Announced on Jan 10th 2024.
The 2024 FINRA Annual Regulatory Oversight Report (the Report) provides member firms with insight into findings from FINRA’s Member Supervision, Market Regulation and Enforcement programs (collectively, “regulatory operations programs”). The Report reflects FINRA’s commitment to providing greater transparency to member firms and the public about our regulatory activities. (All information here is quoted from the report)
The report is available at this link: https://www.finra.org/sites/default/files/2024-01/2024-annual-regulatory-oversight-report.pdf
The 2021-2023 versions of the Report were published under its previous title (i.e., Report on FINRA’s Examination and Risk Monitoring Program). The new title represents FINRA’s ongoing efforts to increase both the integration among our regulatory operations programs and the utility of the Report for member firms as an information source they can use to strengthen their compliance programs.
As in the 2021-2023 Reports, this year’s Report addresses a broad range of topics. Notably, the Report introduces new content dedicated to crypto assets; new topics within the Market Integrity section (e.g., OTC Quotations in Fixed Income Securities, Advertised Volume); information related to artificial intelligence’s potential impact on firms’ regulatory obligations; and guidance concerning firms’ supervision and retention of off-channel communications.
Additionally, for each topical area covered, the Report continues to:
– identify the relevant rule(s)
– highlight key considerations for member firms’ compliance programs
– summarize noteworthy findings or observations from recent oversight activities
– outline effective practices that FINRA observed through its oversight activities
– provide additional resources that may be helpful to member firms in reviewing their supervisory procedures and controls and fulfilling their compliance obligations.
FINRA Rule 3310(a) requires that member firms establish and implement AML policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions.
FINRA Rule 3310(c) requires that the AML program provide for independent testing for compliance each calendar year (or every two years in some specialized cases).
FINRA Rule 3310(e) requires that the program provide ongoing training for appropriate personnel.
FINRA Rule 3310(f) requires that member firms’ AML programs include appropriate risk-based procedures for conducting ongoing customer due diligence.
Other requirements contained in the BSA’s implementing regulations include:
- Maintaining a Customer Identification Program (CIP)
- Verifying the identity of legal entity customers
- Establishing due diligence programs to assess the money laundering risk presented by correspondent accounts maintained for foreign financial institutions
- Responding to information requests from FinCEN within specified timeframes
- suspicious activity detection and reporting, does it:
– appropriately monitor trading activity and money movements conducted or attempted by, at or through your firm;
– review the integrity of its data feeds
– assess scenario parameters as needed?
- If your firm introduces customers and activity to a clearing firm, do your AML procedures reasonably address how your firm will communicate and share information with your clearing firm with respect to the filing of SARs?
- Does your firm maintain appropriate risk-based procedures for conducting ongoing Customer Due Diligence (CDD) to:
– understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile
– conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information?
Customer Onboarding
- Does your firm have reasonable AML procedures to collect identifying information and verify the identity of its customers under the CIP Rule, and the beneficial owners of all who are considered its legal entity customers under the CDD Rule?
- Does your firm use information gathered as part of CIP and CDD to help ensure compliance with other requirements, such as OFAC regulations?
- Does your firm have AML policies and procedures that can be reasonably expected to detect identity theft or synthetic identity fraud in connection with account openings, and has your firm considered the example red flags included in Regulation S-ID?
AML Independent Testing
- Is your firm’s AML independent test performed by someone with a working knowledge of the BSA and its implementing regulations?
- Does your firm ensure that it is performing its independent AML test with the required frequency (once each calendar year for most firms)?
- Does your firm’s AML independent test confirm that your firm has established and implemented reasonably designed procedures for customer identification and verification, customer due diligence and suspicious activity reporting?
Findings and Effective Practices
Findings
Misconstruing Obligation to Conduct CIP and CDD: Failing to recognize that certain formal relationships established with the firm to effect securities transactions are customer relationships (and, consequently, not conducting CIP or CDD as required).
Inadequate Verification of Customer Identities: Failing to collect identifying information at the time of account opening and reasonably verify the identity of customers and beneficial owners of legal entity customers with documentary and/or non-documentary methods within a reasonable timeframe.
Inadequate Responses to Red Flags:
- Auto-approving customer accounts despite red flags, or otherwise failing to perform a reasonable review of potential red flags associated with verifying customer identities (e.g., applicant provided a social security number that was not valid or was associated with the name of a different person, including a deceased individual).
- Failing to have established policies and procedures that can be reasonably expected to detect identity theft or synthetic identity fraud in connection with account opening (e.g., personal identifying information does not match a consumer report or was used on another account the firm knew was fraudulent).
Inadequate Due Diligence: Failing to conduct initial and ongoing risk-based CDD to understand the nature and purpose of customer relationships to develop a customer risk profile, or conduct due diligence on correspondent accounts of foreign financial institutions in compliance with FINRA Rule 3310(b).
Inadequate Ongoing Monitoring and Reporting of Suspicious Transactions:
- Failing to establish and implement written AML procedures that can reasonably be expected to detect and cause the reporting of suspicious activity.
- Failing to reasonably review for and respond to red flags associated with:
– Orders and securities trading
– Movement or settlement of cash or securities (e.g., wire and Automated Clearing House (ACH) transfers, debit card and ATM transactions, securities trading (including order entry), journal transfers)
– Member’s business operations, including activity related to high-risk products and services (e.g., cash management products and services; trading of low-priced, thinly traded securities);
– Suspicious activity introduced to the member by other FINRA member broker-dealers; and orders for crypto asset trades.
- Failing to notify the AML department of events that may require the reporting of a SAR, including cybersecurity events, account compromise or takeovers, or fraudulent wire or ACH transfers.
- Failing to reasonably investigate inquiries from law enforcement, clearing firms, regulators or other federal and state agencies that concern red flags of suspicious activity.
Inadequate Handling of FinCEN Information Requests:
- Failing to review and respond to information requests from FinCEN issued pursuant to Section 314(a) of the Patriot Act, or not doing so within the required two-week timeframe.
Inadequate Testing: Failing to conduct adequate independent testing of their AML program by:
– Not providing for annual testing of the program on a calendar year basis (or every two years in specialized circumstances)
– Not testing critical aspects of the AML program for reasonableness (e.g., suspicious activity detection and reporting), including where firms have taken on new products, services or client bases that may have materially shifted the firm’s AML risk profile or situations where new threats to the industry are applicable to the firm
– Conducting testing that is not reasonably designed, such as testing that fails to consider whether AML reports and systems are accurately and reasonably capturing suspicious transactions and are reasonably tailored to the AML risks of the member’s business
– Not confirming that persons with the requisite independence and qualifications perform the testing.
Effective Practices
Regulatory Updates: Reviewing alerts, advisories, significant cases and other updates from the SEC, FinCEN, FINRA, OFAC, and other regulators and agencies.
Risk Assessments: Conducting formal, written AML risk assessments that are updated in appropriate situations, such as the findings of its independent AML test or other internal or external audits, changes in size or risk profile of the firm (e.g., changes to business lines, products and services, registered representatives, customers or geographic areas in which the firm operates); or material macroeconomic or geopolitical events.
Verifying Customers’ Identities When Establishing Online Accounts: Incorporating additional methods for verifying customer identities as part of the firm’s CIP through, for example, methods such as:
– Requiring both documentary (e.g., driver licenses) and non-documentary identifying information, or multiple forms of documentary information
– Asking follow-up questions or requesting additional documents based on information from credit bureaus, credit reporting agencies or digital identity intelligence (e.g., automobile and home purchases)
– Contracting third-party vendors to help verify the legitimacy of suspicious information in customer applications (e.g., cross-referencing information across multiple vendors)
– Validating identifying information that applicants provide through likeness checks
– Reviewing the IP address or other available geolocation data associated with:
— New Online Account Applications for consistency with the customer’s home address
— Transfer requests (for consistency with locations from which the firm has previously received legitimate customer communications)
– Obtaining a copy of the account statement from the account slated to be transferred before sending an Automated Customer Account Transfer Service (ACATS) request
– Delivering firms sending notifications to account owners (e.g., “push” notifications on mobile apps, emails, phone calls), contacting any broker(s) assigned to the account or both when an ACATS transfer is initiated
– Ensuring that any tools used for automated customer verification are reasonably designed to detect red flags of identity theft and synthetic identity fraud
– Limiting automated approval of multiple accounts for a single customer
– Reviewing account applications for common identifiers (e.g., email address, phone number, physical address) present in other applications and in existing accounts, especially seemingly unrelated accounts; and
– Reviewing account applications for use of temporary or fictitious email addresses (e.g., @temporaryemail.org) or phone numbers (e.g., 555-555-5555, 999-999-9999).
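As an added illustration (not code from the FINRA report or from this page's author), the sketch below applies several of the practices listed above to account applications: temporary email domains, fictitious phone numbers, identifiers shared with unrelated customers, IP region versus home address, and a cap on automated approvals per customer. The record fields, the upstream-resolved `customer_id`, the disposable-domain list and the one-account threshold are assumptions, and every sample record is constructed.

```python
import re
from collections import defaultdict

# Assumption: a firm-maintained list of temporary-mail domains. The single
# entry is the example domain quoted in the report text.
DISPOSABLE_DOMAINS = {"temporaryemail.org"}
# Assumption: policy threshold for automated approvals per customer.
MAX_AUTO_APPROVED_PER_CUSTOMER = 1


def normalize_email(raw):
    return (raw or "").strip().lower()


def normalize_phone(raw):
    """Keep digits only and drop a leading US country code."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


def normalize_address(raw):
    """Lower-case and collapse punctuation so formatting tricks still match."""
    return re.sub(r"[^a-z0-9]+", " ", (raw or "").lower()).strip()


def phone_is_fictitious(raw):
    """Flag malformed numbers, one repeated digit, or the 555-01xx fiction range."""
    d = normalize_phone(raw)
    if len(d) != 10 or len(set(d)) == 1:
        return True
    return d[3:8] == "55501"


def identifiers(record):
    """Return the (kind, value) pairs used for cross-application linkage."""
    pairs = (
        ("email", normalize_email(record.get("email"))),
        ("phone", normalize_phone(record.get("phone"))),
        ("address", normalize_address(record.get("address"))),
    )
    return [(kind, value) for kind, value in pairs if value]


def screen_applications(applications, existing_accounts):
    """Return {application_id: {"decision": str, "flags": [str, ...]}}."""
    seen = defaultdict(set)        # identifier -> customers that used it
    open_count = defaultdict(int)  # customer -> accounts opened or applied for
    for acct in existing_accounts:
        open_count[acct["customer_id"]] += 1
        for ident in identifiers(acct):
            seen[ident].add(acct["customer_id"])
    for app in applications:
        for ident in identifiers(app):
            seen[ident].add(app["customer_id"])

    results = {}
    for app in applications:
        cust, flags = app["customer_id"], []
        if normalize_email(app.get("email")).rpartition("@")[2] in DISPOSABLE_DOMAINS:
            flags.append("disposable_email")
        if phone_is_fictitious(app.get("phone")):
            flags.append("fictitious_phone")
        for kind, value in identifiers(app):
            # Same identifier on a different customer: seemingly unrelated accounts.
            if seen[(kind, value)] - {cust}:
                flags.append(f"shared_{kind}")
        if app.get("ip_region") and app["ip_region"] != app.get("home_region"):
            flags.append("ip_geo_mismatch")
        if open_count[cust] >= MAX_AUTO_APPROVED_PER_CUSTOMER:
            flags.append("multiple_accounts")
        open_count[cust] += 1
        # Any red flag routes the application to a person; nothing is auto-approved.
        decision = "manual_review" if flags else "auto_approve"
        results[app["id"]] = {"decision": decision, "flags": flags}
    return results


# Constructed sample data, for illustration only.
EXISTING_ACCOUNTS = [
    {"customer_id": "C-100", "email": "pat.lee@example.com",
     "phone": "415-736-2291", "address": "12 Harbor St, Apt 4, Oakland CA"},
]
APPLICATIONS = [
    {"id": "A-1", "customer_id": "C-200", "email": "jordan@example.net",
     "phone": "617-482-9013", "address": "88 Elm Road, Boston MA",
     "ip_region": "US-MA", "home_region": "US-MA"},
    {"id": "A-2", "customer_id": "C-300", "email": "x9@temporaryemail.org",
     "phone": "555-555-5555", "address": "5 Pine Ct, Reno NV",
     "ip_region": "US-NV", "home_region": "US-NV"},
    {"id": "A-3", "customer_id": "C-400", "email": "sam@example.org",
     "phone": "+1 (415) 736-2291", "address": "12 harbor st. apt 4 oakland, ca",
     "ip_region": "US-FL", "home_region": "US-CA"},
    {"id": "A-4", "customer_id": "C-200", "email": "jordan@example.net",
     "phone": "617-482-9013", "address": "88 Elm Road, Boston MA",
     "ip_region": "US-MA", "home_region": "US-MA"},
]

if __name__ == "__main__":
    for app_id, outcome in screen_applications(APPLICATIONS, EXISTING_ACCOUNTS).items():
        print(app_id, outcome["decision"], outcome["flags"])
```

Recording the flag names alongside the decision gives the AML function and the independent tester evidence of why an application was not auto-approved.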
Related Considerations
Scope of AML Program
- Does your firm’s AML program reasonably address the AML risks associated with its business model, including new and existing business lines, products and services offered, customers and the geographic area in which your firm operates?
- Has your firm experienced substantial growth or changes to its business? If so, has your firm’s AML program evolved alongside the business?
- Does your firm’s AML program reasonably address the AML risks associated with effecting transactions in low-priced securities, including transactions effected through omnibus accounts (particularly accounts maintained for foreign financial institutions)?
Suspicious Activity Reporting
- Do your firm’s AML procedures recognize that suspicious activity reporting obligations may apply to any transactions conducted by, at or through your firm?
- Does your firm have reasonably designed AML procedures to detect and respond to indicators of illicit activities (generally referred to as “red flags”) that are relevant to its business model, such as those detailed in:
– Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations); and
– Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities).
- Does your firm have AML policies and procedures that can be reasonably expected to respond to red flags of sanctions evasion?
- Does your firm have reasonably designed AML procedures that account for FinCEN guidance addressing when SARs should be filed in addition to Office of Foreign Assets Control (OFAC) blocking reports?
We would love to hear from you about your challenges and help you with our GRACE AML solution
Emerging Risk: New Account Fraud
FINRA has observed an increase in suspicious and fraudulent activity related to new account fraud (NAF), which occurs when a bad actor uses stolen or synthetic identification information to fraudulently open an account.
- NAF relies on the availability of stolen identification information, which is often extracted during data breaches and then sold on dark web marketplaces.
- Customers’ increasing interest in fully online account-opening processes—including those for mobile application–based brokerage accounts—has decreased human interaction between prospective customers and firms, creating the potential for bad actors to fraudulently open brokerage accounts with greater ease.
NAF may be a precursor to other fraud schemes. Examples observed in FINRA examinations and investigations include, but are not limited to:
- Fraudulent requests to the ACATS to steal securities and other assets from an investor
- Fraudulent ACH transfers and wire transfers, including instances in which accounts opened through NAF were used as conduits to steal money from customers at other financial institutions
- Deposit or movement of fraudulently obtained funds from government benefit programs (e.g., fraudulently obtained COVID-relief funds)
FINRA encourages firms, especially those that offer fully online account opening services and rely on automated account opening or customer verification services, to:
- Evaluate their review of red flags of NAF during the account opening process
- Evaluate their monitoring of ongoing customer account activity for NAF and other known fraud schemes
- Enhance these processes, as needed, to ensure compliance with Regulation S-ID and other applicable rules.
For additional guidance, FINRA recommends:
- Regulatory Notice 23-06 (FINRA Shares Effective Practices to Address Risks of Fraudulent Transfers of Accounts Through ACATS)
- Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts Through ACATS)
- Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)
- Regulatory Notice 21-14 (FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse)
- Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection with Potential Account Takeovers and New Account Fraud)
Delegation and Communication of AML Responsibilities:
- Delegating AML duties to business units in the best position to conduct ongoing monitoring to identify suspicious activity
- Establishing written escalation procedures and recurring cross-department communication between AML, compliance and relevant business unit(s).
Training:
- Establishing and maintaining an AML training program for appropriate personnel that is tailored to the individuals’ roles and responsibilities, addresses industry developments impacting AML risk and regulatory developments, and, where applicable, leverages trends and findings from the firm’s quality assurance controls and independent AML test.
Additional Resources
FINRA
- Anti-Money Laundering (AML) Key Topics Page
- Anti-Money Laundering (AML) Template for Small Firms (September 8, 2020)
- Frequently Asked Questions (FAQ) regarding Anti Money Laundering (AML)
- Industry Risks and Threats – Resources for Member Firms
- SEC Identity Theft Red Flags Rule (Reg S-ID)
Regulatory Notices:
- Regulatory Notice 23-06 (FINRA Shares Effective Practices to Address Risks of Fraudulent Transfers of Accounts Through ACATS)
- Regulatory Notice 22-25 (Heightened Threat of Fraud: FINRA Alerts Firms to Recent Trend in Small Capitalization (“Small Cap”) IPOs)
- Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts Through ACATS)
- Regulatory Notice 22-06 (U.S. Imposes Sanctions on Russian Entities and Individuals)
- Regulatory Notice 21-36 (FINRA Encourages Firms to Consider How to Incorporate the Government-Wide Anti-Money Laundering and Countering the Financing of Terrorism Priorities Into Their AML Programs)
- Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)
- Regulatory Notice 21-14 (FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse)
- Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities)
- Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection with Potential Account Takeovers and New Account Fraud)
- Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
- Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations)
FINRA Unscripted Podcasts
- A New Twist on New Account Fraud: Detecting and Preventing ACATS Fraud (May 2, 2023)
- AML Update: The Latest Trends and Effective Practices (May 31, 2022)
- At, By or Through: Fraud in the Broker-Dealer Industry (April 20, 2021)
- Overlapping Risks, Part 2: Anti-Money Laundering and Elder Exploitation (November 10, 2020)
- Overlapping Risks, Part 1: Anti-Money Laundering and Cybersecurity (October 27, 2020)
- Beyond Hollywood, Part II: AML Priorities and Best Practices (May 14, 2019)
- Beyond Hollywood, Part I: Money Laundering in the Security Industry (April 30, 2019)
SEC
- Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities (October 17, 2023)
- Risk Alert: Observations from Anti-Money Laundering Compliance Examinations of Broker-Dealers (July 31, 2023)
- Anti-Money Laundering (AML) Source Tool for Broker-Dealers (May 16, 2022)
- Risk Alert: Compliance Issues Related to Suspicious Activity Monitoring and Reporting (March 29, 2021)
Treasury and FinCEN
- FinCEN Alert to Financial Institutions to Counter Financing to Hamas and its Terrorist Activities (October 20, 2023)
- FinCEN Alert on Prevalent Virtual Currency Investment Scam Commonly Known as “Pig Butchering” (September 8, 2023)
- Advisory on Elder Financial Exploitation (June 15, 2022)
- Advisory on Kleptocracy and Foreign Public Corruption (April 14, 2022)
- Alert: FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts (March 7, 2022)
- Treasury Publishes National Risk Assessments for Money Laundering, Terrorist Financing, and Proliferation Financing (March 1, 2022)
- The Anti-Money Laundering Act of 2020 (June 30, 2021)
- Anti-Money Laundering and Countering the Financing of Terrorism National Priorities (June 30, 2021)
- Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other Anti-Money Laundering Considerations (January 19, 2021)
- Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (October 1, 2020)
- Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic (July 30, 2020)
- FinCEN 314(a) Fact Sheet (February 26, 2019)
- Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (October 25, 2016)
- Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs) (October 25, 2016)
- The SAR Activity Review, Issue 8, Section 5 “Revised Guidance on Filing Suspicious Activity Reports Relating to the Office of Foreign Assets Control List of Specially Designated Nationals and Blocked Persons” (April 2005)
- Interpretive Release No. 2004–02 (Unitary Filing of Suspicious Activity) (December 23, 2004)
Financial Action Task Force
- Risk-based Approach Guidance for the Securities Sector (October 26, 2018)
FINRA’s intent is that the Report be an up-to-date, evolving resource or library of information for member firms. To that end, the Report builds on the structure and content in the 2021-2023 Reports by adding new topics denoted NEW FOR 2024 and new material (e.g., new findings, effective practices) to existing sections where appropriate. (New material in existing sections is in bold type.)
Key Sections of the report that describe the obligations for AML
FINRA Rule 3310 (Anti-Money Laundering Compliance Program) requires that each member firm develop and implement a written AML program that is approved in writing by senior management and is reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act (BSA) and its implementing regulations.
FINRA Rule 3310(a) requires that member firms establish and implement AML policies and procedures that can be reasonably expected to detect and cause the reporting of suspicious transactions
FINRA Rule 3310(c) requires that the AML program provide for independent testing for compliance each calendar year (or every
two years in some specialized cases)
FINRA Rule 3310(e) requires that the program provide ongoing training for appropriate personnel
FINRA Rule 3310(f) requires that member firms’ AML programs include appropriate risk-based procedures for conducting ongoing customer due diligence.
Other requirements contained in the BSA’s implementing regulations include
- Maintaining a Customer Identification Program (CIP)
- Verifying the identity of legal entity customers
- Establishing due diligence programs to assess the money laundering risk presented by correspondent accounts maintained for foreign financial institutions
- Responding to information requests from FinCEN within specified timeframes
- suspicious activity detection and reporting, does it:
– appropriately monitor trading activity and money movements conducted or attempted by, at or through your firm;
– review the integrity of its data feeds
– assess scenario parameters as needed? - If your firm introduces customers and activity to a clearing firm, do your AML procedures reasonably address how your firm will communicate and share information with your clearing firm with respect to the filing of SARs?
- Does your firm maintain appropriate risk-based procedures for conducting ongoing Customer Due Diligence (CDD) to:
– understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile
– to conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information?
Customer Onboarding
- Does your firm have reasonable AML procedures to collect identifying information and verify the identity of its customers under the CIP Rule, and the beneficial owners of all who are considered its legal entity customers under the CDD Rule?
- Does your firm use information gathered as part of CIP and CDD to help ensure compliance with other requirements, such as OFAC regulations?
- Does your firm have AML policies and procedures that can be reasonably expected to detect identity theft or synthetic identity fraud in connection with account openings, and has your firm considered the example red flags included in Regulation S-ID?
AML Independent Testing
Is your firm’s AML independent test performed by someone with a working knowledge of the BSA and its implementing regulations?
- Does your firm ensure that it is performing its independent AML test with the required frequency (once each calendar year for most firms)?
- Does your firm’s AML independent test confirm that your firm has established and implemented reasonably designed procedures for customer identification and verification, customer due diligence and suspicious activity reporting?
Findings and Effective Practices
Findings
Misconstruing Obligation to Conduct CIP and CDD: Failing to recognize that certain formal relationships established with the firm to effect securities transactions are customer relationships (and, consequently, not conducting CIP or CDD as required).
Inadequate Verification of Customer Identities: Failing to collect identifying information at the time of account opening and reasonably verify the identity of customers and beneficial owners of legal entity customers with documentary and/or non-documentary methods within a reasonable timeframe.
Inadequate Responses to Red Flags:
- Auto-approving customer accounts despite red flags, or otherwise failing to perform a reasonable review of potential red flags associated with verifying customer identities (e.g., applicant provided a social security number that was not valid or was associated with the name of a different person, including a deceased individual).
- Failing to have established policies and procedures that can be reasonably expected to detect identity theft or synthetic identity fraud in connection with account opening (e.g., personal identifying information does not match a consumer report or was used on another account the firm knew was fraudulent).
Inadequate Due Diligence: Failing to conduct initial and ongoing risk-based CDD to understand the nature and purpose of customer relationships to develop a customer risk profile, or conduct due diligence on correspondent accounts of foreign financial institutions in compliance with FINRA Rule 3310(b).
Inadequate Ongoing Monitoring and Reporting of Suspicious Transactions:
- Failing to establish and implement written AML procedures that can reasonably be expected to detect and cause the reporting of suspicious activity.
- Failing to reasonably review for and respond to red flags associated with:
– Orders and securities trading
– Movement or settlement of cash or securities (e.g., wire and Automated Clearing House (ACH)
transfers, debit card and ATM transactions, securities trading (including order entry), journal transfers)
– Member’s business operations, including activity related to high-risk products and services (e.g., cash management products and services; trading of low-priced, thinly traded securities);
– Suspicious activity introduced to the member by other FINRA member broker-dealers; and orders for crypto asset trades.
– Failing to notify the AML department of events that may require the reporting of a SAR, including cybersecurity events, account compromise or takeovers, or fraudulent wire or ACH transfers.
– Failing to reasonably investigate inquiries from law enforcement, clearing firms, regulators or other federal and state agencies that concern red flags of suspicious activity.
Inadequate Handling of FinCEN Information Requests:
- Failing to review and respond to information requests from FinCEN issued pursuant to Section 314(a) of the Patriot Act,12 or not doing so within the required two-week timeframe.
Inadequate Testing: Failing to conduct adequate independent testing of their AML program by:
– Not providing for annual testing of the program on a calendar year basis (or every two years in specialized circumstances
– Not testing critical aspects of the AML program for reasonableness (e.g., suspicious activity detection and reporting), including where firms have taken on new products, services or client bases that may have materially shifted the firm’s AML risk profile or situations where new threats to the industry are applicable to the firm
– Conducting testing that is not reasonably designed, such as testing that fails to consider whether AML reports and systems are accurately and reasonably capturing suspicious transactions and are reasonably tailored to the AML risks of the member’s business
– Not confirming that persons with the requisite independence and qualifications perform the testing.
Effective Practices
Regulatory Updates: Reviewing alerts, advisories, significant cases and other updates from the SEC, FinCEN, FINRA, OFAC, and other regulators and agencies.
Risk Assessments: Conducting formal, written AML risk assessments that are updated in appropriate situations, such as the findings of its independent AML test or other internal or external audits, changes in size or risk profile of the firm (e.g., changes to business lines, products and services, registered representatives, customers or geographic areas in which the firm operates); or material macroeconomic or geopolitical events.
Verifying Customers’ Identities When Establishing Online Accounts: Incorporating additional methods for verifying customer identities as part of the firm’s CIP through, for example, methods such as:
– Requiring both documentary (e.g., driver licenses) and non-documentary identifying information, or multiple forms of documentary information
– Asking follow-up questions or requesting additional documents based on information from credit bureaus, credit reporting agencies or digital identity intelligence (e.g., automobile and home purchases)
– Contracting third-party vendors to help verify the legitimacy of suspicious information in customer applications (e.g., cross-referencing information across multiple vendors)
– Validating identifying information that applicants provide through likeness checks
– Reviewing the IP address or other available geolocation data associated with:
— New Online Account Applications for consistency with the customer’s home address
— Transfer requests (for consistency with locations from which the firm has previously received legitimate customer communications
– Obtaining a copy of the account statement from the account slated to be transferred before sending an Automated Customer Account Transfer Service (ACATS) request
– Delivering firms sending notifications to account owners (e.g., “push” notifications on mobile apps, emails, phone calls), contacting any broker(s) assigned to the account or both when an ACATS transfer is initiated
– Ensuring that any tools used for automated customer verification are reasonably designed to detect red flags of identity theft and synthetic identity fraud
– Limiting automated approval of multiple accounts for a single customer
– Reviewing account applications for common identifiers (e.g., email address, phone number, physical address) present in other applications and in existing accounts, especially seemingly unrelated accounts and
– Reviewing account applications for use of temporary or fictitious email addresses (e.g., @temporaryemail. org) or phone number (e.g., 555-555-5555, 999-999-9999).
Related Considerations
Scope of AML Program
- Does your firm’s AML program reasonably address the AML risks associated with its business model, including new and existing business lines, products and services offered, customers and the geographic area in which your firm operates?
- Has your firm experienced substantial growth or changes to its business? If so, has your firm’s AML program evolved alongside the business?
- Does your firm’s AML program reasonably address the AML risks associated with effecting transactions in low-priced securities, including transactions effected through omnibus accounts (particularly accounts maintained for foreign financial institutions)?
Suspicious Activity Reporting
- Do your firm’s AML procedures recognize that suspicious activity reporting obligations may apply to any transactions conducted by, at or through your firm?
- Does your firm have reasonably designed AML procedures to detect and respond to indicators of illicit activities (generally referred to as “red flags”) that are relevant to its business model, such as those detailed in:
- Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations); and
- Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities).
- Does your firm have AML policies and procedures that can be reasonably expected to respond to red flags of sanctions evasion?
- Does your firm have reasonably designed AML procedures that account for FinCEN guidance addressing when SARs should be filed in addition to Office of Foreign Assets Control (OFAC) blocking reports?
We would love to hear from you about your challenges and help you with our GRACE AML solution
Emerging Risk: New Account Fraud
FINRA has observed an increase in suspicious and fraudulent activity related to new account fraud (NAF), which occurs when a bad actor uses stolen or synthetic identification information to fraudulently open an account.
- NAF relies on the availability of stolen identification information, which is often extracted during data breaches and then sold on dark web marketplaces.
- Customers’ increasing interest in fully online account-opening processes—including those for mobile application–based brokerage accounts—has decreased human interaction between prospective customers and firms, creating the potential for bad actors to fraudulently open brokerage accounts with greater ease.
NAF may be a precursor to other fraud schemes. Examples observed in FINRA examinations and investigations include, but are not limited to:
- Fraudulent requests to the ACATS to steal securities and other assets from an investor
- Fraudulent ACH transfers and wire transfers, including instances in which accounts opened through NAF were used as conduits to steal money from customers at other financial institutions
- Deposit or movement of fraudulently obtained funds from government benefit programs (e.g., fraudulently obtained COVID-relief funds)
FINRA encourages firms, especially those that offer fully online account opening services and rely on automated account opening or customer verification services, to:
- Evaluate their review of red flags of NAF during the account opening process
- Evaluate their monitoring of ongoing customer account activity for NAF and other known fraud schemes
- Enhance these processes, as needed, to ensure compliance with Regulation S-ID and other applicable rules.
For additional guidance, FINRA recommends:
- Regulatory Notice 23-06 (FINRA Shares Effective Practices to Address Risks of Fraudulent Transfers of Accounts Through ACATS)
- Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts Through ACATS)
- Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)
- Regulatory Notice 21-14 (FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse)
- Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection with Potential Account Takeovers and New Account Fraud)
Delegation and Communication of AML Responsibilities:
- Delegating AML duties to business units in the best position to conduct ongoing monitoring to identify suspicious activity
- Establishing written escalation procedures and recurring cross-department communication between AML, compliance and relevant business unit(s).
Training:
- Establishing and maintaining an AML training program for appropriate personnel that is tailored to the individuals’ roles and responsibilities, addresses industry developments impacting AML risk and regulatory developments, and, where applicable, leverages trends and findings from the firm’s quality assurance controls and independent AML test.
Additional Resources
FINRA
- Anti-Money Laundering (AML) Key Topics Page
- Anti-Money Laundering (AML) Template for Small Firms (September 8, 2020)
- Frequently Asked Questions (FAQ) regarding Anti Money Laundering (AML)
- Industry Risks and Threats – Resources for Member Firms
- SEC Identity Theft Red Flags Rule (Reg S-ID)
Regulatory Notices:
- Regulatory Notice 23-06 (FINRA Shares Effective Practices to Address Risks of Fraudulent Transfers of Accounts Through ACATS)
- Regulatory Notice 22-25 (Heightened Threat of Fraud: FINRA Alerts Firms to Recent Trend in Small Capitalization (“Small Cap”) IPOs)
- Regulatory Notice 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts Through ACATS)
- Regulatory Notice 22-06 (U.S. Imposes Sanctions on Russian Entities and Individuals)
- Regulatory Notice 21-36 (FINRA Encourages Firms to Consider How to Incorporate the Government-Wide Anti-Money Laundering and Countering the Financing of Terrorism Priorities Into Their AML Programs)
- Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers from Online Account Takeover Attempts)
- Regulatory Notice 21-14 (FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse)
- Regulatory Notice 21-03 (FINRA Urges Firms to Review Their Policies and Procedures Relating to Red Flags of Potential Securities Fraud Involving Low-Priced Securities)
- Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection with Potential Account Takeovers and New Account Fraud)
- Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
- Regulatory Notice 19-18 (FINRA Provides Guidance to Firms Regarding Suspicious Activity Monitoring and Reporting Obligations)
FINRA Unscripted Podcasts
- A New Twist on New Account Fraud: Detecting and Preventing ACATS Fraud (May 2, 2023)
- AML Update: The Latest Trends and Effective Practices (May 31, 2022)
- At, By or Through: Fraud in the Broker-Dealer Industry (April 20, 2021)
- Overlapping Risks, Part 2: Anti-Money Laundering and Elder Exploitation (November 10, 2020)
- Overlapping Risks, Part 1: Anti-Money Laundering and Cybersecurity (October 27, 2020)
- Beyond Hollywood, Part II: AML Priorities and Best Practices (May 14, 2019)
- Beyond Hollywood, Part I: Money Laundering in the Security Industry (April 30, 2019)
SEC
- Staff Bulletin: Risks Associated with Omnibus Accounts Transacting in Low-Priced Securities (October 17, 2023)
- Risk Alert: Observations from Anti-Money Laundering Compliance Examinations of Broker-Dealers (July 31, 2023)
- Anti-Money Laundering (AML) Source Tool for Broker-Dealers (May 16, 2022)
- Risk Alert: Compliance Issues Related to Suspicious Activity Monitoring and Reporting (March 29, 2021)
Treasury and FinCEN
- FinCEN Alert to Financial Institutions to Counter Financing to Hamas and its Terrorist Activities (October 20, 2023)
- FinCEN Alert on Prevalent Virtual Currency Investment Scam Commonly Known as “Pig Butchering” (September 8, 2023)
- Advisory on Elder Financial Exploitation (June 15, 2022)
- Advisory on Kleptocracy and Foreign Public Corruption (April 14, 2022)
- Alert: FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts (March 7, 2022)
- Treasury Publishes National Risk Assessments for Money Laundering, Terrorist Financing, and Proliferation Financing (March 1, 2022)
- The Anti-Money Laundering Act of 2020 (June 30, 2021)
- Anti-Money Laundering and Countering the Financing of Terrorism National Priorities (June 30, 2021)
- Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other Anti-Money Laundering Considerations (January 19, 2021)
- Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (October 1, 2020)
- Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic (July 30, 2020)
- FinCEN 314(a) Fact Sheet (February 26, 2019)
- Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (October 25, 2016)
- Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs) (October 25, 2016)
- The SAR Activity Review, Issue 8, Section 5 “Revised Guidance on Filing Suspicious Activity Reports Relating to the Office of Foreign Assets Control List of Specially Designated Nationals and Blocked Persons” (April 2005)
- Interpretive Release No. 2004–02 (Unitary Filing of Suspicious Activity) (December 23, 2004)
Financial Action Task Force
- Risk-based Approach Guidance for the Securities Sector (October 26, 2018)