The convergence of money-laundering control and cyber-security
Eric Hess, Hess Legal Counsel LLC, Legal counsel, New York, 17 June 2015
In this barnstorming tour through the attitudes of America's financial regulators to keeping data about high-net-worth clients secure, an eminent New York lawyer draws on his experience to map out the future.
On February 2nd, the Securities and Exchange Commission, the Financial Industry Regulatory Authority (FINRA) and the North American Securities Administrators Association (NASAA) all released cyber-security reports and alerts. The SEC and NASAA alerts provided valuable benchmarks for brokers and investment advisers with regard to cyber-security practices. FINRA’s report provided both benchmarks and some deeper coverage of the kinds of control that firms should be contemplating.
FINRA’s report on cyber-security included a case study reference relating to the anti-money-laundering field, an oft-neglected component of cyber-security discussions. Although cyber-security typically focuses on the protection of a potential target’s systems, the “attack supply-chain” generally also includes an enabler. In cases where the purpose of the cyber-attack is US market manipulation, that enabler will be an entity regulated in the US. The enabler may also help cyber-criminals move funds to other institutions in foreign jurisdictions with weaker compliance standards.
In their case study reference, FINRA summarized two AML-related activities. Both involved the opening of accounts for foreign customers who posed a higher AML risk than normal. In both cases, those customers then engaged in a pattern of fraudulent trading that involved hacking into customers' accounts at other broker-dealers and trading in a manner (usually involving thinly-traded securities) designed to benefit their own accounts and harm the accounts into which they had hacked. For example, one customer engaged in a “pump and dump” scheme in which they bought shares, then caused the accounts they hacked into to purchase those shares before selling out their shares for a profit. FINRA found, in both cases, that the firms that opened the cyber-criminals’ accounts did not have: (i) AML policies and procedures adequately tailored to their lines of business in order to detect and report suspicious activity; or (ii) reasonably designed customer identification programmes.
Money-laundering control (even when separated from cyber-security) has been a priority for FINRA for some time. For example, in its 2015 Regulatory and Examinations Priorities Letter, it reaffirmed money-laundering as a priority and noted that it was going to pay more and more attention to: (i) the adequacy of every firm’s processes to identify suspicious transfers to and from cash management accounts and to verify the purpose of the activity in these accounts; and (ii) the monitoring of DVP/RVP accounts for suspicious transfers and for clues about whether adequate 'due diligence' is occurring in respect of the registration of securities. The market manipulation that occurred in the cited case studies above is just one of FINRA’s major concerns, the primary others being microcap fraud and insider-dealing. Nonetheless, the seriousness with which FINRA views violations of money-laundering rules has implications for firms that make life easy for cyber-criminals, even inadvertently.
The SEC and FINRA are taking lapses in AML controls very seriously. One year ago, FINRA levied an $8,000,000 fine against Brown Brothers Harriman and suspended their AML compliance officer despite his having established an AML oversight practice and warning his superiors about the activity that was causing problems. The SEC recently fined Oppenheimer $20,000,000 for AML violations. While both actions related to the trading of unregistered securities, both were cases in which the firms’ failures to act as 'gatekeepers' to identify suspicious parties resulted in substantial penalties and reputational damage under current AML regulation.
In view of the danger that one's institution might inadvertently help cyber-criminals, the AML due diligence processes should incorporate searches for whether the prospective customer and associated persons have been linked to hackers or cyber-attacks, particularly in the case of applicants for business that seem to be more risky than others. Such searches should use the information sources that a firm’s cyber-security function uses.
In addition, the monitoring of transactions of riskier customers ought to be adjusted to reflect this threat. For example, a hacker who controls several accounts has greater control over the timing of the transactions that damage its victims and can therefore cause a spike in the price of a security far more rapidly than a single trader could. Because of this, both on-boarding and transaction supervision ought to take that speed and co-ordination into account.
The importance of AML controls to cyber-security and vice versa goes beyond preventing cyber-criminals from opening accounts or limiting their activities within an account. The first indications of either an information security breach, suspicious transaction(s) or funds movement(s) can provide valuable information to each function. The activity of customers that may justify a suspicious activity report or SAR should also be viewed as a potential information breach. Such activity may be the first indication of a hacked account and instantly relevant from a cyber-security perspective. Similarly, a detected cyber-security breach may be the first indication of or otherwise relevant to a financial crime from the perspective of an AML compliance officer. For example, during a 'distributed denial of service' attack on a system (in which cyber-attackers bombard a system with their attacks, often to distract that system from more nefarious goings-on) the AML function should watch carefully for other suspicious activity relating to customers' and even firms' accounts. This argues for co-operation in respect of the on-boarding of clients, among other things.
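As an added illustration (not part of the original article) of the kind of transaction monitoring the preceding paragraphs call for, the Python below looks for the pattern FINRA described: a higher-risk account buys a thinly-traded security, several other accounts then buy the same security within a short window, and the higher-risk account sells into the resulting spike. The trade records, the list of thin securities and the set of higher-risk accounts are all constructed assumptions; the "other" buyers it surfaces are the accounts the security function should review for compromise, which is the hand-off between the AML and cyber-security functions argued for above.

```python
from datetime import datetime, timedelta

# Constructed sample trade blotter (not from the article). Columns:
# timestamp, account, symbol, side, quantity, price.
TRADES = [
    ("2015-02-02T10:00:00", "ACCT-R1", "XYZQ", "BUY", 20000, 0.50),
    ("2015-02-02T10:05:00", "ACCT-V1", "XYZQ", "BUY", 5000, 0.55),
    ("2015-02-02T10:07:00", "ACCT-V2", "XYZQ", "BUY", 6000, 0.62),
    ("2015-02-02T10:09:00", "ACCT-V3", "XYZQ", "BUY", 4000, 0.71),
    ("2015-02-02T10:12:00", "ACCT-R1", "XYZQ", "SELL", 20000, 0.80),
    ("2015-02-02T11:00:00", "ACCT-V4", "BIGCO", "BUY", 100, 40.00),
]
THIN_SYMBOLS = {"XYZQ"}            # assumed: firm-maintained list of thinly-traded securities
HIGHER_RISK_ACCOUNTS = {"ACCT-R1"}  # assumed: accounts flagged as higher risk at on-boarding

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def find_pump_dump_patterns(trades, higher_risk, thin_symbols,
                            window=timedelta(minutes=15), min_buyers=3):
    """Return one alert per SELL by a higher-risk account in a thin symbol where
    that account bought the symbol earlier and at least `min_buyers` distinct
    OTHER accounts bought it inside `window` before the sell. Those other
    accounts are candidates for a hacked-account review by the security team."""
    alerts = []
    by_symbol = {}
    for ts, acct, sym, side, qty, px in trades:
        if sym in thin_symbols:
            by_symbol.setdefault(sym, []).append((parse(ts), acct, side, qty, px))
    for sym, rows in by_symbol.items():
        rows.sort()  # chronological order
        for t_sell, acct, side, qty, px in rows:
            if side != "SELL" or acct not in higher_risk:
                continue
            earlier_buy = any(a == acct and s == "BUY" and t < t_sell
                              for t, a, s, _, _ in rows)
            buyers = {a for t, a, s, _, _ in rows
                      if s == "BUY" and a != acct and t_sell - window <= t < t_sell}
            if earlier_buy and len(buyers) >= min_buyers:
                alerts.append({"symbol": sym, "seller": acct,
                               "sell_time": t_sell.isoformat(),
                               "possible_hacked_accounts": sorted(buyers)})
    return alerts

if __name__ == "__main__":
    for alert in find_pump_dump_patterns(TRADES, HIGHER_RISK_ACCOUNTS, THIN_SYMBOLS):
        print(alert)
```

In practice the window, buyer threshold and thin-security list would be tuned per line of business, which is the tailoring of AML procedures that FINRA faulted the two firms for lacking.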
Money-laundering control has been an established function across financial firms for a longer period of time than cyber-security has. In the US, it generally resides within the general compliance function or its own separate function. Information security, on the other hand, is usually to be found in the technology and/or security functions, although typically with a layer of compliance oversight at regulated financial firms. A firm’s compliance office is therefore best placed to facilitate greater co-ordination between these two functions.
* Eric Hess can be contacted at eric@hesslegalcounsel.com or on 001 646-783-7030