Broker-dealers fall short in knowing their clients

It looks like broker-dealers are failing in their due diligence efforts on clients, as required by FINRA’s new Rule 2090. (FINRA is the largest non-governmental regulator of all securities firms doing business in the United States, and handles nearly every aspect of securities-related matters, from registering and educating industry participants, to writing and enforcing rules and the federal securities laws.)

According to several industry reports, the most violated rule this year has been a failure by broker-dealers to comply with FINRA’s know-your-customer obligations, now under Rule 2090 issued in July 2012. The rule, which is generally modeled after the former NYSE Rule 405(1), requires firms to use reasonable diligence regarding the opening and maintenance of every account in order to “know the essential facts concerning every customer.” The rule explains that “essential facts” are those required to:

  • effectively service the customer’s account;
  • act in accordance with any special handling instructions for the account;
  • understand the authority of each person acting on behalf of the customer; and
  • comply with applicable laws, regulations, and rules.

The know-your-customer requirements arise at the beginning of the relationship and do not depend on whether the broker has made a recommendation. Unlike the former NYSE Rule 405, Rule 2090 does not specifically address orders, supervision or account opening, which are areas that are explicitly covered by other rules.

In conjunction with this know-your-customer rule, FINRA has adopted transaction suitability Rule 2111, framed after the former NASD Rule 2310, which requires that a firm or associated person “have a reasonable basis to believe that a recommended transaction or investment strategy involving a security or securities is suitable for the customer, based on the information obtained through the reasonable diligence of the member or associated person to ascertain the customer’s investment profile.” According to FINRA, the measures constituting a reasonable diligence will vary depending on, among other factors, the complexity of and risks associated with the security or investment strategy and the firm’s or associated person’s familiarity with the security or investment strategy.

Rule 2111 further defines a customer’s investment profile, specifying that it includes, but is not limited to, the customer’s age, other investments, financial situation and needs, tax status, investment objectives, investment experience, investment time horizon, liquidity needs, risk tolerance, and any other information the customer may disclose to the member or associated person in connection with such recommendation. Accordingly, a broker must attempt to obtain and analyze a broad array of customer-specific factors, and also determine quantitative suitability if the broker has actual or de facto control over a customer account.

FINRA now makes it clear that a broker must have a firm understanding of both the product and the customer, and that the lack of such an understanding itself violates the suitability rule.

“Misspelling to defraud,” a case study from our files

The subject’s biography provided along with our client’s request for due diligence in connection with a private equity funding transaction was ridden with misspellings. And it did not say much, apart from boasts of professional accomplishments and financial success, and the subject’s self-description of being a “people-person who likes to travel.” But even with the biography’s vague statements and typos, our research quickly found that the subject’s company, which contained a transposed letter in its name, was affiliated with a Mexican multi-level marketing operation whose executives were recently arrested or are wanted by authorities for setting up allegedly fake websites whereby they defrauded investors for millions of dollars. As our research continued, we located media reports and online documents which indicated that the fraud spanned across three continents, and involved at least four other entities closely held by the subject, whose names were not listed in the biography. And according to various government sources, there is also mounting evidence of money laundering. Our client, although somewhat surprised by our findings, immediately halted the funding transaction.

Business identity theft: a crime that often goes unreported

According to the Federal Trade Commission (FTC) data from its Consumer Sentinel Network (CSN), an online database of consumer complaints available only to law enforcement, identity theft was the top consumer complaint in 2011, accounting for 17% or 287,232 complaints of the 1.8 million received; 990,242 of these cases involved fraud.

There are no reliable federal or state statistics that specifically track business identity theft, but various studies suggest that businesses do not report the crime because of the stigma attached to it. The company’s credibility and trust of its clients may never recover if they admit to being a victim.

Business identity theft comes in many forms. Posing as a look-alike or sound-alike business, and impersonating owners, officers or employees to illegally get cash, credit, and loans, is just one example. Thieves typically steal a business’ identity by gaining access to its bank accounts and credit cards, or by stealing sensitive company information, such as its tax identification number (TIN) and the owners’ personal information. Elaine Marshall, North Carolina’s Secretary of State, sees an increasing number of cases involving falsified documents. Marshall says that “the easiest targets are dissolved corporations, because whoever ran those defunct businesses usually no longer pays attention. Somebody comes 20 years later and reinstates it, and it looks like it’s a 40-year-old corporation. And if it was in good standing financially when it was dissolved, then

[the thief] will capitalize on that good standing.”

