Q: I recently read a FINRA notice that warned of people impersonating FINRA employees in order to obtain sensitive information. While the notice was informative regarding looking out for overseas telephone numbers and email domain names that do not end with “finra.org” as indicators of possible fraud, are there any other suggestions you could offer that we can use to protect ourselves?
For example, normally I would be hesitant to tell a potential examiner that I want to call him back through a confirmed FINRA telephone number to verify his or her identity, but now I’m wondering if that is something I should do.
-
Violating this FINRA rule has extremely serious consequences including termination and disciplinary action.
August 14 -
When do promotional materials rise to the level of an official “recommendation” and thereby require additional disclosures by brokers?
July 23 -
Can an RIA take the first bite of the apple when it comes to a dually registered rep’s brokerage commissions?
June 26
A: As you noted, on July 13, 2018,
In one instance the imposter refused to provide any information about herself, other than a bogus telephone number, and in the other incident, the imposter provided a phony email address that used @finra.org.co.uk as the domain name. Unfortunately, not all scam artists that you encounter will be this obvious or inept. Fraudsters continue to enhance and refine their techniques, and it is up to you to be on the lookout.
I not only think your suggestion is a good one, but I also believe it should be considered standard practice whenever you are contacted by a regulator. First, note that, depending on your position within the organization, any telephone contact with a regulator should immediately be forwarded on to your manager and/or compliance officer. You should never attempt to give out any information beyond your name and that of your supervisor to anyone purporting to be a regulator unless you have been specifically authorized to do so.
Even if the regulator is legitimate, you should not be providing any information that you have not been authorized to provide since you may compromise yourself and your employer and inadvertently subject either or both of you to disciplinary actions. If a regulatory examiner wants to speak with you, it would almost certainly be arranged through your supervisor or compliance officer beforehand. He or she will schedule the call and provide you with a time and date to speak to the examiner.
Depending on your position in the organization, any telephone contact with a regulator should immediately be forwarded to your manager and compliance officer.
In other instances, it is perfectly acceptable to tell the caller that you need to verify their identity (regardless of whether they are from the state, the SEC or FINRA) and that you will call them back after doing so. Of course it should go without saying that you should not call the number they provide to you when attempting to verify their identity. Ask them what office they are calling from and then look up that office’s number on the regulator’s website and call them back at that number. Callers who object to this practice or respond with threats of disciplinary action should raise red flags.