A New Twist on New Account Fraud: Detecting and Preventing ACATS Fraud

In recent months, FINRA has published two Regulatory Notices regarding the fraudulent transfer of customer accounts using an automated system called ACATS. On this episode, we'll hear all about what goes into the creation of a Reg Notice and take a deep dive on this particular issue. Plus, we'll hear about some information that didn't make it into the most recently published Notice.

FINRA Unscripted welcomes three new guests, Chris Hunter, Principal Analyst with Risk Monitoring, Emily Kahn, Principal Intelligence Specialist with the Financial Intelligence Unit, and Lindsey Barnett, Senior Principal Investigator with the Special Investigations Unit, to talk about Regulatory Notices 23-06 and 22-21.

Resources mentioned in this episode:

Reg Notice 23-06: FINRA Shares Effective Practices to Address Risks of Fraudulent Transfers

Reg Notice 22-21: FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts

Reg Notice 21-18: Practices Used to Protect Customers From Online Account Takeover Attempts

Reg Notice 20:32: FINRA Reminds Firms to Be Aware of Fraudulent Options Trading

Rule 11870: Customer Account Transfer Contracts

BSA E-filing System

Episode 127: FINRA’s Risk Monitoring Team

Listen and subscribe to our podcast on Apple Podcasts, Google Podcasts, Spotify or wherever you listen to your podcasts. Below is a transcript of the episode. Transcripts are generated using a combination of speech recognition software and human editors and may contain errors. Please check the corresponding audio before quoting in print. 

FULL TRANSCRIPT

00:00 - 00:20

Kaitlyn Kiernan: In recent months, FINRA has published two Regulatory Notices regarding the fraudulent transfer of customer accounts using an automated system called ACATS. On this episode, we'll hear all about what goes into the creation of a Reg Notice and take a deep dive on this particular issue. Plus, we'll hear about some information that didn't make it into the most recently published Notice.

00:20 – 00:29

Intro Music

00:29 - 01:00

Kaitlyn Kiernan: Welcome to FINRA Unscripted. I'm your host, Kaitlyn Kiernan. I'm excited to welcome three new guests to today's show from FINRA's Member Supervision team to take a deep dive into a recent Regulatory Notice related to fraudulent transfer of customer accounts. Joining us today are Chris Hunter, Principal Analyst with Risk Monitoring, Emily Kahn, Principal Intelligence Specialist with the Financial Intelligence Unit, and Lindsey Barnett, Senior Principal Investigator with the Special Investigations Unit. Lindsey, Emily and Chris, welcome to the show.

01:00 - 01:01

Emily Kahn: Thank you.

01:01 - 01:02

Lindsey Barnett: Thanks.

01:02 - 01:11

Kaitlyn Kiernan: So, to kick us off, can you each introduce yourselves and tell us a little bit about what you do at FINRA and a little bit about your respective teams? Emily, maybe we can start with you?

01:11 - 01:40

Emily Kahn: Sure, I'll get started. I'm an Analyst in the Financial Intelligence Unit, or FIU. The FIU was created to proactively identify threats to the industry and also to investors. I like to say that our job is like putting together a puzzle without the box top. So, we're assessing a lot of different conflicting pieces of incomplete information, and we're using that information to create a product for our stakeholders that they use to make decisions and also address risks.

01:41 - 01:42

Kaitlyn Kiernan: And Lindsey, how about you?

01:43 - 02:19

Lindsey Barnett: So, I'm on the Special Investigations Unit, also known as the SIU. We're a frontline investigative team that monitors for anti-money laundering risk and fraud risk. We are comprised of the legacy Anti-Money Laundering unit and the new Anti-Fraud team. I'm on the Anti-Money Laundering team and we conduct complex, high-risk AML and fraud investigations, and we also partner with other FINRA departments and financial industry and regulatory and law enforcement agencies to help protect investors and the markets from financial crimes and money laundering.

02:20 - 02:22

Kaitlyn Kiernan: Thanks, Lindsey. And Chris, do you want to wrap us up?

02:23 - 02:43

Chris Hunter: Thank you. So, I'm a part of Risk Monitoring. My team is responsible for the day-to-day monitoring of our member firms. We are the primary contact for member firms and responsible for assessing and analyzing risk at our firms. Risk includes operational, financial and sales practice-related risk.

