On February 2nd, the SEC, FINRA and the North American Securities Administrators Association (NASAA) all released cybersecurity reports and alerts.
The SEC and NASAA alerts provided valuable benchmarks for brokers and investment advisers with regard to cybersecurity practices. FINRA’s report provided both benchmarks and deeper coverage of the kinds of controls that their members should be contemplating, many of which have been addressed in my prior blogs, articles and white paper.
FINRA’s report on cybersecurity included a case study reference relating to AML, an oft neglected component of cybersecurity discussions. Although cybersecurity typically focuses on the protection of a potential target’s systems, the attack supply chain generally also includes an enabler. Where the purpose of the cyber-attack is U.S. market manipulation, that enabler will be a U.S. regulated entity. The enabler may also help cyber criminals move funds to other institutions in foreign jurisdictions with weaker compliance standards.
In their case study reference, FINRA summarized two AML-related actions. Both actions involved the opening of accounts for higher risk foreign customers. In both cases, those customers then engaged in a pattern of fraudulent trading whereby they would hack into customer accounts at other broker-dealers and trade in a manner (usually involving thinly traded securities) designed to benefit their own accounts and harm the accounts that they hacked into. For example, one customer engaged in a “pump and dump” scheme whereby they would buy shares, then cause the accounts they hacked into to purchase those shares before selling out their shares for a profit. FINRA found, in both cases, that the firms that opened the cyber criminals’ accounts did not have: (i) AML policies and procedures adequately tailored to the firm’s business in order to detect and report suspicious activity; or (ii) a reasonably designed customer identification program.
AML has been a priority for FINRA for some time, independent of cybersecurity. For example, in their 2015 Regulatory and Examinations Priorities Letter, FINRA reaffirmed AML as a priority and noted that they would be increasingly focused upon: (i) the adequacy of a firm’s processes to identify suspicious transfers to and from cash management accounts and to verify the purpose of the activity in these accounts; and (ii) the monitoring of DVP/RVP accounts for suspicious transfers, as well as whether adequate due diligence is occurring respecting registration of securities. The market manipulation that occurred in the case studies cited above is just one of FINRA’s major concerns, the primary others being microcap fraud and insider trading. Nonetheless, the seriousness with which FINRA views violations of AML has implications for firms that enable cyber criminals, even inadvertently.
The SEC and FINRA are taking AML violations very seriously. One year ago, FINRA levied an $8,000,000 fine against Brown Brothers Harriman and suspended their AML compliance officer despite his having established an AML oversight practice and warning his superiors about the problematic activity. The SEC recently fined Oppenheimer $20,000,000 for AML violations. While both actions related to the trading of unregistered securities, both were cases in which the firms’ failures to act as “gatekeepers” to identify bad actors resulted in substantial penalties and reputational damage under current AML regulation.
In light of the threat of inadvertently becoming an enabler of cyber criminals, AML due diligence processes should incorporate searches for whether the prospective customer and associated persons have been linked to hackers or cyber-attacks, particularly for higher-risk prospects. Such searches should leverage the information sources that a firm’s cybersecurity function uses. In addition, the monitoring of transactions of riskier customers needs to be adjusted accordingly. For example, a hacker with control of multiple accounts has greater control of the timing of the transactions that damage its victims and thus can more rapidly cause a spike in the price of a security. Thus, onboarding and transaction supervision need to be adjusted accordingly.
The importance of AML to cybersecurity, and vice versa, goes beyond preventing cyber criminals from opening accounts or limiting their activities within an account. The first indicators of an information security breach, suspicious transaction(s) or funds movement(s) can provide valuable information to each function. Customer activity that may be a possible basis for a Suspicious Activity Report (SAR) should also be viewed as a potential information breach. Such activity may be the first indicator of a hacked account and instantly relevant from a cybersecurity perspective. Similarly, a detected cybersecurity breach may be the first indicator of, or otherwise relevant to, a financial crime from the perspective of an AML compliance officer. For example, during a distributed denial of service (DDoS) attack on a system (where cyber attackers effectively bombard a system with attacks, often to distract from another more nefarious purpose), the AML function should be on heightened alert as to other suspicious activity relating to customer and even firm accounts. This argues for cooperation across the functions on incident detection as well as on onboarding clients.
AML has been an established function across financial firms for longer than cybersecurity has. It generally resides within the general compliance function or in its own separate function. Information security, on the other hand, is usually initially viewed as residing within the technology and/or security functions, although typically with a layer of compliance oversight in regulated firms. A firm’s compliance office is thus clearly best positioned to facilitate greater coordination between these two functions. In short, facilitating greater coordination across these two functions is a cost-effective measure that will yield an improved information security and AML environment.