On Sept. 27, the Securities and Exchange Commission (SEC) announced $1.1 billion in penalties against 16 Wall Street firms, with the Commodity Futures Trading Commission (CFTC) adding a further $710 million the same day, in a move that targeted some of the largest financial institutions in the world. Companies such as Bank of America (BAC), Barclays (BCS), Citigroup (C), Goldman Sachs (GS) and JP Morgan (JPM) each agreed to pay close to $200 million in combined penalties, in settlements that many in the industry called excessive.
Surprisingly, the massive fines had nothing to do with traditional financial crimes such as insider trading, tax evasion, or securities fraud. Instead, the SEC charged the firms because their employees had used the popular messaging app WhatsApp and other personal channels to send internal business messages, and the firms had failed to preserve these communications as required by federal recordkeeping rules.
Although many in the finance world were quick to point out that the banks had not been found guilty of any crimes (the charges were settled civilly), the SEC viewed the off-the-record chats as an attempt to keep information out of regulators' reach.
Speaking on the case, SEC chair Gary Gensler stated, “Finance, ultimately, depends on trust." According to the government, the banks had broken that trust when they stopped keeping records of their communications and moved them off their servers to messaging apps.
The settlements highlight the agency's increasing focus on ensuring that the data banks and other large financial institutions hold is both protected from malicious actors and accessible to regulators.
Growing Crackdown on Data
Financial regulators across various government agencies have recently tightened guidance due to widespread data breaches and cyberattacks that have resulted in significant harms to consumers, including monetary loss and identity theft.
In addition to the SEC, in early August the Consumer Financial Protection Bureau (CFPB) released a circular providing guidance to consumer protection enforcers on when firms could be held liable for lapses in data security.
Specifically, the CFPB said that financial companies risk violating the Consumer Financial Protection Act's prohibition on unfair practices if they fail to maintain adequate measures to protect against data security incidents.
“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” said Rohit Chopra, CFPB director. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
What is Know Your Client (KYC)?
If you're wondering why major financial companies have so much customer data in the first place, the answer lies with the Customer Identification Program (CIP), one component of a firm's broader KYC obligations, that every financial firm is required to undertake when onboarding new clients.
Mandated by Section 326 of the USA PATRIOT Act of 2001 and enforced for broker-dealers by the SEC, the CIP rule requires that each new customer provide identifying information before opening an investment or banking account.
A company's CIP is used to verify the identity of customers and to screen them against government lists of known or suspected terrorists, so that the firm can form a reasonable belief that it knows who it is dealing with. To do this, companies must obtain at least four pieces of identifying information about a client: name, date of birth, address, and an identification number (for example, a Social Security or taxpayer identification number).
While the program exists to meet government compliance standards, a byproduct of KYC is that banks hold large volumes of personal information on file. And in recent months, it's become clear that this data is not being effectively safeguarded from hacking or theft.
JP Morgan, UBS Fail to Protect Customers
In July, a high-profile case involving finance giants JP Morgan and UBS showed that the SEC was serious about protecting customer data.
According to the SEC investigation, from at least January 2017 to October 2019, the two firms’ identity theft prevention programs "did not include reasonable policies and procedures to identify relevant red flags of identity theft in connection with customer accounts or to incorporate those red flags into their programs."
JP Morgan was also found to be deficient in training staff to effectively implement its identity-theft prevention program, putting the personal data of hundreds of thousands of its customers at risk.
Carolyn M. Welshhans, Acting Chief of the SEC Enforcement Division's Crypto Assets and Cyber Unit, commented on the ruling, "Today’s actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft."
As a result, JPMorgan was forced to pay $1.2 million, while UBS was fined $925,000.
Morgan Stanley Loses Customer Data
In another striking example of mismanagement of customer data, Morgan Stanley agreed to pay $35 million in penalties after the SEC found that the company had failed to properly dispose of storage devices that contained its customers' PII.
As far back as 2015, Morgan Stanley's moving and storage company, which it hired to transport company equipment, sold to a third party thousands of devices including servers and hard drives. The hard drives were eventually resold on an internet auction site without removal of the customer PII.
In a strange twist, some of the hard drives ended up with an IT consultant in Oklahoma, who informed Morgan Stanley that he had purchased them from an online auction site and that he had access to the data on them. The company then bought the hard drives back from the consultant for an undisclosed price.
Not only did the company Morgan Stanley hired have no experience or expertise in data destruction, but according to the SEC's order, over several years Morgan Stanley failed to properly monitor the moving company's work. So far the firm has been unable to recover the vast majority of the devices. The lesson for any firm is that outsourcing decommissioning does not outsource the obligation: drives should be wiped or physically destroyed before they leave the firm's custody, and the vendor's work should be verified rather than assumed.
Speaking on the case, Gurbir Grewal, Director of the SEC's Enforcement Division, called Morgan Stanley's failures "astonishing." He added, “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”
What Does This Mean for Smaller Firms?
The failures of financial giants such as JP Morgan, UBS, Morgan Stanley, and others raise an important question for consumers: If these companies can't effectively safeguard customer data, do smaller financial firms stand a chance of protecting their clients' PII?
The good news is that the human factor is often the biggest vulnerability in the data protection chain, and it is one that every firm, whatever its size, can address. Training lower-level employees, C-suite executives, and everyone else who comes into contact with sensitive data can go a long way towards protecting customers. The cases above also show that policies must be paired with oversight: JP Morgan and UBS had identity-theft programs on paper that were not tailored to their businesses or kept current, and Morgan Stanley never checked its vendor's work.
In any case, it's clear that the SEC will no longer tolerate such slip-ups.