On March 20, FINRA accepted a Letter of Acceptance, Waiver, and Consent (AWC) with an online brokerage firm, censuring and fining the firm $450,000 for alleged deficiencies in its anti-money laundering program, customer identification program, and identity-theft prevention program. According to the AWC, FINRA alleged violations of the Bank Secrecy Act, FINRA Rules 3310 and 2010, and Regulation S-ID.
According to FINRA, the alleged deficiencies spanned January 2019 through June 2023 and arose during a period of rapid growth in the firm’s online brokerage business. The AWC states that FINRA viewed the firm’s written policies, procedures, and controls as not reasonably designed for the size and nature of its customer base, particularly in connection with account opening, suspicious activity detection, and identity-theft red flags.
Key allegations include:
- Customer identification deficiencies. FINRA alleged that the firm did not maintain a reasonably designed customer identification program and approved certain accounts without sufficiently verifying customer identity.
- Suspicious activity monitoring deficiencies. FINRA alleged that the firm’s AML monitoring relied too heavily on automated alerts focused on large or frequent deposits and withdrawals, without adequate procedures connecting account-opening red flags to later account activity. The AWC also states that the firm failed to timely identify patterns involving shared phone numbers, shared inboxes, and temporary email domains.
- Identity-theft program deficiencies. FINRA alleged that, prior to October 2021, the firm primarily relied on customers to self-report identity theft and did not timely update its written Identity Theft Prevention Program even after learning of potential fraud methods.
Putting It Into Practice: Federal regulators continue to scrutinize whether financial institutions’ BSA/AML, customer identification, and fraud-prevention controls are reasonably designed for the size and nature of their businesses (previously discussed here). Broker-dealers and other firms offering digital onboarding should review whether red flags identified at account opening are incorporated into ongoing transaction monitoring and escalation processes.
