Cybertheft is the fastest growing crime in the U.S.

Cybersecurity threats also continue to be one of the most significant risks for investors and securities broker-dealers. According to the Financial Industry Regulatory Authority (FINRA), the frequency, sophistication and variety of attacks continue to increase, and include customer account intrusions, ransomware attacks and cyber-enabled fraud.

Many times an investor may find their online account frozen, and when it is unfrozen, discover the unauthorized transfer of funds to third parties. The investor’s e-mail addresses and contact information may have been changed to conceal this activity.

Under the “Customer Protection Rule,” SEC Rule 15c3-3, securities broker-dealers have a regulatory responsibility to safeguard and protect customer funds and securities from third parties. The firms also have a responsibility to protect customer funds and securities from fraud. Regulatory Notice 12-05, Customer Account Protection (January 2012).

In fact, FINRA has cautioned its members that “online firms should also consider conducting computerized surveillance of account activity to detect suspicious transactions and activity [sic][g]iven the global nature of online brokerage activity.” Special NASD Notice to Members 02-21 (April 2002).

These responsibilities also arise from the “Know Your Customer” obligations, and “red flags” include, but are not limited to, circumstances where the transactions appear out of the ordinary or the customer’s account has inflows of funds or other assets well beyond the known income or resources of the customer.

FINRA Rules require that securities broker-dealers have and enforce policies and procedures governing the withdrawal or transmittal of funds or assets from customer accounts, including instructions from an investment adviser or other third party purporting to act on behalf of the customer. See also Regulatory Notice 09-64 (Nov. 2009) (“FINRA firms must have and enforce policies and procedures governing the withdrawal or transmittal of funds or assets from customer accounts, including instructions from an investment adviser or other third party purporting to act on behalf of the customer”); FINRA Regulatory Notice 12-05 (Jan. 2012) (“firms must have adequate policies and procedures to review and monitor all disbursements it makes from customers’ accounts, including but not limited to third-party accounts, outside entities or an address other than the customer’s primary address”).

On May 16, 2019, FINRA issued Regulatory Notice 19-18, reminding members of their obligations to monitor and report suspicious activity, providing a series of red flags that would alert firms to issues involving: (i) customer due diligence and interactions with customers; (ii) deposits in securities; (iii) red flags in securities trading; (iv) red flags in money movement; (v) red flags in insurance products; and (vi) various other potential red flags associated with the account or account activity. Regulatory Notice 19-18 (May 16, 2019)(emphasis added).

Regulatory Notice 19-18 also provides members a “non-exhaustive” list of “Potential Red Flags” that broker-dealers are required to investigate in connection with “Money Movements,” including instances where:

• There is wire transfer activity that is unexplained, repetitive, unusually large, shows unusual patterns or has no apparent business purpose.

• Wire transfer activity, when viewed over a period of time, reveals suspicious or unusual patterns.

• The customer makes high-value transactions not commensurate with the customer’s known income or financial resources.

• The customer “structures” deposits or withdrawals below a certain amount to avoid reporting or recordkeeping requirements.

• There is an unusual use of trust funds in business transactions or other financial activity.

Regulatory Notice 19-18 at 7 (May 16, 2019). Regulatory Notice 19-18 also reminds members that “the failure to detect and investigate, and file suspicious activity reports with FinCEN constitutes a violation of FINRA Rules 3310 and 2010.”
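The “computerized surveillance of account activity” that FINRA describes can be as simple as a rules pass over a customer’s transaction ledger. The following is an added illustration, not code from FINRA or from any firm: it applies three of the Notice 19-18 money-movement red flags (unusually large wires, transactions not commensurate with known income, and structuring just under a reporting threshold) to a constructed ledger. The $10,000 threshold, the 7-day window and the ratios are assumed, tunable parameters, and the $80,000 income figure is a made-up KYC value.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample ledger: (timestamp, kind, amount, counterparty).
# Three withdrawals of 9,500 / 9,800 / 9,700 inside one week sit just under
# the assumed 10,000 reporting threshold; the 250,000 wire dwarfs both the
# customer's known income and every prior wire on the account.
LEDGER = [
    ("2024-03-01 09:00", "wire", 2_000, "utility-co"),
    ("2024-03-05 10:15", "wire", 1_500, "utility-co"),
    ("2024-03-10 11:30", "withdrawal", 9_500, "atm"),
    ("2024-03-12 14:00", "withdrawal", 9_800, "atm"),
    ("2024-03-14 16:45", "withdrawal", 9_700, "atm"),
    ("2024-03-20 08:05", "wire", 250_000, "new-payee-xyz"),
]
KNOWN_ANNUAL_INCOME = 80_000  # assumed KYC figure for this sample customer


def screen(ledger, income, threshold=10_000, window_days=7,
           structure_band=0.85, income_ratio=0.5, spike_factor=10):
    """Return (row index, flag) pairs for rows tripping a Notice 19-18 style
    red flag. All thresholds are assumed values a firm would tune itself."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, amt, cp)
            for ts, kind, amt, cp in ledger]
    flags, prior_wires = [], []
    for i, (ts, kind, amt, _cp) in enumerate(rows):
        # Red flag: high-value transaction not commensurate with known income
        if amt > income_ratio * income:
            flags.append((i, "exceeds_known_income"))
        if kind == "wire":
            # Red flag: wire unusually large against this account's own history
            if prior_wires and amt > spike_factor * median(prior_wires):
                flags.append((i, "wire_unusually_large"))
            prior_wires.append(amt)
        if kind == "withdrawal" and structure_band * threshold <= amt < threshold:
            # Red flag: structuring, i.e. several just-under-threshold
            # withdrawals within a short window up to and including this row
            recent = [j for j, (t2, k2, a2, _) in enumerate(rows[: i + 1])
                      if k2 == "withdrawal"
                      and structure_band * threshold <= a2 < threshold
                      and ts - t2 <= timedelta(days=window_days)]
            if len(recent) >= 3:
                flags.append((i, "possible_structuring"))
    return flags


if __name__ == "__main__":
    for idx, flag in screen(LEDGER, KNOWN_ANNUAL_INCOME):
        print(f"row {idx}: {LEDGER[idx]} -> {flag}")
```

Each flag is a prompt for the review and, where warranted, the SAR filing the Notice describes, not a verdict; a production system would also key on counterparty history and address changes.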

In August 2022, FINRA established the Cyber and Analytics Unit (CAU) to enhance its ability to proactively address the evolving and sophisticated cyber threat landscape and the growth of the crypto-asset market. CAU has a team that examines member firms’ cybersecurity risk management through reviews of their controls, a team responsible for conducting investigations of cyber-related fraud, and a team that investigates and examines crypto-asset activity.

In December 2022, FINRA issued Regulatory Notice 22-29 (FINRA Alerts Firms to Increased Ransomware Risks) to provide firms with questions they can use to evaluate their cybersecurity programs, information about possible additional ransomware controls and relevant resources.

Regulatory Obligations

Rule 30 of SEC Regulation S-P requires member firms to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.

Regulation S-ID (Identity Theft Red Flags) requires member firms to develop and implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of “covered accounts.”

FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to member firms’ operations.

In addition to member firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop and maintain reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.

Cybersecurity incidents, such as account takeovers, ransomware or network intrusions, and any related exposure of customer information or fraudulent financial activity can expose member firms to financial losses, reputational risks and operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370, 3110 (Supervision) and 3120 (Supervisory Control System), as well as Exchange Act Rules 17a-3 and 17a-4. Report on FINRA’s Examination and Risk Monitoring Program (January 2023).

The Electronic Fund Transfer Act

“The rapid growth of online and mobile banking in recent years has placed consumers in the crosshairs of increasingly sophisticated scams. Convincing impersonation scams by text message and over the phone, known as phishing, and mobile device hacks, such as SIM swaps, pose ever-present threats to consumers.” The State of New York v. Citibank N.A., Case No. 24 Civ. 0659 (S.D.N.Y. Jan. 30, 2024).

The Electronic Fund Transfer Act (“EFTA”) 15 U.S.C. § 1693, as amended, effective June 21, 2020, establishes a basic framework of the rights, liabilities, and responsibilities of participants in the electronic fund and remittance transfer systems. The EFTA and its implementing Regulation E (“Reg. E”) are landmark protections that shift liability for unauthorized transfers from consumers to banks.

The EFTA governs any “electronic fund transfer,” (“EFT”) which it defines as any transfer of funds that is initiated through an electronic terminal, telephonic instrument, or computer that orders, instructs, or authorizes a “financial institution,” to debit or credit an account. 15 U.S.C. § 1693a(7).

Securities broker-dealers are “financial institutions,” as defined by the EFTA. Securities broker-dealers are not exempt. However, securities broker-dealers are excluded from the consumer protection provisions of the EFTA only where the “primary purpose” of the “transfer of funds is for the purchase or sale of a security or commodity, if the security or commodity is purchased or sold through a broker-dealer regulated by the Securities and Exchange Commission.” Subsection (c)(4) of §205.2.

The EFTA and Reg. E protect consumers from unauthorized EFTs and other errors. EFTs are unauthorized when they do not benefit consumers and are made by persons who are not the consumers or other authorized users. 15 U.S.C. § 1693a(12).

The EFTA’s consumer protections for unauthorized EFTs are a three-tiered structure that is based on when consumers provide notice of unauthorized EFTs:

a. First, when consumers notify the institution of unauthorized EFTs within two business days of discovering the EFTs, their losses are capped at $50 or less, and institutions must reimburse anything above $50. 15 U.S.C. § 1693g(a).

b. Second, when consumers notify institutions of unauthorized EFTs within sixty days of discovering the EFTs, their losses are capped at $500, but only if the institution proves that those losses would not have occurred had consumers reported the unauthorized EFTs within two business days rather than sixty. 15 U.S.C. § 1693g(a).

c. Third, when consumers do not notify institutions of unauthorized EFTs within 60 days of discovering the EFTs, their losses are not capped, but only if the institution proves that those losses would not have occurred had consumers reported the unauthorized EFTs within sixty business days rather than later. 15 U.S.C. § 1693g(a).

However, where the securities broker-dealer does not provide its customers with periodic statements and instead provides only an “alternative to periodic statements” made available online, the 60-day period for reporting any unauthorized transfer begins on the earlier of the “date the consumer electronically accesses the consumer’s account,” provided “that the electronic history made available to the consumer reflects the transfer,” or the “date the financial institution sends a written history of the consumer’s account transactions requested by the consumer under paragraph (b)(1)(iii) of this section in which the unauthorized transfer is first reflected.”

The Electronic Fund Transfer Act also provides for statutory damages, including the recovery of costs and reasonable attorney’s fees, as provided by 15 U.S.C. § 1693m (Civil liability).

If you have suffered losses as the result of cybertheft or the fraudulent or unauthorized removal or withdrawal of funds from your securities account, you should consult with qualified counsel to determine your rights and responsibilities.

For more information, please see N. Guiliano, et al., Broker-Dealer Liability For 3rd Party Scams, Public Investors Advocate Bar Association, 32nd Annual Meeting (October 26, 2023).

To learn more about FINRA Securities Arbitration, and the legal process, please visit us at securitiesarbitrations.com.

Guiliano Law Group, P.C.

Our practice is limited to the representation of investors. We accept representation on a contingent fee basis, meaning there is no cost to you unless we make a recovery for you. There is never any charge for a consultation or an evaluation of your claim. For more information, contact us at (877) SEC-ATTY.