Indeed businesses have become easy targets for identity theft. Almost anyone can obtain a business’ tax identification number. A merchant’s basic financial information, including bank account numbers, may be known to hundreds of its customers and suppliers. Data access can be exploited by employees and insider theft, and fraud is often difficult to detect, especially when carried out by trusted employees. Many businesses do not review their own credit information for fraud and may be lax in shredding or disposing of documents. Although more businesses are conducting background checks on employees and suppliers, only a few ensure the integrity of their commercial shredding contractors and even fewer conduct background checks on in-house or contracted cleaning staff. And many companies are simply complacent in data security.

The Internet carries the highest perpetration of criminal theft and fraud. Since 2002, the FBI has recorded an 84% increase in the number of computer intrusion investigations. Cyber thieves use the web to obtain goods, services, and money while exploiting time-lags in discovery and investigation. They also prowl for valuable non-ID specific business data including confidential e-mails, customer and marketing data, bid and pricing sheets, and trade-secrets. In the financial services sector, the vast majority of transactions, including credit cards and debit cards, and even mortgage funding, occur online in virtual anonymity without the risks associated with in-person transactions. Because such identity theft crimes take place in cyber-space, police often must coordinate with other state, federal, or international agencies. And even when jurisdictional issues are resolved, often only high-profile offenders actually face criminal prosecution.

In this complex and dangerous environment, a proactive approach to preventing business identity theft is critical, and should include:

  • Security policies based on the highest reasonably assessed risk, including limiting the number of persons with a valid need to access sensitive information;
  • Corporate governance which advocates strong security planning;
  • System audits and tests to ensure detection of inappropriate usage and other vulnerabilities;
  • Background checks of all employees, key vendors, and contractors including document shredding entities, cleaning personnel, etc.;
  • Annual reviews of Secretary of State and other public filings;
  • Annual or more frequent reviews of Dun & Bradstreet reports, and if applicable, small business reports with Equifax, Experian and TransUnion;
  • Practice of excluding sensitive personal or business information in public filings;
  • Shredding or destroying business records as applicable;
  • Securing paper documents in locked cabinets in restricted areas;
  • Using privacy screens with smart phones, laptops, etc., when accessing sensitive information while traveling; and
  • Obtaining business insurance that covers potential business identity theft losses.

There are many online information and action resources for identity theft. The FTC provides comprehensive guidelines for prevention and recovery from identity theft, along with complaint forms. The Identity Theft Resource Center also contains excellent reference materials, including links to state and local agencies, as do the Privacy Rights Clearinghouse and the National Consumers League. 

Overview of identity theft related crime laws

Below is an overview of federal laws in connection with identity theft crimes.

  • The Identity Theft and Assumption Deterrence Act (the “ITADA”)

The ITADA, passed in 1998, makes identity theft a distinct crime from wire fraud, covers theft of data (as well as documents), and encompasses businesses and persons that seek access to personal records through banks, state and federal agencies, or insurance companies. The ITADA mandates significant fines and imprisonment even for first offenders. The federal criminal jurisdiction requires an underlying felony (such as fraud or conspiracy) and involvement of an “identification document” that: (a) is purportedly issued by the United States, (b) is used or intended to defraud the United States, (c) is sent through the mail, or (d) is used in a manner that affects interstate or foreign commerce.

  • The Fair and Accurate Credit Transactions Act (the “FACTA”)

The FACTA was established as a national detection system to deter fraud resulting from identity theft in its early stages with or without subsequent law enforcement investigation. The FACTA, among other rights, allows victims to alert all three major credit rating agencies of suspected criminal use of their financial data or accounts affecting a credit rating. The FACTA created the rights to “free” annual credit reports, and requirements that mortgage lenders provide actual FICO credit scores (not just credit account data) if that score is used to determine interest rates for a housing loan. The FACTA also mandates that merchants show only the last five digits of credit card numbers on receipts. The FACTA further is responsible for developing a system to “red flag” suspicious requests for consumer data, and allows military personnel to “freeze” credit files when they are deployed overseas.

