Regulatory Notice 09-64

Similar documents
Regulatory Notice 10-21

Regulatory Notice 09-33

Regulatory Notice 08-11

Regulatory Notice 11-26

Regulatory Notice 08-26

Notice to Members. Branch Office Definition. Executive Summary. Questions/Further Information AUGUST 2002

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Regulatory Notice 14-39

NYSE and NYSE MKT MEMBERS AND MEMBER ORGANIZATIONS. NYSE Rule 36 - Use of Non-NYSE Provided Cellular Phones on the Floor of the Exchange

COMPLAINT FINANC1AL INDUSTRY REGULATORY AUTHORITY OFFICE OF HEARING OFFICERS. Disciplinary Proceeding SUMMARY

Regulatory Notice 18-27

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Notice to Members. Customer Account Statements. Executive Summary. Questions/Further Information. Background and Discussion

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Table of Contents. PCI Information Security Policy

NASD NOTICE TO MEMBERS 97-58

Regulatory Notice 10-28

Prevention of Identity Theft in Student Financial Transactions AP 5800

Notice to Members. Forms U4. Executive Summary. Questions/Further Information

[Utility Name] Identity Theft Prevention Program

IDENTITY THEFT PREVENTION Policy Statement

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Audit Considerations Relating to an Entity Using a Service Organization

ACH Audit Guide for Third-Party Senders Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2017

Upcoming PIPEDA Changes What is changing and what to do about it

EDENRED COMMUTER BENEFITS SOLUTIONS, LLC PRIVACY POLICY. Updated: April 2017

Data Processing Agreement

Seattle University Identity Theft Prevention Program. Purpose. Definitions

Identity Theft Prevention Policy

TERMS AND CONDITIONS FOR THE USE OF THE WEBSITE AND PRIVACY POLICY

Subject: Kier Group plc Data Protection Policy

CASINO LICENCE APPLICATION

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

The USA PATRIOT Act. Section 314 Info Requests

ALGORITHMIC TRADING AND ORDER ROUTING SERVICES POLICY

Consumer Online Banking Application

Notice to Members. Short Interest Reporting. Executive Summary. Questions/Further Information

ASSESSMENT LAYERED SECURITY

Cleveland State University General Policy for University Information and Technology Resources

PayThankYou LLC Privacy Policy

Institutional Investors Web Registration and Change Form

INTERNAL AUDIT. Chapter 16 9 KATHMANDU, NEPAL, THE HIMALAYA S IN THE BACKGROUND

PRIVACY POLICY. Valid as of

Important Information

PPR TOKENS SALE PRIVACY POLICY. Last updated:

Red Flags/Identity Theft Prevention Policy: Purpose

Privacy Policy. Implemented on: November 2, 2017

Regulatory Notice 13-08

Postal Inspection Service Mail Covers Program

CHIEF EXECUTIVE OFFICER/MANAGING PARTNER AND COMPLIANCE, REGULATORY, AND LEGAL DEPARTMENTS

( Utility Name ) Identity Theft Prevention Program

NASD Notice to Members Request For Comment. Executive Summary

Publications. ACH Audit Requirements. A new approach to payments advising SM. Sound Practices Checklists

Branch Office Supervision Protecting Your Practice Wednesday, December 2 3:15 p.m. 4:15 p.m.

Polar Investment Counsel Inc Home Office: Thief River Falls MN FINRA CRD#: PICI Home Office Policy & Procedures Manual

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

On June 21, 2013, the Financial Industry Regulatory Authority, Inc. ( FINRA ) filed

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

POLICY ON ALGORITHMIC TRADING AND ORDER ROUTING SERVICES

December 21, 1998 BY ELECTRONIC MAIL AND HAND DELIVERY

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

IT ACCEPTABLE USE POLICY

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

Gatekeeper and Notice Requirements For Direct Electronic Access and Routing Arrangements

SIX Trade Repository AG

Qualification Examination Program Restructure and Regulatory Continuing Education (CE) Program Changes Tuesday, October 9 1:00 p.m. 2:00 p.m.

ACH Audit Guide Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2018

Identity Theft Prevention Program. Effective beginning August 1, 2009

DATA PROTECTION AND PRIVACY POLICY

STOCKTON UNIVERSITY PROCEDURE DEFINITIONS

Privacy Notice for Business Partners

NASD Extends the Effective Date of the Uniform Branch Office Definition for Broker-Dealers, and Issues Joint Guidance on Branch Office Issues

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

DATA PROCESSING TERMS

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

CUMBRE VISTA HOMEOWNERS ASSOCIATION, INC. RECORDS INSPECTION AND COMMUNICATIONS POLICY AND PROCEDURE. 1-Pl) ~ \ 1

By accessing your Congressional Federal Credit Union account(s) electronically with the use of Online Banking through a personal computer or any other

