Anatole France wrote that "The law, in its majestic equality, forbids rich and poor alike to sleep under bridges, to beg in the streets, and to steal loaves of bread." Remember that - we'll come back to it.
A dozen years ago, Congress tucked into the Dodd-Frank Act a provision tasking the SEC and the CFTC with protecting clients of the firms they regulate against identity theft. In 2013, the SEC promulgated Regulation S-ID. Section 201 of Reg. S-ID requires firms to establish written policies and procedures "designed to detect, prevent, and mitigate identity theft" from customer accounts. https://www.law.cornell.edu/cfr/text/17/part-248/subpart-C. Those policies and procedures "must be appropriate to the size and complexity of the financial institution . . . and the nature and scope of its activity." Reg. S-ID further specifies that any such policies and procedures identify, detect and respond to "red flags" in accounts. It even has an Appendix A containing guidelines on how to implement a good compliance policy, including "non-comprehensive" examples of red flags that firms "may consider" including in their policies.
The SEC didn't bring its first enforcement action based on Reg. S-ID until five years later. In September 2018, it charged Voya Financial Advisors with having violated Reg. S-ID in the wake of a hack that compromised the personal information of over 5,000 of its customers. https://www.sec.gov/litigation/admin/2018/34-84288.pdf. Then crickets for the next four years.
So, it actually is news that three Reg S-ID cases were settled the same day after a four-year hiatus. It is also news for another reason: The trio of cases did not involve any identity theft. There is no indication that any account at any of the firms was compromised. All three cases arose strictly from perceived deficiencies in those firms' Reg S-ID policies and procedures.
The first case involved JP Morgan Securities. According to the settled Order, JP Morgan's program "merely (i) restated the general legal requirements (such as 'identify relevant red flags' and 'respond appropriately to any red flags that are detected' . . . ), [and] (ii) listed verbatim all the illustrative examples of identity theft red flags provided in Appendix A . . . ." https://www.sec.gov/litigation/admin/2022/34-95367.pdf. Now, one would think that if you incorporate the legal requirements into your policies and you crib from the SEC's own laundry list of red flags, you'd be safe, like parroting a teacher's pet phrases back on a school exam. But that, it turns out, was exactly the problem.
The SEC found Morgan deficient because its policies did not explain how to identify any of the red flags it listed; and when it did actually respond to potential identity thefts, it apparently ignored its own procedures and came up with solutions on the fly. Moreover, it never updated its policies to account for its actual experiences, and at least in 2017 it never trained anyone on the policies and procedures.
In other words, JP Morgan seems not to have taken Reg. S-ID seriously enough to really think about the policies and procedures it was adopting. That looks to be the theme that runs through all three cases.
Consider the SEC's next target, UBS Financial Services. https://www.sec.gov/litigation/admin/2022/34-95368.pdf. UBS had an anti-identity-theft program in place since 2008 - long before Reg. S-ID - but it did not substantially upgrade that program after Reg. S-ID was implemented. As a result, like JP Morgan, UBS "did not identify or incorporate any relevant red flags or include, incorporate, or reference any policies and procedures addressing and responding to red flags." Also like JP Morgan, UBS did not conduct any training. Also of note, the SEC found that UBS's board minutes showed that the identity theft program was never discussed by the board of directors.
And finally TradeStation Securities, Inc., an online broker. It too cribbed all its red flags from Appendix A, but did not tailor those red flags to its business. In particular, the SEC noted that TradeStation dutifully copied Appendix A's red flag that a customer's physical appearance when opening an account should match the picture on their ID card, even though nearly all of its accounts were opened online. Similarly, TradeStation copied Appendix A's red flags involving credit reports, even though it never checked credit reports. https://www.sec.gov/litigation/admin/2022/34-95369.pdf.
So what can we glean from all this?
First, you can't just copy the regulation into your policies and procedures; you have to tailor them to your actual business.
Second, you can't just enact policies and forget about them; you need to update them as your business changes, as technology changes and as your own experience grows.
Third, you have to continually administer your policies through management oversight, regular training of personnel and periodic reports to the board of directors, to make sure nobody is quietly dodging them.
If you're an old hand at compliance, by now you should be saying, "Duh . . . I knew all that." Of course you did. We all did, and presumably every single compliance professional at JP Morgan, UBS and TradeStation did. So explain that to me!
No? Well, I will. There are just too many damn regulations to keep track of, and no firm can be expected to be abreast of every one of them all the time. You can bet that if JP Morgan can't be 100% compliant, no one can.
But here's where it really gets interesting. In bringing these three cases all together, the SEC unwittingly invited us to compare and contrast. It is hard to say that one firm was any worse an offender under Reg S-ID than any other. They all just went through the motions, paying mere lip service to the Reg. Yet JP Morgan was fined $1.2 million; UBS $925,000; and TradeStation $425,000. Why? You can be forgiven for thinking that the bigger you are, the harder you fall. That's fair, no?
It would be. But don't just look at the fines, look at the proportions to size. There are lots of ways to measure size, but just for simplicity, let's consider assets under management. JP Morgan reportedly has $3.1 trillion AUM, so its $1.2 million fine was 0.000039% of its AUM. TradeStation, however, is estimated to have about $10 billion AUM, so its fine of $425,000 was 0.00425%. In numbers that even a five-year-old would understand, if JP Morgan had been fined the same percentage of AUM as TradeStation, it would have had to pay $131,750,000, and conversely if TradeStation paid the same proportion of its AUM as JP Morgan, its fine would have been $3,871. I guarantee you TradeStation felt the pain of its fine. As for JP Morgan, in the last quarter of 2021, it made about $1.2 million in net earnings -- that's profit -- every half-hour of every business day. See https://www.pionline.com/money-management/jp-morgan-assets-under-management
So, yeah, the SEC was annoyed that these firms paid mere lip service to Reg S-ID, and who could blame it? But this too should annoy us - that regulation tends to favor the richest of the regulated. They are the ones who lobby for the regulations they can tame, who generally set the "best practices" that everyone else must follow, and who can afford the resulting compliance regimes that their smaller competitors can't. Doesn't it then add insult to injury when the burden of regulatory sanctions also falls disproportionately on the small? That is one way the rich get richer, and in these three cases we see how the SEC, even if with the best of intentions, helps them do it. Anatole France would have understood all too well.