Verification of Instructions to Transmit or Withdraw Assets from Customer Accounts
Customer Assets
Regulatory Notice
Notice Type: Guidance
Referenced Rules & Notices: Information Notice 3/12/08; NASD Rule 3012; NYSE Rule 342.23; NYSE Rule 401
Suggested Routing: Compliance; Legal; Operations; Senior Management
Key Topic(s): Internal Controls; Letters of Authorization; Supervisory Procedures; Transmittal/Withdrawal of Customer Assets
Executive Summary
As part of their duty to safeguard customer assets and to meet their supervisory obligations, FINRA firms must have and enforce policies and procedures governing the withdrawal or transmittal of funds or other assets from customer accounts.¹ Among other things, the policies and procedures should be reasonably designed to review and monitor all instructions to transmit or withdraw assets from customer accounts, including instructions from an investment adviser or other third party purporting to act on behalf of the customer. FINRA firms are required to test and verify their procedures for adequacy and to update them when necessary.
Questions concerning this Notice should be addressed to:
Background and Discussion
Recently, several cases involving the misappropriation of customer assets have highlighted the importance of having adequate procedures for verifying the validity of instructions to transmit or withdraw securities or other assets from customer accounts. In some cases, an employee of the firm committed a fraud; in others, outside investment advisers or other third parties purported to be acting on behalf of the customer. A number of the cases involved forged letters of authorization. In some, employees concealed their misconduct by diverting customers' genuine account statements to a post office box or address under the employee's control, and replacing them with fabricated statements.
Policies and Procedures
NASD Rule 3012 (Supervisory Control System)² and Incorporated NYSE Rule 401 (Business Conduct) require all firms to establish, maintain and enforce written supervisory control policies and procedures that, among other things, include procedures that are reasonably designed to review and monitor the transmittal of funds (e.g., wires or checks) or securities:
The policies and procedures a firm establishes under these rules must include "a means or method of customer confirmation, notification or follow up that can be documented."³ NASD Rule 3012 further provides that a firm must identify in its written supervisory control procedures any of these activities it does not engage in and document that additional supervisory policies and procedures for such activities must be in place before the firm can engage in them.⁴
These rules apply to both clearing and introducing firms. While firms may allocate responsibility for complying with particular requirements between the clearing and introducing firms, both firms must have policies and procedures in place to ensure that their respective responsibilities are met. For example, the firms may agree that the introducing firm is responsible for verifying a customer's identity. However, the clearing firm must still have adequate policies and procedures to review and monitor disbursements it makes to third-party accounts, outside entities or an address other than the customer's primary address. A firm's procedures should also specify how instructions to withdraw or transmit assets may be conveyed, including which employees of the introducing firm are authorized to transmit instructions to the clearing firm on the customer's behalf, and both firms are responsible for ensuring that their employees follow their respective procedures.
Additionally, a firm's policies and procedures should include procedures that are reasonably designed to, among other things:
If a firm's procedures require heightened review of certain transmittal instructions based on dollar amount thresholds, firms should also be aware that firm employees or third-party investment advisers can learn of the threshold amounts and try to "fly under the radar" by submitting multiple instructions for lesser amounts. Therefore, firms should take steps to address this risk, including, to the extent possible, limiting dissemination of information about the threshold triggers.
While firms' procedures must be designed to detect and respond to unusual or suspicious activity, firms must also take into account that fraudulent activity can often flourish when employees fall into a sense of familiarity or routine that can be exploited either by other employees or third parties. Therefore, firms must train their employees to follow all applicable policies and procedures rigorously, even in what appear to be routine situations. Moreover, a firm's policies and procedures should include random sampling and testing of even routine transfers and withdrawals. This helps to verify that employees follow agreed upon procedures and helps deter improper conduct. In addition, firms should closely monitor the use of standing instructions, including standing letters of authorization. Parameters for the instructions should be clear and the authorization kept current.
Firms that use automated systems to help monitor transmittals and withdrawals must have adequate means to test and review the effectiveness of such systems just as they must monitor manual systems. Firms should also periodically review and assess the adequacy of their automated supervisory systems and procedures, which can become outdated or ineffective for a variety of reasons, including business growth, consolidation, new technologies, as well as changes in the size, volume and/or frequency of transmittals. Firms are also reminded to make certain that each employee's access to relevant systems is limited strictly to what is appropriate for the employee's function within the firm.
Questions to Consider
Given the recent number of cases involving fraudulent letters of authorization and other forms of transmittal requests, FINRA urges firms to review the adequacy of their current policies and procedures to verify the validity of such requests. As they do so, firms may find the following questions helpful:
For more information, please listen to FINRA's compliance podcast, which highlights strong practices based on a survey of a sample of FINRA firms. The podcast, "Letters of Authorization," was published on January 21, 2009, and is available at www.finra.org/podcasts.
1 This Notice does not apply to account transfers made pursuant to ACATS or FINRA Rule 11870.
2 The current FINRA rulebook consists of (1) FINRA Rules; (2) NASD Rules; and (3) rules incorporated from NYSE (Incorporated NYSE Rules) (together, the NASD Rules and Incorporated NYSE Rules are referred to as the Transitional Rulebook). While the NASD Rules generally apply to all FINRA member firms, the Incorporated NYSE Rules apply only to those member firms of FINRA that are also members of the NYSE (Dual Members). The FINRA Rules apply to all FINRA member firms, unless such rules have a more limited application by their terms. For more information about the rulebook consolidation process, see Information Notice 3/12/08 (Rulebook Consolidation Process).
3 See NASD Rule 3012(a)(2)(B) and Incorporated NYSE Rule 401(b) (requiring procedures as part of a firm's internal control requirements prescribed under Incorporated NYSE Rule 342.23).
4 See NASD Rule 3012(a)(2)(B). Incorporated NYSE Rule 401 does not have a comparable provision.