Under the FACTA, consumer “red flags” include fraud alerts from a reporting business that has identified a data breach, unusual patterns in credit usage, suspicious documentation, credit usage after long periods of inactivity, known mail drop addresses, and other anomalies.

The FACTA also requires employers to shred documents containing employee data; any business that supplies or facilitates consumer credit must secure or destroy consumer information. This “disposal rule” requires reasonable and appropriate destruction of all information derived from a consumer credit report, prior to its disposal. Failure to comply with destruction requirements (i.e. shredding) carries penalties of up to $2,500 per violation. There is an implied obligation within the FACTA disposal rule to conduct due diligence for hiring or contracting data disposal personnel, which includes reference checking, physical inspection of licenses or certificates, and audits.


  • The Fair Credit Reporting Act (the “FCRA”)

The FCRA requires consumer reporting agencies (CRAs) to adopt reasonable procedures to maintain and report consumer data with confidentiality, accuracy, relevancy, and reasonable security. CRAs must ensure “reasonable procedures to assure maximum possible accuracy of the information concerning the subject of the report.”

Victims may sue for willful or negligent failure to verify the accuracy of disputed information or correct inaccurate information resulting from a stolen identity. Consumers who report errors or fraudulent transactions are entitled to a “reasonable investigation” and an expectation that errors will be corrected and reported back promptly. The statute provides for attorney’s fees and punitive damages for willful violations. Under the FCRA, identity theft victims may authorize law enforcement agencies to obtain their credit reports and other records without obtaining a subpoena and at no personal cost. The FCRA imposes a two-year statute of limitations that begins when an inaccurate disclosure or report is filed, not when the consumer actually becomes aware of inaccuracies.

The FCRA also includes a “disposal rule” requiring any business that has access to or which utilizes consumer reporting information to dispose of this sensitive information properly.  The FCRA’s disposal rule is broader than FACTA’s in that it targets any company that complies, sells or purchases reports containing private personal or medical information. This includes employment agencies, banks, private investigators, landlords, auto dealers, insurance agents and others. The FCRA disposal rule applies to any information, in any format, and mandates that the disposal method must render the documents or information unreadable and incapable of being reconstructed.

  • The Gramm-Leach-Bliley Act (the “GLBA”)

The GLBA directs eight federal regulatory agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule to ensure that financial institutions prevent unauthorized disclosure of consumer financial information, including fraudulent access, by implementing appropriate policies, procedures and controls. Also known as the Financial Services Modernization Act of 1999, the GLBA defines financial institutions as a “business significantly engaged in providing financial services or products for personal, family, or household use.” The GLBA is relevant to traditional banks and credit unions, and also includes check-cashing and payday loan services, non-bank lenders, real estate appraisers, tax preparers, debt collectors, financial advisors, and insurance agents and brokers.

  • The Right to Financial Privacy Act (the “RFPA”)

The RFPA falls under the ambit of the FDIC and targets industrial loan companies, trust companies, savings associations, credit unions and consumer finance institutions. The RFPA creates statutory Fourth Amendment protection for personal bank records by providing that ‘no government authority

[state or federal] may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described and the customer authorizes access; there is an appropriate administrative subpoena or summons; there is a qualified search warrant; there is an appropriate judicial subpoena, or there is a written request from an authorized government authority.

The RFPA prohibits banks and other covered entities from requiring customers to release financial records as a condition of doing business, and mandates banks to provide customers with access to records of all disclosures made to third parties.

  • The Health Insurance Portability and Accountability Act (the “HIPAA”)

The HIPAA, which is administered by the U.S. Department of Health and Human Services (HHS), establishes nationwide security standards for electronic health care information. This ‘security rule’ requires all covered entities to be compliant with specific administrative, technical, and physical security standards and procedures for electronic data. HIPAA rules apply not only to doctors, clinics, hospitals, pharmacies, and laboratories, but may also apply to certain collection agencies, health insurers, and lawyers, and also to any businesses that maintain self-insured employee health care plans.

