Firm Settles FINRA Charges for Customer Identification and Identity Theft Prevention Program Failures

A firm settled FINRA charges for failing to implement an anti-money laundering ("AML") program reasonably designed to verify customer identities and detect and report suspicious transactions, and for deficiencies in its identity theft prevention program ("ITPP").

According to the AWC, from January 2019 to June 2023, the firm failed to establish and maintain a Customer Identification Program ("CIP") reasonably designed to verify the true identities of its customers. Among other things, the firm used "several proprietary and third-party automated systems to verify customer identities," and submitted accounts deemed rejected or indeterminate through additional automated reviews "which did not address the specific reasons that certain customer account applications were designated rejected or indeterminate in the initial verification." Thus, the firm approved numerous accounts without forming a reasonable belief of the customers' identities. FINRA found that "the firm approved approximately 350 accounts [where] applicants provid[ed] only the last four digits of [their] social security numbers;" "the firm inaccurately believed its vendor had been verifying complete social security numbers." FINRA stated that the firm also approved accounts for customers "purportedly born in the 1930s and 1940s" without conducting additional verification, "despite the presence of other indicia of potential identity fraud for those customers during the application process."

FINRA found that the firm failed to establish policies reasonably expected to detect and cause the reporting of suspicious transactions. FINRA determined that the firm's AML program lacked comprehensive procedures to link red flags identified during account opening with subsequent suspicious account activity. Instead, the firm relied on automated alerts that only flagged transfers that it "deemed large or excessively frequent," coupled with manual reviews that were inadequate for its customer base due to the millions of customer accounts held at the firm. As a result, the firm failed to detect and reasonably investigate suspicious transactions. FINRA stated that, among other things, the firm did not identify approximately 200 accounts "that had been opened using a common phone number." Moreover, even though the firm's clearing firm "notified [the firm] that it had identified many such accounts as part of a group potentially engaging in suspicious requests to reverse electronic payments that appeared to be indicative of attempted securities free riding," the firm did not take additional investigative steps regarding the use of the common phone number and "allowed additional accounts to be opened using the same number flagged by its clearing firm for almost six additional months." The firm similarly "failed to timely detect that numerous unrelated accounts were opened using email addresses that were routed to the same inboxes or were opened using temporary email address domains."

FINRA also found that the firm failed to develop and implement a reasonable ITPP designed to detect, prevent, and mitigate identity theft in connection with its covered accounts. Prior to October 2021, the Firm primarily relied on customers to report suspected identity theft, or on its clearing firm to report undeliverable mail. FINRA stated that even when alerted to specific identity theft vulnerabilities—such as the use of shared phone numbers—the firm did not implement written monitoring procedures until May 2022. FINRA highlighted that when these procedures were introduced, they failed to specify responsibility, frequency, or escalation protocols, resulting in continued automated approval of accounts despite "indicia of potential identity theft."

FINRA concluded that the firm violated FINRA Rules 3310 ("Anti-Money Laundering Compliance Program") and 2010 ("Standards of Commercial Honor and Principles of Trade"), as well as Regulation S-ID Rule 201 ("Duties regarding the detection, prevention, and mitigation of identity theft").

The firm agreed to a censure and a $450,000 fine.