On December 14, FINRA issued Regulatory Notice 22-29, alerting member firms about the increasing number and sophistication of ransomware incidents. FINRA explained that the proliferation in ransomware attacks can be attributed in part to the increased use of technology and continued adoption of cryptocurrencies that bad actors use to conceal their identities when collecting ransom payments. Moreover, bad actors who purchase attack services on the dark web “have helped execute attacks on a much larger scale and make attacks available to less technologically savvy bad actors,” FINRA said. Under Rule 30 of the SEC’s Regulation S-P, firms are required to maintain written policies and procedures designed to reasonably safeguard customer records and information, FINRA stated, adding that FINRA Rule 4370 (related to business continuity plans and emergency contact information) also applies to ransomware attacks that include service denials and other interruptions to firms’ operations. The notice provides questions for firms to consider when evaluating their cybersecurity programs and outlines common attack types and considerations for firms’ ransomware threat defenses, as well as additional ransomware controls and relevant resources.
Recently, FINRA announced that it is conducting a targeted exam of firm practices regarding retail communications on crypto asset products and services for the time period of July 1, 2022 through September 30, 2022. In the targeted exam letters, FINRA requested, among other things, that firms or their affiliates provide: (i) all retail communications on the firm’s behalf that refer to, relate to, or concern a crypto asset or service involving the transaction or holding of a crypto asset; (ii) written supervisory procedures concerning the review, approval, record keeping, and dissemination of communications; and (iii) any compliance policies, manuals, training materials, compliance bulletins, and any other written guidance.
On October 6, FINRA issued Regulatory Notice 22-21, alerting member firms to the rising trend of fraudulent account transfers of customer accounts using the Automated Customer Account Transfer Service (ACATS)—an automated system that facilitates the transfer of customer account assets from one member firm to another. FINRA explained that “ACATS fraud is related to the growing threat of new accounts being opened online or through mobile applications using stolen or synthetic identities,” and may occur when the identity of a legitimate customer of a carrying member is stolen by a bad actor to open a brokerage account online or through a mobile app at a receiving member. Bad actors, FINRA warned, may open a new account using stolen information only or through a combination of stolen and false information, and will try to move the ill-gotten assets to an external account at a different financial institution. FINRA reminded members of regulatory obligations that may apply to ACATS fraud, including know-your-customer rules, Bank Secrecy Act/AML requirements, and the Identity Theft Red Flags Rule.
On September 29, FINRA issued Regulatory Notice 22-20, announcing revisions to its Sanctions Guidelines to ensure they align with the levels of sanctions imposed in FINRA disciplinary proceedings and reflect the differences between types of respondents. Among other things, the revised guidelines: (i) differentiate current guidelines for individuals and firms; (ii) establish separate fine ranges for firms based on size; (iii) remove the upper limit of the fine range for mid- and large-size firms “to reflect the settlement amounts that FINRA frequently seeks for these types of violations and the fact that these guidelines address the most serious violations that FINRA pursues”; (iv) create six new AML guidelines (the revisions specify that the guidelines “have no upper limit on the fine range for mid-size and large-size firms for AML violations that involve the failure to reasonably monitor to report suspicious transactions”); (v) include a discussion of non-monetary sanctions for firms; (vi) create “single fine ranges for all actions in the Quality of Markets guidelines and other select guidelines”; (vii) establish a $5,000 minimum fine for all firms regardless of size; and (viii) delete certain infrequently used guidelines.
On September 9, FINRA settled charges with a broker dealer (respondent) for alleged failures in its anti-money laundering (AML) compliance program. According to the letter of acceptance, waiver, and consent, the respondent allegedly failed to, among other things: (i) establish a reasonably designed AML program; (ii) implement a customer identification program; (iii) reasonably supervise for potentially manipulative trading; and (iv) preserve and maintain certain electronic communications. Additionally, FINRA found that the respondent unreasonably relied on manual reviews of the daily trade blotter to identify market manipulation. FINRA’s order includes alleged violations of FINRA Rule 2010, Rule 3110, Rule 3310(a)-(b) and Rule 4511. FINRA also determined that the respondent violated Securities Exchange Act of 1934 Section 17(a) and Rule 17a-4(b)(4). The respondent agreed to pay a $450,000 civil monetary penalty to FINRA and is prohibited from providing market access for two years.
Recently, FINRA issued Regulatory Notice 22-18 reminding member firms of their obligation to supervise for digital signature forgery and falsification. FINRA reported it has received a rising number of reports claiming registered representatives and associated persons have been forging or falsifying customer signatures, as well as those of colleagues or supervisors in some instances. Issues have been flagged in “account opening documents and updates, account activity letters, discretionary trading authorizations, wire instructions and internal firm documents related to the review of customer transactions.” FINRA advised member firms to review outlined methods and scenarios for identifying digital signature forgery or falsification in order to mitigate risk and meet regulatory obligations.