In addition to federal laws, each state has its own law regarding identity theft or impersonation. Twenty-nine states, Guam, Puerto Rico and the District of Columbia have specific restitution provisions for identity theft. Five states—Iowa, Kansas, Kentucky, Michigan and Tennessee—have forfeiture provisions for identity theft crimes. Eleven states—Arkansas, Delaware, Iowa, Maryland, Mississippi, Montana, Nevada, New Mexico, Ohio, Oklahoma and Virginia—have created identity theft passport programs to help victims from continuing identity theft.

Thirty-four states have introduced or have pending legislation regarding identity theft during the 2012 legislative session, including Louisiana which enacted its Business Identity Theft Prevention Act. For more information on state laws, visit the website of National Council of State Legislatures.

Diploma mill ordered to pay $22.7 million to 30,000 scam victims

On August 31, 2012, Belford High School, Belford University and several of their co-conspirators were ordered to pay $22.7 million to a class of more than 30,000 U.S. residents who were duped into purchasing fake high school diplomas from Belford. The defendants were also ordered to forfeit the websites used to perpetrate the scam, including www.belfordhighscool.com, www.belfordhighschool.org, www.belforduniversity.org, and www.belforduniversity.com.

The lawsuit, filed on November 5, 2009, charged that Belford High School is an Internet scam that defrauded students of their money by offering them a supposedly “valid” and “accredited” high school diploma. As affirmed by the judgment, the school is a fake and the diplomas are not valid. The lawsuit also alleged that the two accrediting agencies by which Belford claimed to be accredited – International Accreditation Agency for Online Universities and the Universal Council for Online Education Accreditation – are not legitimate accrediting agencies.

Notably, we came across Belford University in 2010 when a bachelor’s degree from the “school” was listed on an employment application by a candidate for a professional level position with one of our clients. Click here to read the 2010 blog.


Highlights of ACFE’s 2012 report on occupational fraud

The Association of Certified Fraud Examiners (ACFE) recently released its Report to the Nations on Occupational Fraud and Abuse – 2012 Global Fraud Study. The ACFE states that the Report is based on data from 94 countries compiled from studies of 1,388 occupational fraud cases that occurred between January 2010 and December 2011, and were investigated by certified fraud examiners. The ACFE conducts global occupational fraud studies every two years. According to the Report, a typical organization loses 5% of its revenues to fraud each year, which translates to more than $3.5 trillion if applied to the estimated 2011 Gross World Product. As in its prior studies, the Report shows that the industries most commonly affected by occupational fraud are banking and financial services, government and public administration, and manufacturing. Small organizations suffered the largest median losses. The Report indicates that asset misappropriation continued to be the most frequently committed fraud, yet least costly, with a median loss of $120,000, while financial statement fraud remained the least frequent but the most costly, with a median loss of $1,000,000. Below are the Report’s findings about the fraud perpetrators:

  • Perpetrators with higher authority levels tend to cause much larger losses. The median loss among frauds committed by owner/executive was $573,000, by managers it was $180,000, and by employees, $60,000.
  • Vast majority (77%) of all frauds were committed by individuals working in one of six departments: accounting, operations, sales, executive/upper management, customer service or purchasing.
  • In 81% of cases, the fraudster displayed one or more behavioral red flags that are often associated with fraudulent conduct: living beyond means (36%), financial difficulties (27%), close association with vendors or customers (19%) and excessive control issues (18%).
  • Approximately 87% of the fraudsters had never been charged or convicted of a fraud-related crime, and 84% had never been punished or terminated for fraud-related conduct.

The Report further notes that the most frequent method of detection continued to be by tip, which occurred in 43.3% of the cases, followed by management review and then by internal audit detection. For entities with fraud hotlines, the likelihood that the fraud would be found by tip was 50.1% whereas for entities without a fraud hotline, that likelihood decreased to 35%, according to the Report. Overall, the median duration of a fraud before being discovered remained consistent with the ACFE’s 2010 study, at 18 months. Nearly half of victim organizations do not recover any losses suffered from a fraud.

The Report confirms that the nature and threat of occupational fraud is universal. Though its research noted some regional differences in the methods used to commit fraud – as well as organizational approaches to preventing and detecting it – many trends and characteristics are similar regardless of where the fraud occurred. The Report recommends that management should continually assess the organization’s specific risks and establish or revise compliance and fraud prevention programs accordingly.

