Extracted from Law360
For investment firms and professionals, economic uncertainty and market volatility present a number of challenges, not the least of which are bad actors who seek to take advantage of disruptive forces at play. Add a further factor, the practical, and in many cases legal, inability to maintain normal business operations during the COVID-19 pandemic, and the supervisory challenges of financial firms have never been higher.
The Financial Industry Regulatory Authority, or FINRA, recently highlighted several common scams that its broker-dealer members and their customers may be exposed to during the COVID-19 pandemic. The FINRA notice urges brokerage firms to be vigilant of the heightened risks of fraudulent activity and provides practical guidance on ways some firms have policed against these scams.
Consistent with FINRA's investor-protection mandate, the majority of the notice is dedicated to highlighting scams involving fraudulent account and money transfers. The notice additionally describes scams involving employee-impostors, information technology help desks and business email compromises. There are a number of common factors among the processes and protections highlighted by FINRA that brokerage firms should heed.
Adapting to Risks Posed by Online-Only Processes
The remote work arrangements made necessary by the COVID-19 pandemic have disrupted a number of the normal processes associated with account opening and money transfers, including identity verification and account information validation.
For example, the remote work environment increases vulnerability to scammers who would seek to use stolen or synthetic identity information, as well as stolen account information.
Given that many firms are having to rely on entirely digital processes to verify identity and account documents, there are a variety of relatively basic, nondocumentary processes that brokers can leverage to guard against fraud, including direct customer contact, cross-checking information against consumer reporting agencies and checking references directly with other financial firms listed in application materials.
To guard against impostor and information technology help desk scams, firms can arrange video calls to confirm suspicious instructions, script question-and-answer validations based on information that only a customer or registered representative would know and instruct employees to verify unprompted messages from purported IT help desk employees by calling back the IT help desk to confirm the authenticity of the outreach.
If firms rely on calls to verify identity and instructions, previously validated contact information should be used as an added precaution against scams that may try to provide fraudulent contact information.
Leveraging Technological Processes
While remote work and digital-only processes can create added risks, the data and automated functionalities associated with those processes can provide enhanced means of detecting fraudulent activity.
Given the need for brokerage firms to rely on online-only account applications and instructions, firms can apply technology-based tools against the data generated by those processes, such as restrictions on automated approvals of multiple account applications or suspicious withdrawal amounts by a single customer, automated and manual checks for repetition or commonalities among multiple applications and flagging technological indicators of automated attacks, such as extremely rapid completion of account applications.
To guard against fraudulent fund transfers, firms can vet the IP addresses of transfer requests made online against locations consistent with the customer's known profile, impose holding periods for recently deposited customer funds and block rapid transfer of such funds to third-party accounts, using risk-based dollar thresholds to trigger these blocks.
An additional data point that firms can use to identify potential fraud is resumption of activity in inactive or unfunded accounts.
Finally, to the extent that firms have not yet deployed use of external banners on their email servers, this simple flag can provide an early and easy cue to unusual activity originating from outside sources.
Maintaining Human Vigilance and Training
Just as in the ordinary course of business, brokerage firms should maintain open lines of communications with employees and roll out or repeat necessary trainings for the increased risks posed by the remote-only work environment.
While FINRA's notice highlights a number of programmatic or automated tools that firms can leverage, human vigilance is extremely important in the context of fraudulent attempts to gain access to firm systems through impostor and IT help desk scams, as well as business email compromises.
Protection against these scenarios begins with enhanced training to customer- and public-facing staff, and any support staff that may assist remote workers with resetting access privileges, on the warning signs of social engineering schemes.
More generally, all employees should be cautioned about unprompted outreach from purported internal resources like IT personnel, or unusual requests from apparent insider or counterparty email addresses that are oddly timed, use unusual language or format, request out-of-the-ordinary purchases or fund transfers, or request urgency, privacy or secrecy.
Collaboration With Third Parties and Regulators
Given that fraudulent schemes often necessitate transfer to third-party accounts, brokerage firms should revisit how they communicate with important third parties, such as clearing agencies, regarding transfer of funds, and how information like automated clearinghouse payment instructions should best be relayed, who is authorized to transmit such information and ensuring clearing firms are informed of these restrictions.
In addition, while brokerage firms must remain aware of when they are required to file regulatory reports in response to fraudulent activity (namely, suspicious activity reports), brokerage firms should also consider whether their processes fully account for voluntary communications that may aid in the firm's response to fraudulent attacks (such as Internet Crime Complaint Center reports regarding fraudulent wire transfers made outside the U.S.).
Finally, brokers must be especially vigilant for fraudulent activity that evidences serious crimes such as terrorist financing or ongoing money-laundering schemes, and should immediately raise those activities to law enforcement in addition to filing a required suspicious activity report.
The challenge of navigating any crisis consists of not only successfully defending and mitigating active threats but using that experience and information to strengthen resiliency and responses to future incidents.
Broker-dealers are required at all times to maintain effective ongoing systems of supervision that incorporate plans for business continuity and cybersecurity, among other things, and FINRA's notifications regarding supervisory and systematic vulnerabilities have historically provided the roadmap of future investigatory and enforcement actions by the regulator.
Financial firms should carefully analyze their exposure to the specific scams and schemes identified by FINRA, take stock of how their relevant systems have fared during the pandemic and ensure that any lapses are addressed and documented in a manner consistent with those best practices identified by FINRA.