On July 20, FINRA announced that it has amended its rules to permit, and in some cases to require, electronic service and filing of documents in disciplinary and other proceedings and appeals. FINRA also announced that it amended its rules to require parties in proceedings before the Office of Hearing Officers to file and serve the parties with their current email address and contact information at the time of their first appearance, and to file and serve any change in email address or contact information during the course of the proceeding. The amendments are effective August 22.
On June 29, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), which ordered a New York-based member firm to pay $2.8 million to settle allegations that it sent customers inaccurate trade confirmations. According to FINRA, from November 2008 through the present, the firm allegedly sent customers roughly “270 million confirmations that inaccurately disclosed the firm’s execution capacity, the customer’s price, the market center of execution, or whether the trade was executed at an average price.” FINRA attributed the inaccuracies to 11 underlying issues, including technology issues, a drafting error, and a misunderstanding of regulatory guidance that allegedly went undetected for at least five years. Additionally, FINRA claimed that from at least November 2008 through March 2020, the firm failed to establish and maintain a supervisory system, including written procedures, to achieve compliance with the confirmation requirements, and claimed this alleged failure “persisted even though, by mid-2017, [the firm] was aware due to FINRA examinations of multiple systemic issues resulting in tens of millions of inaccurate confirmations.” Rather than implementing a “reasonable” supervisory system, FINRA contended that the firm took a year to set up a system and procedures that monitored only whether confirmations were delivered, not whether they were accurate. The firm neither admitted nor denied the findings set forth in the AWC agreement but accepted and consented to the entry of FINRA’s findings and censure and agreed to certify within 120 days that it corrected the identified issues.
On June 2, the Financial Industry Regulatory Authority (FINRA) announced it had entered into a Letter of Acceptance, Waiver, and Consent (AWC), which ordered a New York-based member brokerage firm to pay more than $15.2 million in restitution and interest to customers who were steered by a software flaw in its automated system into purchasing higher-priced mutual fund shares when other shares were available at substantially lower costs. According to FINRA, the firm’s system, which is designed to restrict a customer’s purchase of Class C shares when lower cost Class A shares are available, allegedly “failed to correctly identify and implement applicable purchase limits on Class C shares,” thus causing thousands of customers to purchase Class C shares and incur fees and charges. The firm neither admitted nor denied the findings set forth in the AWC agreement but accepted and consented to the entry of FINRA’s findings and agreed to convert shares where applicable. FINRA stated that it “did not impose a fine due to the firm’s extraordinary cooperation and substantial assistance with the investigation.”
On March 22, a decision was entered in a disciplinary proceeding between FINRA’s Department of Enforcement and a securities firm over whether the firm engaged in unauthorized trading and misused customer funds in response to mounting financial challenges in 2018. FINRA’s extended hearing panel alleged that the firm, in light of declining profits, informed customers that it would stop carrying retail accounts and levied “unreasonable and unnecessary” fees in a discriminatory manner on retail customers who did not close their accounts—including a $5,000 monthly account fee—without providing proper notice. According to the panel, the monthly fee was applied in a discriminatory manner, wherein the fee was waived for profitable accounts and certain customers. Other customers were required to pay a portion or all of the monthly fee in order to regain possession of other holdings. Moreover, the panel claimed that in most instances, “customers were not even aware of the $5,000 monthly account fee, let alone that the firm was taking their cash and securities to cover it.”
The firm argued that the monthly fee should be considered reasonable because it resulted from an “arm’s-length agreement” between the firm and its customers, but the panel rejected the firm’s defense, pointing out that customers did not agree to the fee “as part of a contract freely negotiated at arm’s length between sophisticated parties with equal bargaining power.” The panel further asserted that, among other things, the firm also allegedly charged customers unfair prices in securities transactions, moved securities from customer accounts to firm accounts without authorization, and executed an unauthorized capital withdrawal disguised as a payment.
In issuing its decision, the panel found no mitigating factors but identified several aggravating factors, including that the firm “continued a disturbing pattern of misconduct” after a temporary cease and desist order was issued. The firm is ordered to pay more than $2.3 million in restitution and must permanently cease and desist from converting or misusing customer funds or securities, effecting unauthorized transactions in customer accounts, charging unreasonable or discriminatory fees, or causing harm to investors, among others. The panel cautioned that it was “highly likely” that the firm’s misconduct would recur if it remained a FINRA member firm and stressed that expulsion was “the only alternative for protecting the investing public.” The firm denied all allegations.