SEC Files Charges Against Banks for Not Following Identity Theft Red Flags Rule

The SEC has a rule known as the identity theft Red Flags Rule, which is designed to protect the identities of individuals who entrust certain businesses with sensitive information such as Social Security numbers, birth dates, and more.

The rule generally applies to banks and some creditors and require these entities to establish a program that's able to detect when the threat of identity theft arises and of course, ways to mitigate consumer risk. Here’s a breakdown of the SEC’s Red Flags Rule and what happens when a bank or creditor violates the rule.

When you hand over personal information such as your name, birth date, Social Security number, and address to a bank or creditor you’re seeking a line of credit from, you expect that entity to keep your information safe. Thanks to the Red Flags Rule, banks and most creditors are required to do just that.

To clarify, the SEC defines a creditor as “a person that regularly extends, renews or continues credit, or makes those arrangements.”

The Red Flags Rule requires businesses that maintain “covered accounts” to “develop and implement a written Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account,” according to the SEC.

A covered account includes personal bank accounts, credit card accounts, or any other type of financial account “for which there is a reasonably foreseeable risk to customers.”

The SEC requires that financial institutions and creditors include four elements in their programs to ensure they comply with the SEC’s identity theft Red Flags Rule criteria. The four elements include:

1. The business’s program must establish policies and procedures that are able to “identify the red flags of identity theft that may occur in [a business’s] day-to-day operations,” according to the Federal Trade Commission (FTC).

2. The program must possess the capability of effectively detecting the red flags it has identified.

3. The program must lay out the actions the business will take when red flags of identity theft are detected.

4. The program must outline how the business will stay current with new threats that arise.

The SEC is flexible in terms of how the programs are designed. It takes into account the size and complexity of the businesses that are required to comply with the Red Flags Rule.

On July 27, 2022, the SEC announced that it has filed separate charges against J.P. Morgan Securities LLC, UBS Financial Services Inc., and TradeStation Securities, Inc. after “deficiencies” were detected in their programs.

The SEC press release also states that between January 2017 and October 2019, the firms’ programs didn't include “reasonable policies and procedures to identify relevant red flags of identity theft in connection with customer accounts or to incorporate those red flags into their programs.”

Although none of the three parties admitted to or denied the SEC's findings, each is required to pay the following fine:

• JP Morgan: $1.2 million
• UBS: $925,000
• TradeStation: $425,000

The FTC, along with several other agencies, is responsible for enforcing the SEC’s identity theft Red Flags Rule.