Three Broker-Dealers Settle SEC Charges for Identity Theft Prevention Deficiencies

Three broker-dealers settled separate SEC charges for failing to implement an adequate supervisory system designed to prevent identity theft for covered accounts. The SEC alleged that while each of the broker-dealers maintained an identity theft prevention program, each program had deficiencies that put customer data at risk.

In the first Order, the SEC found that the broker-dealer's policies failed to (i) describe how red flags were identified and addressed or (ii) incorporate reports of previously identified red flags. Additionally, the firm failed to update its program or to provide adequate training to staff.

In the second Order and the third Order, the SEC determined that each of the broker-dealers failed to (i) update their programs, (ii) periodically review new and existing accounts to determine if they qualified as covered accounts, (iii) identify and respond to red flags and incorporate them into their programs and (iv) involve the boards of directors in the design and implementation of their programs.

As a result, the SEC determined that each broker-dealer was in violation of Rule 201 ("Duties regarding the detection, prevention and mitigation of identity theft") of Regulation S-ID ("Identity Theft Red Flags").

To settle the charges, all three broker-dealers have agreed to (i) separate cease-and-desist orders, (ii) separate censures and (iii) civil monetary penalties of $1,200,000, $925,000 and $425,000, respectively.