AI to Revolutionize Trial Court Litigation
From Trellis
November 19, 2024
ContractCrab Launches AI Contract Review for In-House Legal Teams
From ContractCrab
November 14, 2024
Editors' picks
Latest in Emerging Issues
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell