SEC Files Charges Against Banks for Not Following Identity Theft Red Flags Rule

Identity theft is costly to both businesses and consumers. The SEC has the Red Flags Rule in order to help reduce the risk of identity theft.

Jennifer Farrington - Author

Jul. 28 2022, Published 12:27 p.m. ET

SEC seal
Source: Getty Images

The SEC has a rule known as the identity theft Red Flags Rule, which is designed to protect the identities of individuals who entrust certain businesses with sensitive information such as Social Security numbers, birth dates, and more.

Article continues below advertisement
Article continues below advertisement

The rule generally applies to banks and some creditors and require these entities to establish a program that's able to detect when the threat of identity theft arises and of course, ways to mitigate consumer risk. Here’s a breakdown of the SEC’s Red Flags Rule and what happens when a bank or creditor violates the rule.

The SEC’s identity theft Red Flags Rule is critical for keeping data safe.

identity theft protection
Source: Getty Images

When you hand over personal information such as your name, birth date, Social Security number, and address to a bank or creditor you’re seeking a line of credit from, you expect that entity to keep your information safe. Thanks to the Red Flags Rule, banks and most creditors are required to do just that.

Article continues below advertisement

To clarify, the SEC defines a creditor as “a person that regularly extends, renews or continues credit, or makes those arrangements.”

Certain institutions have to follow the Red Flags Rule.

The Red Flags Rule requires businesses that maintain “covered accounts” to “develop and implement a written Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account,” according to the SEC.

Article continues below advertisement
Article continues below advertisement

A covered account includes personal bank accounts, credit card accounts, or any other type of financial account “for which there is a reasonably foreseeable risk to customers.”

Article continues below advertisement

Businesses must include certain elements in their Red Flags Rule programs.

The SEC requires that financial institutions and creditors include four elements in their programs to ensure they comply with the SEC’s identity theft Red Flags Rule criteria. The four elements include:

Article continues below advertisement

1. The business’s program must establish policies and procedures that are able to “identify the red flags of identity theft that may occur in [a business’s] day-to-day operations,” according to the Federal Trade Commission (FTC).

2. The program must possess the capability of effectively detecting the red flags it has identified.

Article continues below advertisement

3. The program must lay out the actions the business will take when red flags of identity theft are detected.

4. The program must outline how the business will stay current with new threats that arise.

The SEC is flexible in terms of how the programs are designed. It takes into account the size and complexity of the businesses that are required to comply with the Red Flags Rule.

The SEC has filed charges against Chase, UBS, and TradeStation over identity theft violations.

On July 27, 2022, the SEC announced that it has filed separate charges against J.P. Morgan Securities LLC, UBS Financial Services Inc., and TradeStation Securities, Inc. after “deficiencies” were detected in their programs.

Article continues below advertisement
Article continues below advertisement

The SEC press release also states that between January 2017 and October 2019, the firms’ programs didn't include “reasonable policies and procedures to identify relevant red flags of identity theft in connection with customer accounts or to incorporate those red flags into their programs.”

Although none of the three parties admitted to or denied the SEC's findings, each is required to pay the following fine:

  • JP Morgan: $1.2 million
  • UBS: $925,000
  • TradeStation: $425,000

The FTC, along with several other agencies, is responsible for enforcing the SEC’s identity theft Red Flags Rule.


Latest Banking News and Updates

    Opt-out of personalized ads

    © Copyright 2024 Market Realist. Market Realist is a registered trademark. All Rights Reserved. People may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.