optionsXpress Out Of Email Options

March 26, 2015

Wall Street is supposed to be protected by smoke detectors in the form of endless amounts of rules and regulations, massive volumes of written supervisory procedures, and a legion of regulators and in-house compliance staff.  Of course, as with all such alarm systems, you have to make sure that you take the damn device out of the box, put the batteries in, and properly install it in the right location.  History suggests that this has not always been the case for the financial services community. Consider this recent regulatory settlement in which you have to wonder just what the hell was or wasn't going on in terms of detecting and responding to warning signs.

Case In Point

For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, optionsXpress, Inc., (a subsidiary of Charles Schwab Corporation) submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of optionsXpress, Inc.,Respondent (AWC  #2012034190001, March 17, 2015). 

Address Changed

The AWC asserts that in February 2012, an identity thief gained wrongful access to an optionsXpress, Inc. ("OX") customer's account and changed the email address of record. In keeping with its protocol, OX emailed address-change confirmations to both the old and new email addresses.

One PIN Left Standing

On several occasions in February and March 2012, the identity thief unsuccessfully tried to re-set the account's personal identification number ("PIN"). Having successfully changed the email address, the hacker seems to have encountered a problem climbing over the security wall behind which the PIN was hidden. If at first . . .

ACH Ache

Despite having repeatedly failed to re-set the PIN, sometime in March 2012, the identity thief somehow managed to answer certain security questions. The AWC does not disclose what those questions were or how the hacker managed to obtain the answers. 

Armed with the ability to circumvent OX's security, the thief was apparently able to re-set the PIN and then established a new Automated Clearing House ("ACH") link, which permits the processing of electronic transactions among participating depository institutions. The new ACH link allowed the thief to connect the victim customer's OX account to an outside bank account purportedly under the thief's control.

On March 28, 2012, the thief effectuated a $9,100 ACH transfer from the customer's OX account to the linked outside bank account. The AWC further alleges that during April 2012, the thief sold 24,000 shares in the customer's account on two trade dates and effectuated a cumulative total of an additional $443,000 in cash ACH transfers on five different dates.

OX Vox

OX placed automated telephone calls confirming each ACH transaction to the customer's cellphone. The AWC asserts, however, that OX did not confirm the customer's receipt of those auto-calls. On top of that, emails confirming the transactions were sent by OX to the address of record -- except that address had previously been changed by the identity thief.

WTF?

On April 30, 2012, the customer contacted OX and informed the firm that the cited ACH activity was unauthorized, at which time the firm froze the account. Thereafter, OX reimbursed the customer. The AWC does not explain what prompted the customer to contact OX; and although the instigation may have been the OX automated calls to the customer's cellphone, that is merely my conjecture and is not confirmed in the AWC.

Goin' Large

The AWC alleged that during the relevant time, OX generated a Large ACH Report, which appears to be an exception run triggered by ACH transactions above a specified dollar threshold. The AWC asserts that notwithstanding a protocol for reviewing the Large ACH Report, OX lacked written procedures detailing:

  • who was responsible for performing ACH activity reviews;
  • how the reviews were to be performed; or
  • what to do with any findings.
The Eyes Of Texas

FINRA appears to have determined that the victimized customer was an Illinois resident but that the identity thief was communicating via a Texas-based Internet Protocol ("IP") address. That's an interesting discrepancy and one that the AWC highlights. Many firms have already noted the importance of IP signatures and when the source changes from one historically used by the customer, the discrepancy will be noted in an alert and someone assigned to promptly investigate the matter. 

The AWC notes the following circumstances involving the use of the Texas IP address during the relevant times when the unauthorized access was ongoing: 

  • the Illinois customer's online account was repeatedly accessed from what appeared to be a Texas IP address;
  • the Texas IP address was the source for the communications that changed the customer's email address of record; and,
  • there were multiple failed attempts to reset the PIN from the Texas IP address,

Moose And Squirrel

In early April, 2012, while pretending to be the customer, the identity thief telephoned OX's customer service center from a Skype phone account and purportedly evidenced "a heavy Eastern European accent [and] appeared not be able to understand English . . ."

Moreover, when asked to answer the security question, the thief did not know the customer's mother's maiden name. Inexplicably, the OX service center employee who handled the telephone call did not escalate the matter to appropriate firm personnel.

SIDE BAR: At first glance, FINRA may be seen as being overly picky when admonishing OX about identifying the source of online access and telephone calls. On the other hand, I think that the self-regulator makes a compelling argument that supervisory and compliance staff at OX failed to properly consider emerging, troubling indications in the form of: 

  • the Texas IP address, 
  • the use of a Skype account, 
  • the failed attempts to pass security questions, 
  • the creation of new email addresses, 
  • the implementation of an ACH link, and 
  • strong suggestions that we may not have been dealing with someone from Illinois (which is not to suggest that Illinois residents may not have thick accents and a lack of fluency with English as a first language; but it is to suggest that you can't ignore cumulative red flags).  
Are these the tapes of the identity thief with the Eastern European accent???

Large Report, Little Follow-Up

As to the five April 2012 cash transfers noted on the Large ACH Report, two of the displayed transfers were not accompanied by any disclosure of the previously failed security questions and the changed email address. The AWC further questions why the account's appearance on five daily Large ACH Reports in less than a month did not trigger an internal review.

SIDE BAR: And now for a bit of theatrical fantasy courtesy of the esteemed but unknown playwright Bill Singer of the famed BrokeAndBroker.com Blog:

COMPLIANCE OFFICER: Is that the fire alarm?

SUPERVISOR: Sounds like it.

COMPLIANCE OFFICER: You think there's a fire?

SUPERVISOR: Nah, it's probably a false alarm or maybe they're testing the system.

COMPLIANCE OFFICER: Should we call someone and check?

SUPERVISOR: Waste of time. I'm sure it will stop soon.

COMPLIANCE OFFICER: You sure . . . maybe I'll just make a quick call downstairs?

SUPERVISOR: If you want to look like an idiot, go ahead; but don't get me involved. It's nothing.

COMPLIANCE OFFICER: I think I smell smoke.

SUPERVISOR: Didn't you just take a smoking break in front of the building?

COMPLIANCE OFFICER: Yeah, but . . .

SUPERVISOR: I don't smell nothing. You're just imagining things.

FINRA Sanctions

FINRA alleged that OX's conduct constituted violations of FINRA Rule 2010; NASD Rule 3012(a)(2)(B)(i); and NASD Rule 3010. In accordance with the terms of the AWC, FINRA imposed upon OX a Censure and $150,000 fine. Additionally, OX agreed that within 30 days it will certify in writing to FINRA's Department of Enforcement that it has implemented written ACH transfer review procedures to address and correct the violations described in the AWC.

Bill Singer's Comment

Compliments to FINRA on an excellent AWC replete with a strong presentation of the underlying facts and some useful guidance for better compliance practices.