02:43 - 03:01

Kaitlyn Kiernan: Thanks, Chris. And for anyone who missed it, we just had a deep dive on the Risk Monitoring team on Episode 127, so be sure to check that out for more on that team. Now before we dig into the Reg Notice that I mentioned at the top, what makes the Reg Notice, generally, such an important tool for FINRA?

03:02 - 03:24

Emily Kahn: So, the Reg Notice is an important tool for FINRA because it allows us to get information out to the firms in a timely manner. The Regulatory Notices cover a variety of topics and usually include guidance on the specific issues in the Notice and also raise awareness, which can lead to additional input from firms and investors.

03:24 - 03:38

Kaitlyn Kiernan: Thanks, Emily. And how does FINRA determine whether something rises to the level of a Reg Notice? Sometimes we'll have a Reg Notice on cyber issues. Other times it might be a social media post. So, how do we determine what becomes that Reg Notice?

03:38 - 04:09

Emily Kahn: Well, it depends. Like I said, it's one of the most important tools FINRA has because it allows us to reach the broadest audience possible, which also includes material issues that affect a wide array of firms. So, it depends on the topic. It could be emerging threats to the industry, it could be something that's new or novel. It could also be maybe a variation on something that is an old issue, or it could just be reminding firms of their obligations in a certain area.

04:09 - 04:27

Kaitlyn Kiernan: Now, today, we're all here to talk about Reg Notice 23-06, which is related to the fraudulent transfer of customer accounts using the ACATS system, which stands for Automated Customer Account Transfer Service. Chris, what prompted the need for this particular Notice?

04:27 - 05:17

Chris Hunter: The Regulatory Notice is a result of concerns raised by FINRA members regarding account transfer fraud. Firms identified a new type of new account fraud, ACATS fraud, and escalated the concerns to FINRA. Specifically, there has been an increased number of fraudulent transfer of customer accounts via the Automated Customer Account Transfer Service, otherwise known as ACATS, in which a bad actor will use the stolen identity of a legitimate customer to open an online brokerage account and request an ACATS transfer from a legitimately opened account. Due to these concerns, FINRA took a proactive approach to assess the issue related to fraudulent account transfer. FINRA teams held discussions internally and with firms to understand what the issues were and assess how the fraud was occurring.

05:18 - 05:34

Kaitlyn Kiernan: Thanks, Chris. And for people who have been following FINRA Reg Notices for a while, they may have noticed that they're coming out a little bit more quickly than they have in the past. Emily, what's behind this effort to speed the pace from an issue being flagged to getting out to firms?

05:35 - 06:03

Emily Kahn: Well, it's really that FINRA recognizes that the threat landscape is changing and it's evolving even more quickly than it has in the past. So, the faster that we get the information out to the industry, the faster that they can assess what's going on at their firm and address it and mitigate the issue if it does occur. We really feel like when you're involved in the process of solving a problem, you feel more connected to the problems and also more connected to solving those problems.

06:03 - 06:08

Kaitlyn Kiernan: And what does it take to get these Notices out the door more quickly?

06:08 - 06:56

Emily Kahn: It takes a lot of people. It takes talking with firms. It takes communicating with multiple groups across FINRA and individuals with specific expertise, subject matter experts in different areas, and anyone in a FINRA group who has a touchpoint to this issue in some way. So, for example, for this Regulatory Notice, we leveraged a lot of people that have knowledge of account fraud, AML and also just the ACATS system in general. So, after we draft up the Regulatory Notice, then we go back out and we meet with those people again and we get more feedback. And then we also work with the Office of General Counsel so that we make sure that we're not only working to get this out quickly, but it's also something that's informative to the industry and helpful.

06:56 - 07:13

Kaitlyn Kiernan: I think you can tell it takes a lot of people, just based on this podcast, we've got three people here with us from three different teams within Member Supervision. So, that really highlights it right there. And what other tools does FINRA have to get information to the industry quickly, even if it's not a Reg Notice?

07:13 - 07:55

Emily Kahn: Well, we have this podcast that we're all on right now, but we also have the FINRA Annual Conference, which is coming up in May, and we have the Annual Report on Examinations and Risk Monitoring, which comes out in the beginning of the year every year. And we hold firm committee meetings to discuss different topics. And we have multiple touchpoints throughout the year in our exam process. We also have multiple touchpoints throughout the year with our Risk Monitoring staff, and we're exploring new ways to utilize roundtable discussions more, hoping to promote some type of sharing or intelligence sharing within FINRA, but also within the industry, within the firms together.

