As we previously discussed, FINRA issued guidance to member firms and their associated persons in April 2020 to remain “vigilant in their surveillance against cyber threats and take steps to reduce the risk of cyber events.” On May 5, 2020, FINRA issued Regulatory Notice 20-13 (“Reg. Notice 20-13”), reminding firms and their associated persons that the COVID-19 pandemic affects nearly every aspect of the economy, the financial markets and our personal lives. As a result, the pandemic creates numerous opportunities for fraud or scams to which firms and their registered representatives may unknowingly become exposed, and they need “to be aware of and take appropriate measures to address the increased risks and challenges created by the COVID-19 pandemic”. Reg. Notice 20-13 focuses on four common scams targeting firms and their associated persons:
Scammers or fraudsters may focus on firms offering online account opening and may specifically focus on firms that recently began to offer online account opening services. Fraudsters will attempt to take advantage of the pandemic and use stolen or fraudulent identities to establish accounts to divert congressional stimulus funds, PPP loans or even unemployment payments. Fraudsters may often use synthetic identification – legitimate Social Security numbers (SSNs) with false names, addresses and dates of birth – to open an account. By using a synthetic identity, the fraud may go undetected for a longer period of time. The scam may involve opening the account with a stolen or synthetic identity, funding the account from a stolen or fraudulent bank account, and then withdrawing the funds from the newly established account as soon as it is funded. The withdrawal of funds may take several forms, including: making ATM withdrawals or purchases on debit cards for the brokerage account; linking the brokerage account to a third-party bank account or an account at another financial institution that provides pre-paid debit card products and services; or simply transferring the funds out of the account.
In addition to strict compliance with FINRA Rules 2090 (Know Your Customer) and 4512 (Customer Account Information), as well as with the Bank Secrecy Act and the regulations addressed in FINRA Rule 3310 (Anti-Money Laundering Compliance Program), FINRA also suggests the following to address risks relating to fraudulent account openings and money transfers:
The use of remote offices and telework arrangements increases opportunities for individuals to impersonate firms and associated persons in communicating with customers. This could be through the creation of a website or some other fraudulent online presence, in an attempt to obtain a customer’s personal or account information. FINRA suggests a variety of methods to address risks related to imposter scams, including:
Remote offices and telework arrangements increase the opportunity for fraud involving firms’ IT Help Desks. These may include fake, unsolicited calls to or from the IT Help Desk requesting passwords and/or log-in information for purposes of a “reset”, or to discuss home preparedness (how to log-in, etc.). The scammer then uses this ill-gotten information to access the firm’s network in a variety of ways, including the theft of funds from client accounts.
Associated persons should take extra precautions when receiving unsolicited calls or emails that appear to come from their firm’s IT Help Desk, especially if the caller or email asks the associated person to click a link, enter a web address or download software to their computer. In this scenario, associated persons should call the IT Help Desk on its official number to confirm the veracity of the original communication. In addition, employees should immediately report any suspicious activity to the firm.
Remote offices and telework arrangements also allow individuals to pose, via email or text message, as firm leadership. In doing so, they may request, for example, fund transfers for payment of accounts payable invoices. Another example is “the gift card procurement scam”, where someone posing as a manager or executive emails a subordinate with a request to provide them funds so that they may secretly purchase gift cards as a surprise award for staff.
FINRA suggests that firms alert their staff to monitor for potential red flags, such as:
FINRA has also observed that some firms address such risks by including an “external” banner to highlight emails received from outside the firm. Finally, FINRA reminds firms that while there may not be a regulatory requirement to report every incident described in Reg. Notice 20-13, FINRA urges firms to protect customers and other firms by immediately reporting scams and any other potential fraud. The full text of Reg. Notice 20-13 can be found here.