Philadelphia — The Guiliano Law Group, P.C. is lead counsel in, and has recently filed, several cases or claims before the Financial Industry Regulatory Authority (FINRA) on behalf of investors who recently fell victim to sophisticated cyber-fraud and lost all or most of their life savings. The cases are unrelated, but in each case the losses could have been prevented had the securities broker-dealers followed FINRA Rules, and indeed their own rules or internal written supervisory procedures, concerning the designation of a trusted contact person and the suspicious transfer of customer funds.
In one case, the victim cleaned out his joint account, several of his retirement accounts, and the retirement accounts belonging to his wife in order to purchase crypto assets. According to the Statement of Claim, the investor was induced to make a small investment in a cryptocurrency fund, which quickly appreciated in value, and was then convinced to invest more funds, which again grew exponentially. However, after the investor had depleted his accounts (and his related accounts) and been convinced to mortgage his home to make additional investments, which also quickly increased in value, the cryptocurrency platform (operating under a slightly modified version of a reputable firm's name) disappeared completely.
The securities broker-dealer, which has a duty to “know its customer,” did absolutely nothing as the couple’s retirement accounts were decimated, resulting in massive penalties and tax liabilities. The funds were also sent to unknown individuals in suspect jurisdictions, but again the broker-dealer did nothing except eventually freeze the accounts, and only after the funds were all gone. The customers were in fact unable even to access their accounts unless they could prove to the broker-dealer that their computer was not infected by malware.
In another case, also recently filed, an elderly widow was having computer issues and, most likely as the result of a spear-phishing scheme, was instructed to call purported federal authorities. These impersonators, with the customer’s permission, were able to access her computer remotely and identify her financial accounts. With the assistance of the impersonators, the widow was instructed to move her funds into certain “safe” accounts, in “real assets,” under the control of the scammers, wiping out all or substantially all of her savings and retirement assets. Again, the securities broker-dealer, which had failed to require that the customer provide a “trusted contact person” as required under FINRA rules, did absolutely nothing as the widow’s retirement account was liquidated, again resulting in massive penalties and tax liabilities.
These are not isolated cases.
Americans over the age of 60 lost $982 million last year to tech support scams, according to the Federal Bureau of Investigation’s Internet Crime Complaint Center.
As was recently reported in the New York Times, David Welles, a retired lawyer, had spent hours struggling with his new iPad when he searched for tech support. But the number he found on Google wasn’t Microsoft’s; it connected him to scammers posing as support to “fix” his email. Mr. Welles installed remote access software on his iPhone and laptop, giving the scammers control of his devices and access to his stored credentials, which they used to wire $85,000 from his Citibank account. The bank refused to reimburse Mr. Welles, saying the transfer was made using his Citibank online credentials and initiated from a registered device ID.
Welles, 87, believed he was contacting Microsoft customer support to get help with his iPad when the ordeal unfolded. He found a number on Google and had no idea that he was getting in touch with a fraudster. The fraudster gained his trust and helped him install remote access software on his cell phone and laptop, where he kept his usernames and passwords.
“A big mistake,” Welles told the New York Times. “All of a sudden, on the laptop, I could see it going blank, and little lights flashing around.” The fraudster used the software to steal $85,000 from Welles’ checking account at Citibank. When Welles and his assistant called the bank at 8 pm, the bank didn’t even mention that the sum had been wired from his account just hours earlier. The next day, Welles received a call from a man who identified himself as Michael Wink, asking whether he had initiated an $85,000 wire transfer. Wink reassured Welles that he didn’t need to call the bank because it was being handled; but it was the fraudster who was calling. Welles and his assistant then called Citibank, which confirmed that $85,000 had been withdrawn from his account the previous day. The bank put a recall on the transfer, but it was too late. Citibank also refused to refund Welles his money because the transfer came from his account. “Based on the information provided and the results of our research, the transfer was made using your Citibank online credentials and were initiated using their registered device ID,” the bank told Welles in a letter. “As a result, we’re unable to honor your claim.”
Citi declined to comment to the New York Times on the specifics of the case, but the situation raises the question of whether the money could have been recovered had Citi flagged the transaction earlier.
The Gold Bar Scam
Similarly, an elderly Morgan Stanley client in Florida fell prey to a so-called “gold bar” scam. Marjorie Kessler, 76, claimed last year that Morgan Stanley violated two industry rules and “long-standing” industry standards designed to protect elderly clients. The scam artists told her to pack the gold bars in boxes and deliver them to a government courier who would meet her outside her condominium security gates and then deposit them in her escrow account in Washington D.C., according to the complaint.
This is what happened to Kessler, according to her Statement of Claim. “During repeated phone calls during a two-week period, the scammers convinced Ms. Kessler that, in order to protect her savings, she had to rush to convert her money into cash and gold bars to be delivered to couriers and cryptocurrency which would be deposited in a US Treasury account under her new Social Security number,” according to the statement of claim. “Despite glaring red flags and obvious warning signs of financial exploitation, Ms. Kessler’s financial advisor authorized and facilitated Ms. Kessler’s sudden withdrawal of $2.09 million in funds from a line of credit and the liquidation of assets from a life insurance trust during a nine-day period in July and August 2023,” the claim alleges.
Morgan Stanley fell short in following the industry’s “trusted contact person” standard, which identifies a person for the firm to call in certain circumstances, according to the client’s claim, as well as the financial exploitation of senior citizens rule. The latter allows broker-dealers to put a temporary hold on client transactions or disbursements of funds. Morgan Stanley wanted the claim dismissed, according to the arbitration award, and insisted that the fraud did not occur at Morgan Stanley. According to Morgan Stanley, “the firm should not be held responsible for her losses as Ms. Kessler made misstatements to her financial advisor about the purpose of the transfers, and authorized them to be sent to a third-party bank account held in her name.”
According to an article last year in the Washington Post, a gold bar scam occurs when fraudsters pose as federal agents and target victims online or by phone. The scam artist tells the individual that his or her account is no longer safe and then persuades the investor to buy gold bars and hand them over. Ms. Kessler won $843,000 in damages.
The financial advisor authorized the withdrawals despite the fact that Kessler specifically asked him to keep the withdrawals “secret” and not to disclose them to her son, who had been directly involved in every major decision in his mother’s investment accounts during the prior six years, according to the complaint. While the FINRA arbitrators gave no explanation for the award, the reasoning was supposedly simple: they gave Morgan Stanley a pass for the first transaction out of Kessler’s account, but penalized it for the second.
Additional recent cases include claims against Ameriprise Financial and UBS Financial for the failure to protect customers from cyber-fraud. Chong Zhang of Rancho Cucamonga, a stockbroker registered with Ameriprise, is the subject of a customer-initiated, investment-related FINRA securities arbitration against Ameriprise seeking $2 million in damages based upon the stockbroker’s failure to protect investors from a “scam that liquidated their accounts.” In another case, Diane Veenendaal of Brookfield, Wisconsin, a UBS Financial stockbroker, is also the subject of a customer-initiated, investment-related FINRA securities arbitration seeking $5 million in damages based upon allegations that the broker failed to act in the customer’s best interest “by allowing fraudulent credit card charges and checks to be made from the account.”
The Response by Regulators
According to FINRA, cybersecurity threats continue to be one of the most significant risks for investors and securities broker-dealers. FINRA has warned its members and the investing public that the frequency, sophistication and variety of attacks continue to increase, and include customer account intrusions, ransomware attacks and cyber-enabled fraud. Often an investor finds their online account frozen, and when it is unfrozen discovers the unauthorized transfer of funds to third parties. The investor’s e-mail addresses and contact information may have been changed to conceal this activity.
Under the “Customer Protection Rule,” SEC Rule 15c3-3, securities broker-dealers have a regulatory responsibility to safeguard and protect customer funds and securities from third parties. The firms also have a responsibility to protect customer funds and securities from fraud. See Regulatory Notice 12-05, Customer Account Protection (January 2012).
In fact, FINRA has cautioned its members that “online firms should also consider conducting computerized surveillance of account activity to detect suspicious transactions and activity [sic][g]iven the global nature of online brokerage activity.” Special NASD Notice to Members 02-21 (April 2002).
These responsibilities also arise from the “Know Your Customer” obligations, and “red flags” include, but are not limited to, circumstances where transactions appear out of the ordinary or the customer’s account has inflows of funds or other assets well beyond the known income or resources of the customer.
FINRA Rules require that securities broker-dealers have and enforce policies and procedures governing the withdrawal or transmittal of funds or assets from customer accounts, including instructions from an investment adviser or other third party purporting to act on behalf of the customer. See also Regulatory Notice 09-64 (Nov. 2009) (“FINRA firms must have and enforce policies and procedures governing the withdrawal or transmittal of funds or assets from customer accounts, including instructions from an investment adviser or other third party purporting to act on behalf of the customer”); FINRA Regulatory Notice 12-05 (Jan. 2012) (“firms must have adequate policies and procedures to review and monitor all disbursements it makes from customers’ accounts, including but not limited to third-party accounts, outside entities or an address other than the customer’s primary address”).
On May 16, 2019, FINRA issued Regulatory Notice 19-18, reminding members of their obligations to monitor and report suspicious activity and providing a series of red flags that would alert firms to issues involving: (i) customer due diligence and interactions with customers; (ii) deposits in securities; (iii) red flags in securities trading; (iv) red flags in money movement; (v) red flags in insurance products; and (vi) various other potential red flags associated with the account or account activity. Regulatory Notice 19-18 (May 16, 2019) (emphasis added).
Regulatory Notice 19-18 also provides members a “non-exhaustive” list of “Potential Red Flags” that broker-dealers are required to investigate in connection with “Money Movements,” including instances where:
• There is wire transfer activity that is unexplained, repetitive, unusually large, shows unusual patterns or has no apparent business purpose.
• Wire transfer activity, when viewed over a period of time, reveals suspicious or unusual patterns.
• The customer makes high-value transactions not commensurate with the customer’s known income or financial resources.
• The customer “structures” deposits or withdrawals below a certain amount to avoid reporting or recordkeeping requirements.
• There is an unusual use of trust funds in business transactions or other financial activity.
Regulatory Notice 19-18, at 7 (May 16, 2019). Regulatory Notice 19-18 also reminds members that “the failure to detect and investigate, and file suspicious activity reports with FinCEN constitutes a violation of FINRA Rules 3310 and 2010.”
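The “computerized surveillance of account activity” that FINRA describes, applied to the money-movement red flags listed above and to the missing trusted contact person discussed earlier, can be reduced to a small rule engine run over a customer’s disbursements. The following is an added illustration written for this article; it is not FINRA’s, any broker-dealer’s, or the law firm’s own code. The customer profile, the disbursements, the field names and every threshold (the 30-day look-back, the seven-day structuring window, the $10,000 cut-off used for the structuring heuristic, the ratio of outflows to known resources, and the age at which a hold is recommended) are constructed assumptions for the example; a real surveillance program would tune them to the firm’s risk profile.

```python
"""Rule-based disbursement surveillance over constructed sample data.

Added illustration only. All thresholds below are assumptions chosen for the
example, not values taken from any FINRA notice or firm procedure.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Customer:
    customer_id: str
    age: int
    known_resources: float              # income/net worth stated on file
    trusted_contact_on_file: bool       # the "trusted contact person" designation
    known_beneficiaries: set = field(default_factory=set)


@dataclass
class Disbursement:
    when: date
    amount: float
    beneficiary: str
    third_party: bool                   # destination account not in customer's name


# Assumed tuning parameters (hypothetical values for the example).
REPORTING_THRESHOLD = 10_000.0          # cut-off used by the structuring heuristic
RESOURCE_RATIO = 0.25                   # outflows above this share of known resources
WINDOW_DAYS = 30                        # look-back for "not commensurate" and repetition
STRUCTURING_DAYS = 7                    # look-back for structuring
STRUCTURING_MIN_COUNT = 3               # sub-threshold items needed to flag structuring
SENIOR_AGE = 65                         # age at which a temporary hold is considered


def review_disbursements(cust, txns):
    """Return the sorted set of red-flag codes raised by a customer's outflows."""
    flags = set()
    txns = sorted(txns, key=lambda t: t.when)
    if not cust.trusted_contact_on_file:
        flags.add("NO_TRUSTED_CONTACT")
    for i, t in enumerate(txns):
        seen = txns[: i + 1]  # items up to and including the one under review
        # Red flag: high-value activity not commensurate with known resources,
        # judged on the trailing window so a burst of mid-sized wires is caught.
        window = [u for u in seen if (t.when - u.when).days < WINDOW_DAYS]
        if sum(u.amount for u in window) > RESOURCE_RATIO * cust.known_resources:
            flags.add("NOT_COMMENSURATE_WITH_RESOURCES")
        # Red flag: disbursement to a third-party or previously unseen beneficiary.
        if t.third_party:
            flags.add("THIRD_PARTY_BENEFICIARY")
        if t.beneficiary not in cust.known_beneficiaries:
            flags.add("NEW_BENEFICIARY")
        # Red flag: several sub-threshold withdrawals in a short period that
        # together exceed the threshold ("structuring").
        small = [u for u in seen
                 if (t.when - u.when).days < STRUCTURING_DAYS
                 and u.amount < REPORTING_THRESHOLD]
        if (len(small) >= STRUCTURING_MIN_COUNT
                and sum(u.amount for u in small) >= REPORTING_THRESHOLD):
            flags.add("POSSIBLE_STRUCTURING")
        # Red flag: repetitive wires to the same destination within the window.
        same = [u for u in window if u.beneficiary == t.beneficiary]
        if len(same) >= 3:
            flags.add("REPETITIVE_WIRES")
    return sorted(flags)


def recommend_hold(cust, flags):
    """Recommend a temporary hold when a senior's outflows show exploitation flags."""
    exploitation = {"NOT_COMMENSURATE_WITH_RESOURCES",
                    "THIRD_PARTY_BENEFICIARY", "POSSIBLE_STRUCTURING"}
    return cust.age >= SENIOR_AGE and bool(exploitation & set(flags))


def sample_review():
    """Run the rules over a constructed senior-customer scenario."""
    cust = Customer("C-0001", 76, known_resources=400_000.0,
                    trusted_contact_on_file=False,
                    known_beneficiaries={"own-bank-checking"})
    d0 = date(2024, 7, 1)
    txns = [  # constructed sample outflows
        Disbursement(d0, 9_500.0, "crypto-exch-A", third_party=True),
        Disbursement(d0 + timedelta(days=2), 9_800.0, "crypto-exch-A", third_party=True),
        Disbursement(d0 + timedelta(days=4), 9_900.0, "crypto-exch-A", third_party=True),
        Disbursement(d0 + timedelta(days=11), 150_000.0, "escrow-xyz", third_party=True),
    ]
    flags = review_disbursements(cust, txns)
    return flags, recommend_hold(cust, flags)


def baseline_review():
    """An ordinary transfer to the customer's own known account raises nothing."""
    cust = Customer("C-0002", 58, known_resources=400_000.0,
                    trusted_contact_on_file=True,
                    known_beneficiaries={"own-bank-checking"})
    txns = [Disbursement(date(2024, 7, 1), 5_000.0, "own-bank-checking", third_party=False)]
    flags = review_disbursements(cust, txns)
    return flags, recommend_hold(cust, flags)


if __name__ == "__main__":
    print(sample_review())
    print(baseline_review())
```

The point of the trailing-window check is that neither the three sub-threshold wires nor any single one of them would trip a per-transaction limit; viewed over a period of time, as the notice puts it, they reveal both the structuring pattern and a total out of proportion to the customer’s resources, which is exactly the review the firms in the cases above did not perform.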
In August 2022, FINRA established the Cyber and Analytics Unit (CAU) to enhance its ability to proactively address the evolving, sophisticated cyber threat landscape and the growth of the crypto-asset market. CAU has a team that examines member firms’ cybersecurity risk management through reviews of their controls, a team responsible for conducting investigations of cyber-related fraud, and a team that investigates and examines crypto-asset activity. In December 2022, FINRA issued Regulatory Notice 22-29 (FINRA Alerts Firms to Increased Ransomware Risks) to provide firms with questions they can use to evaluate their cybersecurity programs, information about possible additional ransomware controls, and relevant resources.
Regulatory Obligations
Rule 30 of SEC Regulation S-P requires member firms to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.
Regulation S-ID (Identity Theft Red Flags) requires member firms to develop and implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of “covered accounts.” FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to member firms’ operations.
In addition to member firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers and expects firms to develop and maintain reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.
Cybersecurity incidents, such as account takeovers, ransomware or network intrusions, and any related exposure of customer information or fraudulent financial activity can expose member firms to financial losses, reputational risks and operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370, 3110 (Supervision) and 3120 (Supervisory Control System), as well as Exchange Act Rules 17a-3 and 17a-4. Report on FINRA’s Examination and Risk Monitoring Program (January 2023).
These claims are time sensitive. Victims of cyber-theft or online scams involving their brokerage accounts should contact a lawyer to determine their rights and obligations.
For more information, please see N. Guiliano, et al., Broker-Dealer Liability For 3rd Party Scams, Public Investors Advocate Bar Association, 32nd Annual Meeting (October 26, 2023).
Guiliano Law Group, P.C.
For more than thirty years, our practice has been limited to the representation of investors. We handle all cases on a contingency fee basis, meaning that there is no cost or obligation unless we are able to make a recovery for you. There is never any charge for a consultation or a confidential evaluation of your claim. For more information, contact us at (877) SEC-ATTY.