07:55 - 08:05

Kaitlyn Kiernan: Now let's dig into this Notice a little bit more. Lindsey, at a high level, what was this Reg Notice, Notice 23-06 really about?

08:06 - 09:25

Lindsey Barnett: So, this Notice is about continuing to bring awareness to the increase of fraudulent ACATS transfers. It provides some insights into the indicators of the fraud seen by firms and best practices for deterrence and mitigation. It also expands on the obligations under the applicable rules and laws. And for those who are unfamiliar, ACATS is an automated system that facilitates the transfer of customer accounts from one firm to another, between the delivering firm and the receiving firm. The delivering firm is the firm that maintains the assets that would be moving out of the account into the account at the receiving firm. We see ACATS fraud, as Chris mentioned, as a type or a subtype of new account fraud. And new account fraud is when a bad actor opens up an account using a fake or a stolen identity. And ACATS fraud occurs when a bad actor opens up a fraudulent account at the receiving firm using stolen or parts of stolen customer information and then sets up an ACATS transfer using a Transfer Instruction Form, or a TIF, with the legitimate customer's account at the delivering firm. The receiving firm then would initiate the ACATS transfer request.

09:26 - 09:35

Kaitlyn Kiernan: So, it sounds like this is actually a little trickier to detect because it is real customer data. It's not fake like in other types of customer account fraud.

09:35 - 10:14

Lindsey Barnett: Yes. So, they would be using stolen or parts of stolen customer data to initiate the transfer request and the rules governing ACATS transfers like FINRA Rule 11870 provide guidance that the delivering member must accept or reject the transfer request within one business day, not taking into account any exemptions. But since this is a generally quick process, FINRA has some concerns that bad actors would be taking advantage of these efficiencies of ACATS and thus why we wanted to get this notice out to the industry.

10:14 - 10:20

Kaitlyn Kiernan: That's interesting. And are there certain member firms that are more susceptible to ACATS fraud than others?

10:21 - 10:45

Lindsey Barnett: So, while this could occur at any firm, FINRA has observed that firms that allow online account opening or account opening through mobile applications are at a heightened risk for both new account fraud and ACATS fraud. And this is because accounts opened electronically are easier to open using fraudulent or stolen information rather than when a customer is meeting with a broker face to face.

10:46 - 11:00

Kaitlyn Kiernan: That makes sense. But I feel like that might be a lot of accounts these days being opened remotely. And now, Emily mentioned a few of the other teams involved, but Chris, can you detail any more information about how FINRA worked across the organization on this Notice?

11:00 - 11:29

Chris Hunter: Yeah. This Regulatory Notice was a collaborative effort across multiple FINRA teams—Risk Monitoring, National Cause and Financial Crimes and the Financial Intelligence group was involved in drafting this Notice. Senior management from each of these groups also took an active role in understanding the concerns and advising on potential solutions. Senior management also worked on putting together the teams to work on a Regulatory Notice, so it's really a collaborative effort across multiple FINRA teams.

11:29 - 11:43

Kaitlyn Kiernan: So, this is actually the second Reg Notice regarding ACATS fraud in less than six months. Late last year, we had Reg Notice 22-21 also touching on ACATS. Emily, how might this reflect the effort to get information out sooner?

11:44 - 12:44

Emily Kahn: The first Regulatory Notice was our alert to the membership, to the industry. We wanted to get them the information as fast as possible, like I mentioned before. Helping to keep them in the loop helps them to be able to identify and mitigate this issue if they're seeing it at their firm. And, also, it helps firms and investors to know who to reach out to about the issue if they think they're seeing this. The second Regulatory Notice was a lot more expansive, and that Regulatory Notice was informed by all the conversations that we had with the affected firms and, also with our exam staff that are working on any related matters. It contains a lot more detailed information, including red flags or indicators of ACATS fraud, also best practices for deterrence and mitigation of ACATS fraud. And we're hoping that this is part of that effort to help firms learn from each other and create that intelligence sharing forum within the industry.

12:45 - 12:54

Kaitlyn Kiernan: You mentioned a lot of collaboration and talking to firms. Can you tell us a little bit more about the process of gathering the effective practices that end up in a Reg Notice?

12:55 - 13:25

Emily Kahn: So, there's several ongoing investigations within FINRA and we leverage those teams and the subject matter experts within the organization that have expertise in different areas, like I mentioned before in AML, the ACATS system, also with new account fraud because we know that's connected and also getting information from the firms about what they're seeing. And when you put that information all together, this helps, hopefully, other firms that are working to identify this issue.

13:26 - 13:38

Kaitlyn Kiernan: Now, when you're looking to get a Notice out quickly, I'm sure there's some information that doesn't make the cut. Chris, is there anything you can share that didn't make it into the Reg Notice that might be useful for firms to know?

13:38 - 14:08

Chris Hunter: Sure, so, we receive feedback from firms on their effective practices, and we use that information to identify trends and we utilize the most common threats in the Regulatory Notice. So, we avoided using any information that was firm specific. But as part of our day-to-day assessment of risk, we receive other information reports on where bad actors receive stolen information. Third-party service providers used by investors has been a source of data theft that can be used to commit fraud.

14:09 - 14:13

Kaitlyn Kiernan: And how can firms benefit from just knowing where the information is coming from?

14:13 - 14:39

Chris Hunter: As consumers, we have accounts all over the Internet. We open accounts with Yahoo!, for example, or we have a Facebook account. And within that there's personal information that's attributed to each person. So, unless each third-party service provider has good controls when it comes to cybersecurity and are diligent in protecting consumer personally identifiable information, it's very difficult for firms to pinpoint that source.

14:39 - 14:50

Kaitlyn Kiernan: So, we all have a lot of vulnerabilities there. And Lindsey, what are the indicators of ACAT fraud and how is it maybe related to or different from new account fraud?

14:50 - 16:43

Lindsey Barnett: So, two indicators of ACATS fraud that we've seen. So first, we've seen that ACAT transfers shortly after account opening and, also the money moves out of the account very quickly after the bad actor receives the assets via ACATS. A bad actor's goal would be to move the assets out of the account before the legitimate customer notices and reports it as either fraudulent or unauthorized. So, in general, we're seeing this whole scheme occur really quickly, even from the start of the account opening. The second would be repeated rejections of transfer requests. So, if there's a pattern of repeated rejections, it may be worth taking a look because those repeated rejections could be a result of errors in basic account information that a legitimate customer would presumably know. So, it might be worth taking a look to review if there are any repeated rejections of transfer requests.

We've talked about new account fraud a little bit, ACATS fraud as a subtype of new account fraud. So, I'm just going to go over some indicators of new account fraud. Just know that other frauds may be underlying these red flags, but it may be worth taking a look if you see any of these occurring at your firm to see if ACAT fraud is occurring or if anything else is occurring as a result. So, the first would be same customer information across seemingly unrelated accounts. So, this could be anything like email addresses, phone numbers, physical address, same Social Security number, for example. If there were 100 accounts opened up with the same Social Security number with different names, different date of births, different email addresses, that would be a red flag that this might not be the same person, and this could be compromised information and an indicator of new accounts fraud.

16:44 - 16:47

Kaitlyn Kiernan: That definitely seems suspicious there.

16:47 - 17:48

Lindsey Barnett: It definitely seems suspicious. So, if there's any seemingly unrelated accounts that have matching customer profile information, it's definitely worth taking a look to see what's going on there. Also, the use of temporary or fictitious email addresses. So, temporary email addresses are really interesting. They're only valid for a predetermined set amount of time, so they could be valid for a week, open up an account and then once that time period passes, they are no longer in service. Also, we've seen the account opening using just fake email addresses or invalid phone numbers. And of course, lastly, rapid account opening. So, seeing a large amount of accounts opened within seconds of each other, especially if they're connected with similar account opening customer profiles. That can be an indicator that there might be some sort of automated system that's mass opening accounts.

17:48 - 17:52

Kaitlyn Kiernan: And how do you tell if an account has one of those temporary email addresses you mentioned?

17:53 - 18:20

Lindsey Barnett: I like to say when in doubt, use Google because I've come across a lot of domain names that I just don't recognize. You type it into Google, and it usually comes up right away. These email domains are not hiding that they're temporary. They're usually advertising that they're a temporary email address. So, if you don't see the traditional Gmail, Hotmail and so on, Google is a good resource.

