A regional broker-dealer agreed to pay $50,000 to settle FINRA charges of supervisory failures after the firm transferred funds from a customer's account to accounts controlled by a hacker. The hacker submitted fraudulent wire transfer instructions to the firm from the customer's hacked email account.

According to the Letter of Acceptance, Waiver and Consent, the firm (i) had no written supervisory procedures for monitoring wire transfers of customer funds to third-party accounts and (ii) did not confirm with the customer the authenticity of email instructions to transfer funds from the customer's account to third-party accounts. FINRA claimed that, as a result, the hacker was able to authorize the transfer of funds from the customer's account to accounts controlled by the hacker on several occasions before the firm discovered the fraud.

Commentary / Mark Highman

Last week, in an unrelated action, the SEC fined a financial services company for alleged supervisory failures after firm personnel misappropriated funds from customer accounts. Today's action involves alleged supervisory failures that FINRA claimed enabled an external hacker to divert funds from a customer account to third-party accounts through the use of fraudulent email instructions. The message from the regulators is clear: firms must be vigilant in adopting and implementing supervisory systems to guard against internal and external threats that compromise customer accounts. Unless firms have robust procedures to address these issues, they are at risk of regulatory sanctions. FINRA has issued guidance on steps that firms should take to verify instructions to transmit assets from customer accounts. See FINRA Reg. Notices 12-05 and 09-64. For further guidance on cybersecurity issues, please see the Cabinet Topic Page on Cybersecurity and Data Protection.
