It’s not just upfront financial losses and reputational damage that U.S. banks and investment firms need to worry about when it comes to cyber risk. Increasingly, financial regulators are levying large fines for banks that fail to manage their security and authentication protocols and processes.
Recently, JP Morgan Chase & Co., UBS and online broker TradeStation faced charges from the Securities and Exchange Commission (SEC) over having “deficient customer identity programs,” while U.S. Bancorp was fined by the Consumer Financial Protection Bureau (CFPB) for opening “unauthorized accounts.” The three financial firms agreed to pay more than a combined $2.5 million in fines.
According to investment regulator the SEC, the two banks and the online broker all violated the so-called Identity Theft Red Flags Rule, or Regulation S-ID — which aims to protect investors from the risk of identity theft — for nearly three years from early 2017 to late 2019.
“All three financial institutions were charged with not including reasonable policies and procedures to identify red flags for identity theft through customer accounts," according to eMarketer. “The financial institutions’ programs also lacked policies and procedures on how to respond to identity theft red flags once they were identified.” JPMorgan, the largest U.S. bank with nearly $3 trillion in assets, was also charged with “failure to provide effective oversight of service providers and to train staff on how to effectively implement its identity theft prevention program.”
Meanwhile, UBS did not perform periodical reviews on new and existing customer accounts in order to plan how its identity theft program should be applied, nor did the international bank “properly train staff on program implementation or include its board of directors in oversight,” eMarketer said. TradeStation did not alert its board of directors of their oversight duties and did not exercise oversight of service providers, according to the SEC.
The three cited financial institutions agreed to be censured and not to commit future violations. The trio of financial firms all agreed to pay fines, $1.2 million for JPM; $925,000 for UBS; and $425,000 for TradeStation.
CFPB fines US Bank $37.5 million for opening unauthorized accounts
Separately, regulatory consumer watchdog CFPB fined U.S. Bank $37.5 million last week, in a consent order, which cited the Minneapolis-based institution’s having allegedly used customers’ credit reports without permission to open unauthorized bank accounts in their names, according to a CFPB release. In addition, U.S. Bank will need to remunerate affected customers. Much like Wells Fargo & Co. and other banks and investment companies previously, U.S. Bank apparently set employee sales goals, offering incentives to those staffers who opened the greatest number of checking, savings, credit card and line of credit accounts.
These compliance issues have pointed out that security concerns may stem, in some cases, from financial providers themselves, as well as bad actors. These incidents put retail and business customers on notice that they must be watchful of their own account and credit reports, and manage their identity and access carefully. Dubious of wholly trusting their financial institutions entirely, customers are increasingly open to using emerging technologies to protect their identities.
Indeed, nearly three-fourths (73%) of consumers via multiple devices are interested in using “alternative authentication methods” to log in, and thereby better protect their accounts and their identity, according to a June 2022 report from PYMNTS and Entersekt. (Alternative authentication methods may include multi-factor authentication, biometrics and single sign-on.) The research also found that two-thirds of U.S. digital banking users would prefer to know that their sensitive financial data is secure over having more simplified and convenient access to accounts.