18:21 - 18:29

Kaitlyn Kiernan: That's all great information. Thanks, Lindsey. And Chris, what is the risk to firms from fraudulent ACAT transfers?

18:29 - 18:49

Chris Hunter: Firms with inadequate account transfer controls allow for potential reputational damage, loss of consumers' trust, as well as potential financial losses. In today's world, it really takes one customer voicing a concern that could negatively impact the firm's reputation and cause other customers to review their relationships with that firm.

18:49 - 18:58

Kaitlyn Kiernan: Thanks, Chris. And Lindsey, you gave a lot of great red flags, but is there anything else firms can do to mitigate the risk other than monitoring for those red flags you mentioned?

18:59 - 21:14

Lindsey Barnett: Yeah. So, there's a ton of things firms can do. A lot of them are outlined in the Reg Notice. I'll just touch on three for now. Number one, staying up to date on all rules, Reg Notices, including this one, 23-06, and 22-21. The second would be verifying customers' identities online, so taking an extra step to verify that identity. So, using documentary and potentially also non-documentary methods of review. So, a documentary method would be getting the customer's ID and a non-documentary method could be getting a financial statement. Just want to add the caveat that if you are getting non-documentary information, it may be worth doing a cursory review just to make sure nothing looks like it was blatantly forged or altered, as well. Another thing firms can do to verify customer identities online is using micro deposit confirmations.

And then thirdly, enhancing the review of transfer requests. So, there's things that the receiving firm can do so that again, that's the firm that's receiving the transfer request. So, those firms could request the accounts statement of the other account to verify that that account is actually owned by the person who wants to transfer the request to. And then the delivering firm can notify their customers through push notifications, so they could send a notification via phone or email and let the customer know that a transfer request has been made by them or on their behalf and if that is not the case, please reach out.

And lastly, just wanted to remind firms of their obligation to report fraud or potential fraud through the BSA e-filing system. Just note that this does help regulators and law enforcement identify frequent bad actors across the industry and helps prevent further damage. And file any customer complaints with FINRA or the appropriate regulatory agency. And I believe we will have some resources linked as well.

21:15 - 21:30

Kaitlyn Kiernan: Yes, definitely. So, you can check out our show notes for links to the Reg Notices mentioned and then other resources as well. And now just to wrap up, FINRA's mission is investor protection, market integrity, and Chris, how does this all tie back to that mission?

21:31 - 22:04

Chris Hunter: FINRA’s approach to both Regulatory Notices issued on account transfer fraud highlights a direct and proactive approach to addressing new threats once they are identified. The first Regulatory Notice outlined the threats and gave firms an opportunity to review their internal procedures to address potential concerns related to fraudulent transfer of customer accounts. The second Regulatory Notice provided effective ways to address the threat. By approaching the threats in this manner, FINRA is equipping firms with intelligence required to protect investors and protect the firms from incurring losses as well.

22:05 - 22:47

Kaitlyn Kiernan: Well, thank you, Chris, Emily and Lindsey for joining me today to talk about these recent Reg Notices. It's been interesting to not just hear a little bit about the behind-the-scenes process, about the Reg Notice, but also more tips on preventing this type of fraud in particular. So, thanks again for joining me. That's it for today's episode of FINRA Unscripted. For our listeners, if you have any questions or comments on today's episode, you can email us at [email protected]. You can be sure to subscribe to FINRA Unscripted wherever you listen to podcasts to stay up to date on all of our latest episodes. Today's episode was produced by me, Kaitlyn Kiernan, engineered by John Williams and coordinated by Hannah Krobock. Thanks for listening.

22:47 – 22:52

Outro Music

22:52 - 23:20

Disclaimer: Please note FINRA podcasts are the sole property of FINRA, and the information provided is for informational and educational purposes only. The content of the podcast does not constitute any FINRA Rule or amendment or interpretation to such rules. Compliance with any recommended conduct presented does not mean that a firm or person has complied with the full extent of their obligations under FINRA Rules, the rules of any other SRO or securities laws. This podcast is provided as is. FINRA and its affiliates are not responsible for any human or mechanical errors or omissions. Parties may not reproduce these podcasts in any form without the express written consent of FINRA.