RSL NSW SUB-BRANCH STANDARD OPERATING PROCEDURES

Frequently Asked Question Regarding 201 CMR 17.00

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

POMONA EUROPE ADVISORS LIMITED

Terms and Conditions for MPF e-statement/e-advice Service ( Terms and Conditions )

Information Security Policy

Global Statement of Business Continuity

Content. Privacy Policy

Access to University Data Policy

1. General provisions

ma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018

Employee Security Awareness Training Program

MNsure Privacy Program Strategic Plan FY

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

WEBSITE PRIVACY POLICY

Red Flag Policy and Identity Theft Prevention Program

Policy 24 Identity Theft Prevention Program IDENTITY THEFT PREVENTION PROGRAM OF WEBB CREEK UTILITY DISTRICT

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

NERC Staff Organization Chart Budget 2019

CERTIFIED FINANCIAL PLANNER BOARD OF STANDARDS, INC. ANONYMOUS CASE HISTORIES NUMBER 30648

The HIPAA Omnibus Rule

AUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03

Transcription:

Regulatory Notice 09-64 Customer Assets Verification of Instructions to Transmit or Withdraw Assets from Customer Accounts Executive Summary As part of their duty to safeguard customer assets and to meet their supervisory obligations, FINRA firms must have and enforce policies and procedures governing the withdrawal or transmittal of funds or other assets from customer accounts. 1 Among other things, the policies and procedures should be reasonably designed to review and monitor all instructions to transmit or withdraw assets from customer accounts, including instructions from an investment adviser or other third party purporting to act on behalf of the customer. FINRA firms are required to test and verify their procedures for adequacy and to update them when necessary. Questions concerning this Notice should be addressed to: Mike Rufino, Senior Vice President and Deputy, Member Regulation, at (212) 858-4487; or Patricia Albrecht, Assistant General Counsel, Office of General Counsel, at (202) 728-8026. Background and Discussion Recently, several cases involving the misappropriation of customer assets have highlighted the importance of having adequate procedures for verifying the validity of instructions to transmit or withdraw securities or other assets from customer accounts. In some cases, an employee of the firm committed a fraud; in others, outside investment advisers or other third parties purported to be acting on behalf of the customer. A number of the cases involved forged letters of authorization. In some, employees concealed their misconduct by diverting customers genuine account statements to a post office box or address under the employee s control, and replacing them with fabricated statements. Notice Type Guidance Suggested Routing Compliance Legal Operations Senior Management Key Topic(s) Internal Controls Letters of Authorization Supervisory Procedures Transmittal/Withdrawal of Customer Assets Referenced Rules & Notices Information Notice 3/12/08 NASD Rule 3012 NYSE Rule 342.23 NYSE Rule 401 1

09-64 Policies and Procedures NASD Rule 3012 (Supervisory Control System) 2 and Incorporated NYSE Rule 401 (Business Conduct) require all firms to establish, maintain and enforce written supervisory control policies and procedures that, among other things, include procedures that are reasonably designed to review and monitor the transmittal of funds (e.g., wires or checks) or securities: from customer accounts to third-party accounts (i.e., a transmittal that would result in a change of beneficial ownership); from customer accounts to outside entities (e.g., banks, investment companies); from customer accounts to locations other than a customer s primary residence (e.g., post office box, in care of accounts, alternate address); and between customers and registered representatives (including the hand-delivery of checks). The policies and procedures a firm establishes under these rules must include a means or method of customer confirmation, notification or follow up that can be documented. 3 NASD Rule 3012 further provides that a firm must identify in its written supervisory control procedures any of these activities it does not engage in and document that additional supervisory policies and procedures for such activities must be in place before the firm can engage in them. 4 These rules apply to both clearing and introducing firms. While firms may allocate responsibility for complying with particular requirements between the clearing and introducing firms, both firms must have policies and procedures in place to ensure that their respective responsibilities are met. For example, the firms may agree that the introducing firm is responsible for verifying a customer s identity. However, the clearing firm must still have adequate policies and procedures to review and monitor disbursements it makes to third-party accounts, outside entities or an address other than the customer s primary address. A firm s procedures should also specify how instructions to withdraw or transmit assets may be conveyed, including which employees of the introducing firm are authorized to transmit instructions to the clearing firm on the customer s behalf, and both firms are responsible for ensuring that their employees follow their respective procedures. 2 Regulatory Notice

