Bates Research | 05-20-21
FINRA Warns Members of Increase in Online Account Takeovers and to Follow Rules on Arbitration Agreements; Seeks Diversity and Inclusion Improvements
In a sign of ramped-up concern, FINRA urged members to ensure that cybersecurity programs and practices are in place to protect customers from online account takeover attempts. The regulator also issued Notices reminding firms to follow disclosure and other rules on pre-dispute arbitration agreements and asking market participants for comments on any rules that may create unintended barriers to diversity and inclusion in the broker-dealer industry. Here’s a recap.
Cybersecurity and the Increased Threat of Online Account Takeovers
On May 12, 2021, FINRA issued a Notice warning member firms about the increasing number of attacks by bad actors on customer’s online brokerage accounts (aka “customer account takeovers” or “ATOs”). The regulator reminded firms of their obligations to protect customer information and described numerous cybersecurity practices that firms have been implementing to mitigate the risks from these attacks.
The prevalence of ATO attempts suggests a need for urgency. The ATO incident reports describe numerous risks from fraudsters who use (i) compromised or stolen login information to access online brokerage accounts, (ii) “synthesized identities” to open new accounts, (iii) phishing emails and other “social engineering” methods to acquire personal information, and (iv) sophisticated new automated tools (e.g. mobile emulators) to access online accounts. FINRA concluded that the increase in these attacks is due to an increase in the number of online accounts, a “proliferation of mobile devices and applications,” and an increase in online transactions, due in part to pandemic-related physical office limitations.
In a helpful chart, FINRA summarized core broker-dealer obligations to protect sensitive customer information and to satisfy customer verification and anti-money laundering (“AML”) rules. Specifically, the regulator cites the Know Your Customer (“KYC”) requirements; customer records safeguards and written policies and procedure requirements under SEC Reg S-P (“Privacy of Consumer Financial Information”); detection, prevention and mitigation of identity theft on “covered accounts” under SEC Reg S-ID (“Identity Theft Red Flag Rules”); AML obligations under Customer Identification Program (“CIP”) rules and under other AML compliance program regulations—including FINRA related supervisory obligations over handling of transmittals requests, for example, and FinCEN suspicious activity reports (“SARs”) filing requirements.
Though careful not to endorse any particular strategy to mitigate the risks of ATOs, FINRA observed how firms were deploying risk-based approaches for “validating new customers’ identities, authenticating logins to firm systems and performing customer-requested actions (e.g., transactions in an account), coupled with strong back-end monitoring and robust procedures to respond quickly to identified customer ATOs.”
Specifically, FINRA reviewed firm tactics:
- Verifying customers’ identities when first establishing online accounts (e.g. by validating identifying information like social security numbers, using credit reporting agencies or other third parties).
- Authenticating customers’ identities at login (primarily through multifactor authentication, but also by using “adaptive authentication”—when logging in from a new device or when executing a higher risk transaction—and “supplemental authentication” using SMS text codes or other phone or third-party verification).
- Monitoring and control, including surveillance of individual accounts and across accounts looking for “anomalies” (e.g. failed log-ins, large purchases, third party wires, email changes or unexpected attachments, unusual withdrawals) as well as back-end efforts to prevent moving money out of customer accounts (e.g. requiring phone confirmations in case of suspicious activity).
- Relevant internal procedures, including developing a special fraud group to investigate ATOs, frequent communications with customers, reviewing customer activity across accounts upon suspicion of an ATO, and reminding customers of best security practices.
- Threat detection, including using automated processes (e.g. using firewalls and instituting controls on suspicious activity).
- Practices to restore access to customer accounts, including safeguards for distinguishing between customer lockouts and bad actor attempts at an ATO (e.g. two-factor authentication on password resets, text message codes, security questions).
- Practices to educate customers on security.
In an appendix to the Notice, FINRA offers a glossary of commonly used cyber-terms. As bad actors and market security tools become more sophisticated, keeping up with these terms becomes increasingly important.
