From Ulmer’s Broker-Dealer Law Corner Blog
By Frances Floriano Goins
I am fairly certain that at least every once in a while, you appreciate hearing from someone a bit less snarky than me. If so, then you’re in luck! Please enjoy this post from my partner, and my co-leader of Ulmer’s Financial Services practice group, Fran Goins, about FINRA’s response to COVID-19. – Alan Wolper
Online fraud is a bigger business than ever in the current pandemic environment. Far from “self-isolating,” fraudsters are seeing online work as an opportunity to take advantage of firms and their customers, using stolen personal information to set up phony accounts and divert funds from customers. FINRA has not remained silent, publishing an Information Notice addressed to firms on March 26, 2020 and Regulatory Notice 20-13 on May 5, 2020, following up with a new FAQ for investors on May 11, 2020.
In response to pandemic-engendered business issues, FINRA had already updated its Business Continuity Planning FAQ on March 24, 2020 to confirm that members and their associated persons were permitted to use remote offices or telework arrangements during the COVID-19 pandemic. The FAQ noted, however, that members who chose to utilize such arrangements would be expected to maintain appropriate supervisory systems and documentation.
The follow-up Information Notice titled, “Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19),” flags measures that firms should employ when having to close offices and work offsite in the wake of state stay-at-home orders. It addresses basic protective measures for associated persons and firms dealing with the new work arrangements. Associated persons are encouraged to update security on office and home networks, update software and operating systems on home computers and mobile devices, learn to recognize common phishing and business email scams, and understand the firm’s incident response plan, including who to call in the case of a breach. Firms are encouraged to beef up network security controls to provide staff with a secure connection to the work environment and review who needs to access sensitive systems and data, provide training to staff regarding potential scams and attacks, and provide well-trained IT personnel to support staff working remotely.
In May, FINRA issued an additional set of COVID-19 updates and guidance to firms and investors. Regulatory Notice 20-13, addressed to firms, notes the “heightened threat of frauds and scams” that firms and their customers may be exposed to during the pandemic. These include: (1) fraudulent account openings and money transfers; (2) firm imposter scams; (3) IT Help Desk scams; and (4) business email compromise schemes. While none of these scams are new, the use of stolen or synthetic customer information and phishing emails to trick firms and their customers is even more prevalent in the current environment. The Notice suggests detailed, specific measures that firms should take to avoid becoming victims of such scams, including:
- Using enhanced customer identification programs;
- Monitoring for fraud during account opening;
- Using careful bank account verification procedures and restrictions on fund transfers;
- Continuing to monitor after accounts are opened;
- Collaborating with clearing firms to handle ACH transactions;
- Filing appropriate SARs;
- Assessing compliance programs;
- Safeguarding customer “records and information” pursuant to Reg S-P; and
- Training staff to recognize scams such as firm imposter, IT Help Desk, and business email compromise schemes.
FINRA’s most recent guidance addressed to investors is titled, “Fraud & Your Investment Accounts During the COVID-19 Pandemic.” It largely tracks the Notice to firms, but also contains “Investor Tips” urging investors to review and monitor their accounts and credit reports to flag unusual or unauthorized transactions; safeguard credentials and control account access; verify the identity of anyone who contacts them purportedly on behalf of their firm through independent means; learn to recognize “red flags” that may indicate a business email compromise; and report any suspicious activity to FINRA, the SEC, the FBI, and local authorities.
Scammers and hackers take advantage of any unusual event to up their game, and nothing is more unusual than the current pandemic environment. FINRA’s comments and suggestions point out the dangers of remaining complacent. Firms, members, and investors should take heed.