The Financial Industry Regulatory Authority (FINRA) has published a new regulatory notice (23-06) addressed to broker-dealers in connection with potential securities fraud involving the transfer of customer securities accounts via ACATS (Automated Customer Account Transfer Service). ACATS is an automated system run by the National Securities Clearing Corporation (NSCC) to facilitate "the transfer of customer account assets from one firm to another". The notice follows a previous regulatory notice (22-21) issued in October 2022 in which FINRA pointed out the regulatory obligations of member firms in this context.
In this new regulatory notice, FINRA presents some potential red flags indicating ACATS fraud and outlines some best practices it has observed among member firms as regards the detection and mitigation of ACATS fraud. Both issues are briefly outlined below:
##### Red flags or possible signs of ACATS fraud
– a transfer has been initiated AND rejected multiple times, e.g. on the basis of wrong or incomplete account information;
– after a successful asset transfer to a different broker account, the firm receives prompt instructions to move the assets again to another account;
– a customer changes its usual pattern of communication with a member firm, e.g. from telephone to e-mail; or
– the communication itself is "untypical" for a customer, e.g. an e-mail now contains unusual grammatical or spelling errors which did not appear in previous communications.
##### Practices to mitigate ACATS fraud
- Verifying Customer Identities for Accounts Established Online: To prevent ACATS fraud, it is key that firms practice due diligence, particularly concerning accounts that are opened online. Such due diligence includes the verification of customer identity by
– deploying adequate technology to perform "likeness checks";
– relying on external data or even contacting third parties to support the firm in its verification process;
– requiring additional information (e.g. financial statements) from the customer;
– closely reviewing customer applications for e-mail addresses, telephone numbers, or external account numbers that occur multiple times, possibly even across different customers;
– monitoring the processing time of an application and the IP address that is used to open an account online (the same IP address being used for multiple account openings may signal fraud); or
– initiating "micro-deposits" in customer accounts that need to be verified.
- Verifying Transfer Requests: If account transfers are to take place, a member firm may take the following steps to ensure that the request is legitimate:
– applying the above noted red flags to detect fraud;
– engaging with third-party vendors, e.g. to verify customer information (name, address, date of birth, etc.) based on an individual's social security number;
– installing systems to monitor the number of transfer rejections;
– obtaining additional information from a customer such as his or her latest account statement;
– sending some form of communication to the customer notifying him or her of the received account request; or
– engaging with the customer account manager to review the request and to ensure that it is expected.
Additionally, firms are well advised to adequately train their staff as to the detection of ACATS fraud and as to the steps they should take, e.g. to verify customer account / transfer information or to escalate an "incident". Furthermore, firms need to investigate any potential fraud and file a suspicious activity report (SAR) pursuant to their statutory obligations.
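Three of the red flags and monitoring steps listed above (repeated transfer rejections, a prompt onward transfer after a completed ACATS transfer, and one IP address behind several online account openings) can be expressed as detection logic over an event log. This is an added example, not part of the FINRA notice or of this article; the event names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the FINRA notice); tune to the firm's own baseline.
MAX_REJECTIONS = 2                  # more rejections than this raises a flag
ONWARD_WINDOW = timedelta(days=3)   # what counts as a "prompt" onward transfer
MAX_OPENINGS_PER_IP = 2             # more online openings than this from one IP raises a flag

# Constructed sample events: (timestamp, account, event type, detail).
EVENTS = [
    ("2023-03-01T09:00", "A-100", "account_opened", "203.0.113.7"),
    ("2023-03-01T09:04", "A-101", "account_opened", "203.0.113.7"),
    ("2023-03-01T09:09", "A-102", "account_opened", "203.0.113.7"),
    ("2023-03-02T10:00", "A-100", "acats_rejected", "account number mismatch"),
    ("2023-03-02T11:30", "A-100", "acats_rejected", "name mismatch"),
    ("2023-03-02T15:45", "A-100", "acats_rejected", "tax id mismatch"),
    ("2023-03-03T08:00", "A-100", "acats_completed", ""),
    ("2023-03-03T16:20", "A-100", "outbound_transfer", "external account"),
    ("2023-03-07T09:00", "B-200", "acats_completed", ""),
    ("2023-03-20T09:00", "B-200", "outbound_transfer", "external account"),
]

def find_red_flags(events):
    """Return a sorted list of (account_or_ip, flag) tuples for manual review."""
    rejections = defaultdict(int)    # account -> number of rejected transfers
    completed_at = {}                # account -> time of last completed transfer
    openings = defaultdict(set)      # source IP -> accounts opened from it
    flags = set()
    for ts, account, kind, detail in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if kind == "account_opened":
            openings[detail].add(account)
        elif kind == "acats_rejected":
            rejections[account] += 1
        elif kind == "acats_completed":
            completed_at[account] = when
        elif kind == "outbound_transfer" and account in completed_at:
            if when - completed_at[account] <= ONWARD_WINDOW:
                flags.add((account, "prompt_onward_transfer"))
    for account, count in rejections.items():
        if count > MAX_REJECTIONS:
            flags.add((account, "repeated_rejections"))
    for ip, accounts in openings.items():
        if len(accounts) > MAX_OPENINGS_PER_IP:
            flags.add((ip, "shared_opening_ip"))
    return sorted(flags)

if __name__ == "__main__":
    print(find_red_flags(EVENTS))
```

A hit is a prompt for the verification steps listed above (customer contact, account manager review), not proof of fraud.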