Bates Compliance Cybersecurity Services
Mind the Rules on Mandatory Arbitration Agreements
On April 21, 2021, FINRA warned firms about the use of arbitration agreements for customer accounts. FINRA said it is raising these concerns after becoming aware that “customer agreements used by some member firms contain provisions that do not comply with FINRA rules.” The Notice highlighted several such provisions and encouraged firms to take prompt steps to ensure that they are rectified. Among other examples, FINRA emphasized that provisions in customer agreements:
- cannot dictate the location of an arbitration hearing;
- cannot be used to shorten or extend statutes of limitations, or require by whom such a question must be determined;
- cannot attempt to limit a customer’s right to pursue class actions in court, (e.g. requiring that a customer waives any right to bring a class action; or requiring that a claim be brought only in an individual capacity; or that the agreement to arbitrate constitutes a waiver of the right to seek a judicial forum.) FINRA underscores that the rules are intended to “prevent member firms from using an existing arbitration agreement to defeat class certification or participation.”
- cannot attempt to limit the ability of a customer to file a claim, limit the authority of arbitrators to make an award, or limit the member firm’s liability for consequential or punitive damages; and
- cannot contain indemnification or hold harmless provisions which protect the firm from all claims and losses arising out of the agreement.
In order to ensure that customers understand their rights, FINRA rules require adequate disclosure of the provisions in mandatory arbitration agreements. FINRA warns that failure to comply with these rules on customer agreements will subject a firm to disciplinary action.
FINRA Seeks Comments on Ways to Improve Diversity and Inclusion
On April 29, 2021, FINRA issued a Notice seeking comment from market participants on any of its “rules, operations and administrative processes that may create unintended barriers to greater diversity and inclusion in the broker-dealer industry.” This concern derives from “preliminary conversations” that may suggest unintended consequences or disparate impacts from FINRA’s rules or market activity.
Specifically, FINRA wants to hear about (i) rules or practices, circumstances or operations that might have disparate impacts on broker-dealers (based on “national origin, language, age, gender, race, color, ethnicity, socioeconomic status, religion or spiritual practice, disability, sexual orientation, gender identity, family structure or veteran status”) or that might discourage participation in the broker-dealer industry; (ii) the collection and publication of registered representative background data, and whether that may create an unintended barrier to diversity; and (iii) whether rules can be amended to foster diversity, inclusion and equal opportunity.
The Notice highlights FINRA diversity and inclusion initiatives and notes the board’s continuing support for broker-dealer-developed initiatives and programs to expand opportunities for historically underserved businesses and investors. Comments must be submitted by June 28, 2021.
Conclusion
The breadth of the FINRA Notices—issued within weeks of each other—is notable. Cybersecurity management, arbitration oversight and new outreach on diversity and inclusion represent a broad scope of concerns, all of them priorities. Addressing the explicit and ongoing cyber risk from bad actors is a pressing urgency. At the 2021 FINRA Annual Conference this week, one panelist on the “Fraud Detection and Prevention” panel specifically pointed out that “our information is on the dark web now. Old things like date of birth or address is not useful because criminals have the information and it could look perfect. It is incumbent on us to think differently and look beyond the customer I.D. elements.” Ensuring that arbitration agreements are in sync with FINRA rules and do not curtail the rights of customers to redress is a compliance and legal risk. Finally, the promotion of diversity and inclusion in the financial markets is everyone’s concern. Bates will continue to keep you apprised of FINRA developments as they occur.
Bates Compliance delivers guidance and tailored compliance consulting solutions to our broker-dealer, investment adviser and hybrid firm clients on an as-needed or ongoing basis. Our team—made up of experienced senior compliance, legal and former regulatory professionals—drafts and tests policies, procedures, and supervisory and compliance processes, recommending and implementing changes based on leading practices to enhance compliance and supervisory systems and to remediate regulatory, litigation and internal audit findings. For more information, please contact:
- Hank Sanchez, Managing Director, hsanchez@batesgroup.com | 504-450-9632
- David Birnbaum, Managing Director, dbirnbaum@batesgroup.com | 917-273-2682
Bates AML and Financial Crimes helps its clients meet their AML obligations through experience, resources, and ongoing guidance. Our services are tailored to the specific needs and requirements of our clients and that regulators are seeking, including in the areas of AML tuning and optimization, implementation of new systems, trade finance, and AI-driven process automation solutions, AML and sanctions system model validations; governance and oversight processes; redesign and updates to AML policies and procedures; AML and sanctions risk and gap assessments; regulatory response support; and staffing support for AML backlogs and lookbacks. For more information, please contact:
- Edward Longridge, Managing Director and Practice Leader, elongridge@batesgroup.com | 917-455-7765
- Dennis Greenberg, Managing Director, dgreenberg@batesgroup.com | 914-588-3965