FINRA: Protecting Customer Accounts

January 26, 2012
Ways Firms Can Safeguard Against the Risk of Fraudulent LOAs. FINRA reports a sharp rise in stolen customer funds, based on incident reports submitted by member firms, which frequently note that the incidents occurred when customers used personal email accounts to submit instructions. This has led FINRA to surmise that those customer email accounts had been compromised. In its latest Regulatory Notice, FINRA, in part, recommends that firms reassess their policies and procedures to ensure they are adequately designed to protect customer assets from such risks.

FYI: The FBI, FS-ISAC (Financial Services Information Sharing and Analysis Center), and IC3 (Internet Crime Complaint Center) jointly issued a recent Fraud Alert describing a similar trend.

Detailed Discussion. Firms received customer emails containing LOA instructions directing the firm to wire customer funds to 3rd-party accounts. The emails must have appeared legitimate and contained all required information, including the required signature verification pages. The firms then processed the wire transfers from the customer accounts to the 3rd-party accounts, as per the LOA instructions. Affected customers would, at some point, learn of the transactions: (i) upon reviewing activity in their brokerage accounts, online or after receiving month-end account statements; or (ii) upon receiving confirmation of the wire transfer. They then notified their brokers to complain or inquire about the unauthorized transaction(s) in their accounts. After investigating, the brokers' firms would, in turn, report the incident(s) to FINRA.

Compromising Personal Email Accounts. Perpetrators would break into individuals' personal email accounts, where they could obtain the customers’ brokerage information, contact information, and other information. They presumably then used emails the customers had previously received from their firms, replying to them from the customers’ personal email accounts with the fraudulent instructions. The 3rd-party accounts designated to receive the transferred funds are often domiciled overseas. In some instances, FINRA found that firms released funds after unsuccessfully attempting to verify the emailed instructions by phone. In at least one case, the fraudulent email stressed the urgency of the requested transfer, pressuring the firm to release the funds before verifying the authenticity of the emailed instructions.

What Firms Must Do - Policies and Procedures.
NASD Rule 3012 (Supervisory Control System) and Incorporated NYSE Rule 401 (Business Conduct) require all firms to establish, maintain and enforce WSPs that, among other things, include procedures reasonably designed to review and monitor the transmittal of funds - e.g., wires or checks - or securities:
  • from customer accounts to 3rd-party accounts - i.e., a transmittal that would result in a change of beneficial ownership;
  • from customer accounts to outside entities - e.g., banks, investment companies;
  • from customer accounts to locations other than a customer’s primary residence - e.g., P.O. Box, “in care of” accounts, alternate address; and
  • between customers and RRs - including the hand-delivery of checks.
Policies and procedures a firm establishes under these rules must include “a means or method of customer confirmation, notification or follow up that can be documented.” NASD Rule 3012 further provides that a firm must identify in its WSPs any of these activities in which it does not engage, and document that additional supervisory policies and procedures for such activities must be in place before the firm can engage in them.

FINRA addressed the scope of these obligations in Regulatory Notice 09-64, which highlighted a number of questions firms should consider in assessing the adequacy of their policies and procedures for verifying the validity of requests to withdraw or transfer customer funds. Among other things, FINRA noted that firms should ensure that their procedures adequately address the specific risks associated with each method the firm allows for transmitting instructions.

One of the risks associated with accepting instructions to withdraw or transfer funds by email and other electronic means is that customers’ email accounts are susceptible to being breached by hackers or other intruders who may use the email accounts to commit fraud. Therefore, FINRA recommends that firms reassess their policies and procedures for accepting instructions to withdraw or transfer funds via electronic means to ensure that they are adequately designed to protect customer accounts from the risk that customers’ email accounts may be compromised and used to send fraudulent transmittal or withdrawal instructions. Among other things, FINRA recommends that such policies and procedures should:
  • include a method for verifying that the email was in fact sent by the customer; and
  • be designed to identify and respond to “red flags,” including transfer requests that are out of the ordinary, requests that funds be transferred to an unfamiliar third party account, or requests that indicate urgency or otherwise appear designed to deter verification of the transfer instructions.
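As an added illustration, not code from Financialish, FINRA or Notice 12-05: a small Python screen that applies the red flags listed above (unfamiliar third-party account, out-of-the-ordinary amount, urgency language, plus the overseas-payee pattern from the discussion) and gates release of an email-originated instruction on a documented callback that actually reached the customer at the phone number already on file. Every account, amount, phone number, threshold and urgency phrase below is constructed for the example; the 3x-typical-amount multiple and the phrase list are assumptions, not FINRA guidance.

```python
import re
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class CustomerProfile:
    account_id: str
    phone_on_file: str        # from the firm's own records, never from the incoming email
    known_payees: frozenset   # third-party accounts this customer has paid before
    prior_amounts: tuple      # amounts of previously verified transfers


@dataclass(frozen=True)
class TransferRequest:
    account_id: str
    channel: str              # "email", "portal", "in_person", ...
    amount: float
    payee_account: str
    payee_country: str
    body: str                 # free text of the instruction


@dataclass(frozen=True)
class CallbackRecord:
    """What the reviewer documents after attempting out-of-band confirmation."""
    number_dialed: str
    reached_customer: bool    # False for voicemail, no answer, or anyone other than the customer
    reviewer: str


# Phrases that pressure the firm to release funds before verifying (assumed list).
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|today|before (?:the )?close|can(?:'|no)?t (?:talk|call|be reached))\b",
    re.IGNORECASE,
)


def red_flags(req: TransferRequest, prof: CustomerProfile,
              home_country: str = "US", multiple: float = 3.0) -> list:
    """Red flags named in the notice (unfamiliar payee, out-of-the-ordinary amount,
    urgency) plus an overseas-payee flag from its discussion. Thresholds are assumed."""
    flags = []
    if req.payee_account not in prof.known_payees:
        flags.append("unfamiliar third-party account")
    if req.payee_country.upper() != home_country.upper():
        flags.append("payee domiciled overseas")
    if not prof.prior_amounts:
        flags.append("no transfer history for this account")
    elif req.amount > multiple * mean(prof.prior_amounts):
        flags.append("amount out of the ordinary")
    if URGENCY.search(req.body):
        flags.append("urgency language")
    return flags


def release_decision(req: TransferRequest, prof: CustomerProfile,
                     callback: Optional[CallbackRecord]) -> dict:
    """Gate the wire. Email-originated instructions, and any instruction carrying a red
    flag, are released only after a documented callback that reached the customer at the
    number already on file. Urgency in the email never shortens that path."""
    flags = red_flags(req, prof)
    result = {"flags": flags, "release": False, "reason": ""}
    if req.account_id != prof.account_id:
        result["reason"] = "hold: request does not match the account profile"
        return result
    needs_callback = req.channel == "email" or bool(flags)
    if not needs_callback:
        result.update(release=True, reason="no red flags; channel's normal procedure applies")
    elif callback is None:
        result["reason"] = "hold: no callback attempted"
    elif callback.number_dialed != prof.phone_on_file:
        result["reason"] = "hold: callback went to a number that is not on file"
    elif not callback.reached_customer:
        result["reason"] = "hold: callback did not reach the customer"
    else:
        result.update(release=True,
                      reason=f"verified by callback ({callback.reviewer}); flags documented for review")
    return result


# --- constructed sample data (not from the notice) ---
PROFILE = CustomerProfile("ACCT-0001", "+1-555-0100", frozenset({"BANK-US-1234"}), (2500.0, 3000.0, 2000.0))
EMAIL_REQUEST = TransferRequest("ACCT-0001", "email", 45000.0, "BANK-XX-9999", "XX",
                                "This is urgent, please wire today; I can't be reached by phone.")
PORTAL_REQUEST = TransferRequest("ACCT-0001", "portal", 2400.0, "BANK-US-1234", "US",
                                 "Monthly transfer to my bank.")


def demo() -> dict:
    """Run the scenarios the notice describes and return each decision."""
    return {
        "email_no_callback": release_decision(EMAIL_REQUEST, PROFILE, None),
        "email_number_from_email": release_decision(EMAIL_REQUEST, PROFILE, CallbackRecord("+1-555-0199", True, "ops1")),
        "email_voicemail": release_decision(EMAIL_REQUEST, PROFILE, CallbackRecord("+1-555-0100", False, "ops1")),
        "email_verified": release_decision(EMAIL_REQUEST, PROFILE, CallbackRecord("+1-555-0100", True, "ops1")),
        "portal_routine": release_decision(PORTAL_REQUEST, PROFILE, None),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:24s} release={d['release']!s:5s} {d['reason']}  flags={d['flags']}")
```

The three hold outcomes map onto the failures the notice describes: no callback at all, a callback placed to a number supplied in the email rather than the one on file, and a callback that was attempted but never reached the customer (the case where firms released funds anyway). The decision record carries the flags so the "means or method of customer confirmation ... that can be documented" requirement is met alongside the gate itself.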
As FINRA noted in Regulatory Notice 09-64, firms must train their employees to follow all applicable policies and procedures rigorously. Firms’ policies and procedures should also include random sampling and testing of transfers and withdrawals to monitor for compliance. As noted in Regulatory Notice 09-64, the requirement that firms have supervisory procedures for reviewing and monitoring transfers of customer assets applies to both clearing and introducing firms. Firms should also consider advising customers to notify the firm if a customer discovers that his or her email account has been compromised. Firms receiving such notification should have a method for ensuring that the information is communicated and used effectively within the firm to protect both the customer accounts and the firm.

Conclusion. Given the rise in incidents reported to FINRA involving fraud perpetrated through compromised customer email accounts, FINRA recommends that firms reassess their specific policies and procedures for accepting and verifying instructions to withdraw or transfer customer funds that are transmitted via email or other electronic means, as well as firms’ overall policies and procedures in this area.

FINRA Staff Contacts. Direct questions to: Patricia Albrecht, Office of General Counsel - (202) 728-8026; Terry Miller, Member Regulation Dept - (202) 728-8159. For further details, go to: [FINRA RegNote 12-05, January 2012].