Cybertheft is the fastest growing crime in the U.S.
Cybersecurity threats also continue to be one of the most significant risks for investors and securities broker-dealers. According to the Financial Industry Regulatory Authority or FINRA, the frequency, sophistication and variety of attacks continue to increase, and include customer account intrusions, ransomware attacks and cyber-enabled fraud.
Many times an investor may find their on-line account frozen, and when it is unfrozen discover the unauthorized transfer of funds to third parties. The investor’s electronic mail addresses and contact information may be changed to conceal this activity.
Under the “Customer Protection Rule,” SEC Rule 15c3-3, securities broker-dealers have a regulatory responsibility to safeguard and protect customer funds and securities from third parties. The firms also have a responsibility to protect customer funds and securities from fraud. Regulatory Notice 12-05, Customer Account Protection (January 2012).
In fact, FINRA has cautioned its members that “online firms should also consider conducting computerized surveillance of account activity to detect suspicious transactions and activity [sic][g]iven the global nature of online brokerage activity.” Special NASD Notice to Members 02-21 (April 2002).
These responsibilities also arise from the “Know Your Customer,” responsibilities and “Red flags” include, but are not limited, to circumstances where the transactions appea out of the ordinary or the customer’s account has inflows of funds or other assets well beyond the known income or resources of the customer.
FINRA Rules require that securities broker-dealers must have and enforce policies and procedures governing the withdrawal or transmittal of funds or assets from customer accounts, including instructions from an investment adviser or other third party purporting to act on behalf of the customer. See also, Regulatory Notice 09-64 (Nov. 2009)(“FINRA firms must have and enforce policies and procedures governing the withdrawal or transmittal of funds or assets from customer accounts, including instructions from an investment adviser or other third party purporting to act on behalf of the customer”); FINRA Regulatory Notice 12-05 (Jan. 2012)(“firms must have adequate policies and procedures to review and monitor all disbursements it makes from customers’ accounts, including but not limited to third-party accounts, outside entities or an address other than the customer’s primary address”).
On May 16, 2019, FINRA issued Regulatory Notice 19-18, reminding members of their obligations to monitor and report suspicious activity, providing a series of red flags that would alert firms to issues involving: (i) customer due diligence and interactions with customers; (ii) deposits in securities; (iii) red flags in securities trading; (iv) red flags in money movement; (v) red flags in insurance products; and (vi) various other potential red flags associated with the account or account activity. Regulatory Notice 19-18 (May 16, 2019)(emphasis added).
Regulatory Notice 19-18 also provides members a “non-exhaustive” list of “Potential Red Flags,” that broker-dealers are required to investigate in connection with “Money Movements” including, instances where:
• There is wire transfer activity that is unexplained, repetitive, unusually large, shows unusual patterns or has no apparent business purpose.
• Wire transfer activity, when viewed over a period of time, reveals suspicious or unusual patterns.
• The customer makes high-value transactions not commensurate with the customer’s known income or financial resources.
• The customer “structures” deposits, withdrawals below a certain amount to avoid reporting or recordkeeping requirements.
• There is an unusual use of trust funds in business transactions or other financial activity.
Regulatory Notice 19-18 at 7. (May 16, 2019). Regulatory Notice 19-18 also reminds members that “the failure to detect and investigate, and file suspicious activity reports with FinCEN constitutes a violation of FINRA Rules 3310 and 2010.”
In August 2022, FINRA established the Cyber and Analytics Unit (CAU) to enhance our ability to proactively address the evolving sophisticated cyber threat landscape and growth of the crypto-asset market. CAU has a team that examines member firms’ cybersecurity risk management through reviews of their controls, a team responsible for conducting investigations of cyber-related fraud and a team that investigates and examines crypto-asset activity.
In December 2022, FINRA issued Regulatory Notice 22-29 (FINRA Alerts Firms to Increased Ransomware Risks) to provide firms with questions they can use to evaluate their cybersecurity programs, information about possible additional ransomware controls and relevant resources.
Regulatory Obligations
Rule 30 of SEC Regulation S-P requires member firms to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.
Regulation S-ID (Identity Theft Red Flags) requires member firms to develop and implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of “covered accounts.”
FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to member firms’ operations.
In addition to member firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop and maintain reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale ofoperations.
Cybersecurity incidents, such as account takeovers, ransomware or network intrusions, and any related exposure of customer information or fraudulent financial activity can expose member firms to financial losses, reputational risks and operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370, 3110 (Supervision) and 3120 (Supervisory Control System), as well as Exchange Act Rules 17a-3 and 17a-4. Report on FINRA’s Examination and Risk Monitoring Program (January 2023).
If you have suffered losses as the result of cybertheft or the fraudulent or unauthorized removal or withdrawal from your securities account you should consult with qualified counsel to determine your rights and responsibilities.
For more information, please see N. Guiliano, et al., Broker-Dealer Liability For 3rd Party Scams, Public Investors Advocate Bar Association, 32nd Annual Meeting (October 26, 2023)..
To learn more about FINRA Securities Arbitration, and the legal process, please visit us at securitiesarbitrations.com.
Guiliano Law Group, P.C.
Our practice is limited to the representation of investors. We accept representation on a contingent fee basis, meaning there is no cost to you unless we make a recovery for you. There is never any charge for a consultation or an evaluation of your claim. For more information, contact us at (877) SEC-ATTY.