09-64 Additionally, a firm s policies and procedures should include procedures that are reasonably designed to, among other things: Verify that any third party who purports to be acting on behalf of a customer, including any family member, third-party investment advisor or money manager, has been authorized by the customer to take the action in question. Typically, this requires firms to verify that a valid power of attorney has been executed by the customer and that actions taken by the third party are within the scope of the authority conveyed. Verify the identity of a person who appears in person to receive assets and who claims to be the customer. Adequately document the steps taken to verify the information listed above and maintain that documentation in accordance with applicable books and records requirements. Identify and respond to red flags or suspicious activity. If a firm s procedures require heightened review of certain transmittal instructions based on dollar amount thresholds, firms should also be aware that firm employees or third-party investment advisers can learn of the threshold amounts and try to fly under the radar by submitting multiple instructions for lesser amounts. Therefore, firms should take steps to address this risk, including, to the extent possible, limiting dissemination of information about the threshold triggers. While firms procedures must be designed to detect and respond to unusual or suspicious activity, firms must also take into account that fraudulent activity can often flourish when employees fall into a sense of familiarity or routine that can be exploited either by other employees or third parties. Therefore, firms must train their employees to follow all applicable policies and procedures rigorously, even in what appear to be routine situations. Moreover, a firm s policies and procedures should include random sampling and testing of even routine transfers and withdrawals. This helps to verify that employees follow agreed upon procedures and helps deter improper conduct. In addition, firms should closely monitor the use of standing instructions, including standing letters of authorization. Parameters for the instructions should be clear and the authorization kept current. Firms that use automated systems to help monitor transmittals and withdrawals must have adequate means to test and review the effectiveness of such systems just as they must monitor manual systems. Firms should also periodically review and assess the adequacy of their automated supervisory systems and procedures, which can become outdated or ineffective for a variety of reasons, including business growth, consolidation, new technologies, as well as changes in the size, volume and/or frequency of transmittals. Firms are also reminded to make certain that each employee s access to relevant systems is limited strictly to what is appropriate for the employee s function within the firm. Regulatory Notice 3

09-64 Questions to Consider Given the recent number of cases involving fraudulent letters of authorization and other forms of transmittal requests, FINRA urges firms to review the adequacy of their current policies and procedures to verify the validity of such requests. As they do so, firms may find the following questions helpful: What types of transmittals does the firm accept? Do the firm s policies and procedures adequately address all types of permitted transmittals, as well as FINRA s requirements that firm s have procedures specifically designed to review and monitor these transmittals? How are transmittals identified on the firm s books and records, and what exception reports are used to monitor them? Is there any type of transmittal that is not included in exception reports? Does the person(s) responsible for reviewing transmittals have a means to review all transmittals regardless of the form in which they are submitted? If standing letters of authorization are permitted, are there limits on their use? Do they expire after a specified period of time? Are transfers made pursuant to standing letters of authorization subject to heightened scrutiny? Is there a tracking and/or reconciliation process for transmittals? Do the firm s procedures adequately address risks associated with the various ways it allows transmittal requests to be communicated (telephone, fax, email, notarized letter)? Are there clear guidelines for employees regarding letters of authorization and have they been communicated effectively? Do these guidelines allow exceptions, and if so, how are they documented? Is there a separate system to follow up and review the letter of authorization process, and is the level of testing adequate? Are all types of transmittals, based on dollar amount or format, potentially subject to independent verification and testing? Do testing procedures include representative samples of transaction types, volumes and dollar amounts? If procedures include thresholds or parameters to identify transmittals subject to heightened supervision or additional testing, are the parameters adequate given the current transaction volume and average dollar size? Can parties circumvent the parameters by using multiple, smaller transfers that are designed to fly under the radar? 4 Regulatory Notice

09-64 Do any non-employees have access and/or authority over part of the transmittal process (such as signature verification at an introducing broker)? What types of tests are used to ensure that access and authority is properly limited? Are there adequate and clearly communicated escalation procedures for bringing red flags or suspicious activity to senior management s attention? For more information, please listen to FINRA s compliance podcast, which highlights strong practices based on a survey of a sample of FINRA firms. The podcast, Letters of Authorization, was published on January 21, 2009, and is available at www.finra.org/podcasts. Endnotes 1 This Notice does not apply to account transfers made pursuant to ACATS or FINRA Rule 11870. 2 The current FINRA rulebook consists of (1) FINRA Rules; (2) NASD Rules; and (3) rules incorporated from NYSE (Incorporated NYSE Rules) (together, the NASD Rules and Incorporated NYSE Rules are referred to as the Transitional Rulebook).While the NASD Rules generally apply to all FINRA member firms, the Incorporated NYSE Rules apply only to those member firms of FINRA that are also members of the NYSE (Dual Members). The FINRA Rules apply to all FINRA member firms, unless such rules have amore limited application by their terms. For more information about the rulebook consolidation process, see Information Notice 3/12/08 (Rulebook Consolidation Process). 3 See NASD Rule 3012(a)(2(B) and Incorporated NYSE Rule 401(b) (requiring procedures as part of a a firm s internal control requirements prescribed under Incorporated NYSE Rule 342.23). 4 See NASD Rule 3012(a)(2)(B). Incorporated NYSE Rule 401 does not have a comparable provision. 2009 FINRA. All rights reserved. FINRA and other trademarks of the Financial Industry Regulatory Authority, Inc. may not be used without permission. Regulatory Notices attempt to present information to readers in a format that is easily understandable. However, please be aware that, in case of any misunderstanding, the rule language prevails. Regulatory Notice 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback