Update No. 8: FINRA Continues to Address COVID-19 Impact on Financial Industry

May 14, 2020

Update: Our May 21, 2020, alert provides our most recent discussion of information and guidance issued by the SEC, FINRA, MSRB and SIFMA.

The Financial Industry Regulatory Authority (FINRA) continues to provide assistance and insight to member firms as the industry deals with COVID-19. Last week, FINRA Executive Vice President Bill Wollman participated in a webinar hosted by the Securities Industry and Financial Markets Association (SIFMA) discussing on-the-ground efforts and observations of how regulators and firms are facing pandemic-related challenges. FINRA also issued a notice warning the industry of potential pandemic-related frauds and scams, postponed online test-taking and proposed a series of procedural changes for litigated matters with FINRA.

SIFMA Webinar

On May 7, 2020, SIFMA hosted a webinar with FINRA Executive Vice President and Head of Office of Financial and Operational Risk Policy Bill Wollman, to answer questions from member firms and discuss, among other things, the impact of COVID-19 on the market, the industry, and the regulators. The webinar covered a lot of ground. By no means comprehensive, below is a list of some key takeaways.

  • Business Continuity Plans (BCPs)
      • The BCP is a living document. Firms should continue to review and revise their BCPs as new operational challenges are confronted and addressed.
      • Firms implemented BCPs as expected. Some firms, especially the larger ones, implemented a governance process to manage the implementation and modifications, including creating committees to address various aspects of the business.
      • FINRA has been reaching out to firms to understand how the process is going and what is working and not working.
      • Firms should document changes to the BCPs in real time and conduct post-mortems on what worked (or did not work, as the case may be).
  • Regulatory Coordination
      • Having learned from the 2008 financial crisis, coordination presently among regulators is better. Here, FINRA may be coordinating with the U.S. Securities and Exchange Commission (SEC), Federal Reserve, Office of the Comptroller of the Currency, etc., depending on the firm.
  • Regulatory Relief
      • Coordinating with other regulators (e.g., SEC, states).
      • Often the relief is necessary because of constraints of state stay-at-home orders.
      • Importantly, firms should contact their Risk Monitoring Analyst (f/k/a Regulatory Coordinator) to seek relief. They should implement strong, countervailing controls and document what the firm is doing.
  • FINRA Examination Program
      • Currently, all firm examinations are virtual. If there is a need for examiners to go on-site, safe social distancing measures will be undertaken. Even when states open and firms head back on-site, it is expected that more of the examination work will continue to be done remotely.
  • Branch Office Audits
      • FINRA has issued temporary relief to the on-site requirements. Of course, there are other ways to conduct reviews through the use of technology.
      • Educate FINRA on what firms are finding in these reviews. For example, sharing what is working or not working can help inform FINRA for meaningful discussions with the SEC in terms of continued relief or rethinking the process overall.

COVID-19 Fraud Warning

On May 5, 2020, FINRA issued Regulatory Notice 20-13, FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic. Emphasizing that firms and their associated persons should be aware of and take appropriate measures to address the increased risks and challenges presented during the COVID-19 pandemic and the opportunity it creates for financial fraud, FINRA’s notice outlines four common scams: (1) fraudulent account openings and money transfers; (2) firm imposter scams; (3) IT Help Desk scams; and (4) business email compromise schemes.

  • Fraudulent Account Openings and Money Transfers
      • FINRA warns that fraudsters may be taking advantage of the pandemic to use stolen or synthetic identities to establish accounts to divert congressional stimulus funds or unemployment payments, or to engage in automated clearing house (ACH) fraud.
      • Firms’ AML program requirements, as described below, address the risks relating to fraudulent account openings and money transfers. Having strong controls in the following areas substantially mitigates the risk of fraud:
          • Customer identification programs
          • Monitoring for fraud during account opening
          • Bank account verification and restrictions on fund transfers
          • Ongoing monitoring of accounts
          • Collaborating with clearing firms
          • Suspicious activity report filing requirements
      • In addition to considering the above practices, FINRA encourages firms to assess their compliance programs relating to account opening and money transfers and reminds them to review applicable policies and procedures.
  • Firm Imposter Scams
      • The expanded use of remote working arrangements may increase opportunities for fraudsters to impersonate firms and associated persons in communicating with customers or creating a fake online presence or website. As part of these scams, fraudsters may seek to obtain customers’ personal information or trick them into making investments or transferring funds.
      • FINRA notes the below methods some firms have employed to address these risks:
          • Providing staff with training or fraud alerts describing these scams and steps that can be taken to protect the firm and its customers
          • Alerting customer-facing staff of fraudsters’ schemes and advising them to vet incoming calls
          • Implementing the practices discussed in FINRA Information Notice 4/29/19, including, without limitation, posting an alert on the firm’s website and sending email notifications to warn clients of the imposter website(s) and the associated URL(s) when they become aware of imposter websites
  • IT Help Desk Scams
      • Remote work arrangements increase the opportunity for attacks involving firms’ IT Help Desks. In one variant of these attacks, fraudsters pose as associated persons and contact a firm’s IT Help Desk to, for example, request a password reset. The fraudsters use this conversation with IT staff to gain information about the firm, which they subsequently use to infiltrate the firm’s network.
      • In another variant of these attacks, a fraudster poses as a member of a firm’s IT Help Desk team and contacts associated persons in an attempt to obtain user credentials or introduce malware into the person’s computer, which can then be used to steal valuable information.
      • FINRA notes that some firms have addressed these risks by training their IT Help Desk staff to verify callers’ identities and by training associated persons to take extra precautions when receiving unsolicited calls or emails that appear to come from the IT Help Desk.
  • Business Email Compromise Schemes
      • Fraudsters may take advantage of remote working environments to pose as firm leadership to request fund transfers. Another scam, the gift card procurement scam, occurs when a fraudster purports to be a manager or executive and emails a subordinate with an urgent request for the employee to purchase gift cards.
      • FINRA notes the following steps that some firms have taken to address these risks:
          • Monitoring red flags, such as requests arriving at an unusual time of day, using atypical language, requesting a transfer to a new account, requiring secrecy for the transactions or displaying unusual urgency
          • Confirming the request via telephone prior to acting on any requests
      • FINRA encourages firms to protect customers and other firms by immediately reporting scams and any other potential fraud to: FINRA, through its Regulatory Tip Form; the SEC’s tips, complaints and referral system; the FBI’s tip line; the Internet Crime Complaint Center (for cybercrimes); and local state securities regulators.

Online Test-Taking Delay

On May 10, 2020, FINRA announced it would further delay scheduling for online test-taking for exams. FINRA and the North American Securities Administrators Association (NASAA) previously announced a pilot of online test-taking expected to be ready for a wider roll-out on May 24, 2020. (See April 28, 2020 alert.)

  • FINRA noted a need to extend the validation period and stated that additional time is necessary before it can make appointment scheduling available to all test candidates and firms.
  • FINRA expects to communicate an anticipated launch date in the near future.
  • FINRA will extend all enrollment windows that expired, or will expire, between March 16 and June 30, 2020, and exam enrollment end dates will be extended through June 30, 2020.

Proposed Procedural Change for Litigated Disciplinary Filings

On May 7, 2020, FINRA filed with the SEC proposed amendments to certain FINRA Rules to provide temporary relief from certain timing, method of service and other procedural requirements in litigated matters during the period in which FINRA’s operations are impacted by the outbreak of COVID-19. The proposed changes would be in place through June 15, 2020. FINRA requested that the SEC waive the requirement that the rule change not become operative for 30 days, to allow the proposed rule change to become operative immediately. The proposed amendments do the following:

  • Allow, and in some instances require, FINRA to serve documents by electronic mail. This amendment is requested in light of the challenges FINRA has faced in sending hard copy documents, given the restriction on in-person activities.
  • Require that applicants, respondents and other parties file or serve documents via electronic mail. This amendment arises out of the challenges on FINRA’s ability to timely receive and process hard copy mail, and is requested in order to minimize the challenges posed by the current conditions and assist FINRA in maintaining fair review processes and proceedings.
  • Provide extensions of time under FINRA Rules 1015 (Review by National Adjudicatory Council), 6490 (Processing of Company-Related Actions), and 9559 (Hearing Procedures for Expedited Proceedings). This amendment is requested due to the difficulty that FINRA staff has encountered in meeting certain deadlines related to the adjudicatory and review processes in these rules, given the remote operations of FINRA staff.
  • Allow oral arguments before the National Adjudicatory Council to be conducted by video conference. FINRA notes that this relief is a reasonable accommodation to protect the health and safety of all parties participating in the adjudicatory processes while avoiding unnecessary delays.

MOVING FORWARD

McGuireWoods is monitoring these developments and will provide updates to clients as information becomes available. (For background, see McGuireWoods’ May 7, April 28, April 21, April 15, April 6, March 26 and March 17 updates.) Please let us know if you have any questions or if there is anything else we can do to support you during this challenging time.

McGuireWoods’ COVID-19 Response Team helps clients navigate urgent and evolving legal and business issues arising from the novel coronavirus pandemic. Lawyers in the firm’s 21 offices are ready to assist quickly on questions involving healthcare, labor and employment, education, real estate and more. For assistance, contact a team member or send an email to [email protected].

McGuireWoods has published additional thought leadership related to how companies across various industries can address crucial COVID-19-related business and legal issues.
