The U.S. Securities and Exchange Commission (SEC) charged a trio of brokerage firms for alleged deficiencies in their programs to guard against identity theft.

Separately, the SEC charged J.P. Morgan Securities LLC, UBS Financial Services Inc., and TradeStation Securities Inc. for violating the regulator’s rules on spotting identity theft risks.

The regulator’s orders found that, from January 2017 to October 2019, the firms’ identity theft prevention programs “did not include reasonable policies and procedures to identify relevant red flags of identity theft in connection with customer accounts or to incorporate those red flags into their programs.”

The orders also found the firms didn’t have procedures to respond appropriately to red flags, or to ensure that their programs were updated to reflect evolving identity theft risks.

The firms all settled the cases without admitting or denying the SEC’s findings.

Each firm agreed to cease and desist from future violations and to pay monetary penalties. JPMorgan agreed to pay US$1.2 million, UBS agreed to a US$925,000 penalty, and TradeStation to US$425,000.

“Today’s actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft,” said Carolyn Welshhans, acting chief of the SEC enforcement division’s crypto assets and cyber unit.