SI case study: “A career in fraud”

A prospective client investigation was ordered on a company and its president, but the preliminary information was enough to reject this individual or any company under his control from the proposed business engagement. Initial court searches uncovered a 2003 criminal misdemeanor conviction for possession of a false identification to be used to defraud. The index did not provide much information and the file was destroyed by the court, so SI’s analyst turned to media sources to dig deeper. Sure enough, one article referenced guilty pleas entered by the subject and his business partner for hiring imposters to take the Series 7 securities brokers’ examination for them. Each was sentenced to a year of probation and fined $5,000. Articles from 2004 reported three civil cases for fraud in jurisdictions where the subject appeared to have no residential history. Follow-up research found that judgments in these lawsuits totaled more than $4.6 million. Several articles also linked the subject to a con artist who had admitted to defrauding ethnic organizations and individuals of $80 million during the late 1990s. And in 2007, the FDIC had executed a settlement agreement with the subject and (the same) business partner after they allegedly failed to seek FDIC approval before making an investment in an unregistered bank holding company. On the whole, this company president had been engaged in fraudulent activities for over a decade and no legal or regulatory action appeared to stop his mode of operation.

Social media evolving as new platform for investment scams

The Securities and Exchange Commission (SEC) today charged an Illinois-based investment adviser with offering to sell fictitious securities through social media sites. According to the SEC’s Division of Enforcement, Anthony Fields of Lyons, IL, offered more than $500 billion in fictitious securities, and in some instances, used LinkedIn discussions to promote fraudulent “bank guarantees” and “medium-term notes.”

The SEC’s order instituting administrative proceedings against Fields charges that he made multiple fraudulent offers through his two sole proprietorships – Anthony Fields & Associates (AFA) and Platinum Securities Brokers. Fields allegedly provided false and misleading information concerning AFA’s assets under management, clients, and operational history to the public through its website and in SEC filings. Fields also failed to maintain required books and records, did not implement adequate compliance policies and procedures, and promoted himself as a broker-dealer while he was not registered with the SEC.
Also today, in recognition that fraudsters are now turning to new and evolving platforms to peddle their scams, the SEC issued two alerts to highlight the risks investors and advisory firms face when using social media.

One of these alerts, a National Examination Risk Alert titled “Investment Adviser Use of Social Media,” provides staff observations based on reviews of investment advisers of varying sizes and strategies that use social media. The bulletin addresses issues that may arise from social media usage by firms and their associated persons, and offers suggestions for managing the antifraud, compliance, and recordkeeping provisions of the federal securities laws. The alert notes that firms need to consider how to implement new compliance programs or revisit their existing ones to align with the rapidly changing technology.

In the SEC’s second bulletin, an Investor Alert titled “Social Media and Investing: Avoiding Fraud” prepared by the Office of Investor Education and Advocacy, the aim is to help investors be aware of fraudulent investment schemes that use social media, and provide tips for checking the backgrounds of advisers and brokers.

Truth is stranger than fiction: fraud came complete with a fake courtroom and costumed employees

Late last year, the Pennsylvania Attorney General (AG) filed a consumer protection lawsuit against an Erie debt collection company accusing it of using deceptive tactics to mislead, confuse or coerce consumers. The AG called the company’s actions “an unconscionable attempt to use fake court proceedings to deceive, mislead or frighten consumers into making payments or surrendering valuables to the company without following lawful procedures for debt collection.”

According to the lawsuit, the company allegedly used fraudulent civil subpoenas – sometimes served by deputy sheriff impersonators – to summon consumers to its office which included an area referred to as the “courtroom” and was the stage for fictitious proceedings to intimidate consumers into providing access to bank accounts, making immediate payments or surrendering vehicle titles and other assets. The bogus courtroom was set up with furniture and decorations similar to those used in actual courts, including a raised judge’s bench, two tables and chairs in front of the bench for attorneys and defendants, a simulated witness stand, seating for spectators, and shelves with legal books. And in some of the fake hearings, an individual dressed in black was seated as the “judge.” After the staged proceedings, the company’s employees allegedly were dispatched to the consumers’ homes in order to retrieve documents or to compel them to sign payment agreements.

