SEC and CFPB charged leading US banking institutions over deficient customer identity programs and opening unauthorized accounts
Major American financial institutions got in trouble with regulators. The SEC charged J.P. Morgan Securities, UBS Financial Services, and online broker TradeStation Securities, Inc. for shortfalls in their programs to prevent customer identity theft. At the same time, the Consumer Financial Protection Bureau (CFPB) fined U.S. Bank for using customers’ credit reports without permission to open unauthorized bank accounts in their names.
JPMorgan, UBS, and TradeStation each violated the Identity Theft Red Flags Rule, or Regulation S-ID, from January 2017 to October 2019. In particular:
- they did not introduce appropriate policies and procedures to identify red flags of ID theft in connection with customer accounts
- their programs didn’t include reasonable policies for responding to detected identity theft red flags
- providers didn’t ensure that the programs were updated periodically to reflect changes in identity theft risks
- JPMorgan also failed to exercise oversight of service provider arrangements and train staff to effectively implement identity theft prevention programs
- UBS did not perform periodic reviews of new and existing customer accounts, nor did it properly train staff on program implementation or include its board of directors in oversight
- TradeStation also neglected to include its board of directors in oversight duties and did not oversee service providers
Each firm agreed to pay the following penalties: JPMorgan: $1.2 million, UBS: $925,000, and TradeStation: $425,000.
Meanwhile, the CFPB took action against U.S. Bank for illegally accessing its customers’ credit reports as well as opening accounts, credit cards, and lines of credit without customers’ permission. The watchdog issued a $37.5 million consent order against the bank.
Allegedly, U.S. Bank pressured and incentivized its employees to sell multiple products and services to its customers, including imposing sales goals as part of their employees’ job requirements. In response, U.S. Bank employees unlawfully accessed customers’ credit reports and sensitive personal data to apply for and open unauthorized accounts.