Scams Against FINRA Broker-Dealers

FINRA reports that there has been a steady increase in the number of incidents in which criminals attempt to scam broker-dealers and their clients.

FINRA says that one way crooks do this is by targeting a legitimate broker-dealer and building a website that looks very similar to the broker-dealer’s or a registered representative’s site. They then capture the information the customer enters into that site and use it to defraud the investor.

FINRA has also reported that it has seen an increase in the number of instances in which a fraudster poses as a customer requesting funds from his or her account. In a typical example, the criminal will obtain information about the customer’s email account by hacking into the email. Then the criminal sends an email to the broker-dealer requesting that it wire funds to an account overseas, often urgently and often stating that he/she won’t be available for the next 8 hours because he/she is boarding an international flight. This is in hopes that the broker-dealer does not call to verify the transfer. And once these funds are wired, they are almost never recovered. Thieves sometimes also do this with requests for checks to be issued on the customer’s account.

Broker-dealers should ensure that their internal control procedures related to customer requests for funds are effective. Many broker-dealers require a telephone conversation with a customer for disbursement requests over a certain amount that are not being sent to the address of record. Further, during these conversations, customers are required to provide identifying information. To prevent change of address scams where a crook asks to change the address and then requests a check, FINRA requires that broker-dealers take certain steps to ensure there are adequate controls around customer address change requests. Firms must send notice of any change of address to the customer at the old address (and to the registered representative) on or before the 30th day after the date the firm received the notice of the change. Those requirements can be found in SEC Rule 17a-3(a)(17)(i)(B)(3).

FINRA recommends that broker-dealers “Immediately contact the SEC and FINRA” and “Report to the FBI” in the event that they believe that their professional identity is being employed in a scam. If your firm has been a victim of such an attack, visit FINRA’s page on Customer Information Protection for a checklist of steps to take.

If you have questions about internal financial controls, Mitch Atkins, FINRA’s former South Region Director, has extensive experience in this area. Call Mitch Atkins, Principal at FirstMark Regulatory Solutions, at 561-948-6511.

FINRA Broker-Dealer Business Continuity Planning

Subsequent to the events of 9/11, NASD developed the Rule 3500 series which was approved by the SEC on April 7, 2004. This series of rules was developed to require NASD members to develop and maintain emergency preparedness plans and procedures. Also, subsequent to hurricanes Katrina, Rita and Wilma which struck the mainland U.S. in 2005, NASD implemented requirements related to emergency contact information that must be maintained with FINRA through Rule 1160 and the FINRA Contact System.

Today, FINRA’s Rule 4370 covers Business Continuity Plans and Emergency Contact Information. FINRA requires each of its members to have procedures in place that are designed to ensure that the member is able to meet its obligations to customers, including other broker-dealers and counterparties. This plan must be maintained on a current basis, and should be updated whenever the broker-dealer’s operations change materially, but not less than annually. Many broker-dealers handle this as part of their annual review of supervisory controls.

FINRA allows members flexibility when it comes to designing their business continuity plans. However, Rule 4370 specifies certain minimum requirements including: data back-up and recovery, mission critical systems, financial and operational assessments, alternative methods of communicating with customers and employees, critical business constituent, bank and counter-party impact, regulatory reporting, communications with regulators, and how the broker-dealer will ensure that customers have prompt access to their funds and securities.

As with most requirements of this type, a member must have a written plan and it must be approved in writing by a member of senior management who is also a registered principal of the firm. Certain elements of the plan must be disclosed to customers at the time the account is opened and on any website maintained by the firm. FINRA requires that its members designate an emergency contact and that they maintain the currency of this contact information.

When an actual emergency happens, experience has shown that broker-dealers who have robust business continuity plans that are tested regularly will experience much less disruption than those who do not take this requirement seriously. A canned BCP that is not tailored to the firm’s operations will at best cause confusion during a real emergency, and at worst result in serious disruption, possible reputational damage and regulatory disciplinary action.

If you have questions about how a BCP may be best designed for your firm, Mitch Atkins, FINRA’s former South Region Director, is now Principal at FirstMark Regulatory Solutions and can be reached by calling 561-948-6511.