In conjunction with the lawsuit, which seeks restitution for all consumers who have been harmed by the company’s unfair trade practices, the AG filed a petition for, among other remedies, a special and preliminary injunction asking the court to freeze the company’s assets, and prohibit it from engaging in any debt collection. Fast forward to November 2011: the company is now defunct, and the AG’s office is resuming its suit against the former president who several months ago filed for personal Chapter 13 bankruptcy which insulated him from creditors, but not from the Attorney General’s Bureau of Consumer Protection, according to Chief U.S. Bankruptcy Judge Thomas P. Agresti’s ruling.

And there is more. According to published reports, an Erie district judge is suing the publisher of the Erie Times-News, its web server and three reporters for defamation in connection with stories, which allegedly made it appear that he was part of the sham perpetrated by this debt collection agency.

Just like this case, many of the attorney general’s complaints read better than fiction, but these scams are real and cause very real damage to individuals and companies. Many consumers do not realize that state attorney general records are searchable and it is imperative that these records are included in all comprehensive background investigations.


Epidemic of fake websites is real

Cyber crime experts report that fake websites are proliferating at the rate of 60,000+ per week or over 3,100,000 per year. And the fraudsters’ malicious exploitations are getting bold and more sophisticated, creating sites that are difficult to discern from those of legitimate businesses or organizations. From banks (which make up about 68% of fraudulent sites) to regulators and news reporting agencies, no entity is immune.

Recently, several local and national newspapers reported on a publicity campaign by a public relations company that purportedly set up a fake news site to promote one of its clients, a public entity, with positive articles and press releases “written in the image of real news” by “journalists” who allegedly do not exist. Although Web experts note that it is fairly common for celebrities and private-sector businesses to generate buzz or improve sales through news coverage, open government advocates called this stunt an egregious breach of trust and ethical standards.

The Federal Trade Commission (FTC) issued warnings a few months ago about scam artists exploiting well-known news organizations by setting up fake news sites to peddle their wares. The sites, which usually display logos of legitimate news organizations, promote everything from bogus weight loss products to work-at-home jobs, anti-aging products and debt reduction plans. The FTC cited several investigations that resulted in charges against the fraudsters, saying that many of the websites are owned by marketers and used to entice consumers to click on links to the sellers’ sites. In its case against acai berry supplement peddlers, the FTC disclosed that the sellers paid the marketers a commission based on the number of consumers they lured to their sites. There was no reporter, no studies, no dramatic weight loss, no satisfied consumers who left comments, and no affiliation with a reputable news source. As a rule, the FTC noted, legitimate news organizations do not endorse products.

The FTC itself, and other regulators have not escaped the fraudsters’ blitz. In April 2011, the FTC brought charges against an individual for multiple violations of the Federal Trade Commission Act for misrepresenting his affiliations with federal agencies, including the FTC, misrepresenting that the services advertised on his websites were government-approved, and making deceptive debt relief claims. The FTC alleged that the individual, a Texas-based “lead generator,” set up several websites through which he associated his business with a fictitious government agency – the “Department of Consumer Services Protection Commission” – that appeared to combine two real government entities, the Federal Trade Commission and the Consumer Financial Protection Bureau. Among other charges, the FTC stated that to further these scams, the websites depicted the FTC’s official seal, copied language about the fictitious agency’s consumer protection mission from the FTC’s site, and claimed that the fake agency “monitors and researches” member companies that provide financial assistance to American consumers.

The scammers and their fake websites are also busy abroad. Earlier this month, international news sources reported that Russian fraudsters set up a counterfeit site of a popular five-star hotel, complete with the real hotel’s photographs, room descriptions and services. According to published reports, they also paid a fee to Google to ensure that their bogus site was listed before the hotel’s genuine site. The fraudulent website purportedly came to an abrupt end after, among other disparities, it was discovered that the room rates were advertised in dollars.

Another story about a flagrant website invasion came in October 2011 from Belgrade, where Serbian media reported that a mock-up of the official Nobel Prize website was set up purportedly by political activists to promote their causes and views.

Fraudulent websites appear daily and no industry or organization is beyond these fraudsters’ reach. Scherzer International, a provider of specialized background investigations for business transactions and employment decisions, includes comprehensive website reviews in its reports. We know how to spot scams, exaggerated claims and other red flags.

Go to Top