
FINRA Risk Monitoring Program: What’s New for 2023?

By: Jonathan Kurta

Every year, FINRA announces areas of compliance it will prioritize when performing routine examinations of firm practices. FINRA chooses these areas based on deficiencies the regulator has noted throughout the year. By reviewing the 2023 Report on FINRA’s Examination and Risk Monitoring Program, readers can get an idea of where brokerage firms may have failed to enforce essential regulatory rules.

2023 will see a particular focus on Financial Crimes, especially in these three areas:

  • Enhancing Cybersecurity
  • Anti-Money Laundering Practices
  • Manipulative Trading Prevention

Cybersecurity

According to a report in The Wall Street Journal, more than half of surveyed U.S. brokerage firms “said they had been targeted by email scams aimed at tricking them into wiring away client money.” 26% of these firms reported losses of more than $5,000, which they then had to restore for their customers. This year, FINRA is looking at how firms protect themselves – and their customers’ personal information – from scammers.

One of FINRA’s notices from 2022 warns brokerage firms of ransomware attacks. Ransomware attacks steal sensitive data and hold it hostage for a price. Attackers often start with a phishing email that includes a link to malware. Once the firm employee inadvertently downloads the malware, the attack begins, siphoning off customer data. 

This year, FINRA will ask firms questions like, “What steps has your firm taken to prevent a cybersecurity intrusion, such as a ransomware attack? In the event your firm experiences an intrusion, how will it restore critical data from backups?”

Cyber Attack Response

Firms should have a response plan in case of a cyber attack. The firm should immediately notify the FBI and produce a Suspicious Activity Report (SAR). Brokerage firms must be on the lookout for fraudulent wire transfers and phishing attempts. Phishing attempts in the past have included fake emails to firms that spoof an official FINRA email.

Identity Theft Prevention

FINRA has uncovered instances of firms failing to identify unauthorized copying of customer data, in addition to instances where firms have failed to monitor outbound emails to look for sensitive customer data that a broker might be sending to someone outside the firm.

Firms will have to answer questions about how they ensure only authorized employees and customers have access to firm systems. FINRA also wants to know how firms verify identities for their customers.

Anti-Money Laundering, Fraud, and Sanctions

FINRA Rule 3310 requires firms to monitor for any red flags of money laundering, in compliance with the Bank Secrecy Act. Anti-money laundering (AML) rules include procedures that ensure brokerage firms review red flags for criminal activity.

Fraudulent Transfers of Accounts Through ACATs

FINRA issued a notice in 2022 alerting brokerage firms to the prevalence of fraud using the Automated Customer Account Transfer Service (ACATs). In these instances, fraudsters create accounts using the stolen identity of a legitimate customer. Using the fake account, the bad actor requests a transfer of funds to an account outside of the brokerage firm.

FINRA 2023 Examination Question: “Does your firm have reasonably designed AML procedures to detect red flags of identity theft or synthetic identity fraud in connection with account openings?”

“Small Cap” Initial Public Offering and Pump-and-Dump Scams

The 2023 Risk Monitoring Program warns of an “Emerging Risk Area”: Manipulative trading in small-cap IPOs. “Small-cap” refers to companies with a market capitalization typically under $1 billion. These smaller companies are more often at the center of “pump and dump” schemes, which are designed to generate interest in a cryptocurrency or a low-price stock. Once the fraudsters manage to sufficiently inflate the price, they sell all their shares, leaving the duped investors with a worthless investment.

Inadequate Due Diligence

FINRA firms are required to assess the risk associated with a certain profile. This includes information about the client’s business, such as whether they trade significant volumes of low-priced securities. Firms should also report to their AML department any incidents that may require a Suspicious Activity Report, such as fraudulent wire transfers.

Manipulative Trading

Firms are required to supervise their brokers and look for any signs of manipulative trading, such as front running or wash trading.

  • Front running describes a broker using insider information about a large trade – a trade that will impact share prices – and then buying or selling according to the upcoming change in price.
  • Wash trading involves buying and selling the same shares in order to falsely inflate the interest in a particular stock.

Here is a sample exam question from the “Manipulative Trading” section:

“Does your firm monitor for red flags of potential coordination among customers? For example, unrelated accounts being opened and depositing shares at the same time, or multiple customer accounts accessed from the same IP address?”

If the accounts are being accessed from the same IP address, it is a red flag that bad actors are coordinating to trade shares at the same time in order to inflate prices.

How Can Investors Protect Themselves?

FINRA’s 2023 Risk Monitoring Program will hopefully result in an increased number of fines and regulatory actions against firms that fail to uphold FINRA standards in these areas. But these exams should also serve as a reminder that brokerage firms are not infallible, and investors should keep careful watch over their account statements to ensure they have not suffered unexpected losses. If you notice unexplained losses, your first call should be to a securities attorney. Call (877) 600-0098 or email info@kurtalawfirm.com.


Jonathan Kurta is an accomplished securities attorney and a founding partner at Kurta Law.