Email Request Marked SPAM, But Compliance Officer Wired Money Anyway

Jun 5

Securities Commissioner John Morgan entered a Disciplinary Order June 2 that fined and reprimanded a Chicago-based securities dealer whose compliance officer repeatedly wired funds to individuals pretending to be a 75-year-old Texas client of the firm.

In three separate transactions in 2015, Daniel Haugh, the chief compliance officer of PTI Securities & Futures LP, wired a total of $91,560 from the Individual Retirement Account (IRA) of the Texas client, who had not made any requests for funds to be transferred from his account.

The requests were sent from the client’s email account, which had been compromised.

Electronic mail is the most likely way for a client’s account with a securities firm to be compromised, according to the Securities Commissioner.

“Cyber-fraud is on the rise, and state-registered investment advisers and other registrants should establish up-to-date procedures to assess the risks of access to client information,” Morgan said.

The Financial Industry Regulatory Authority in 2012 warned its member firms about the rise in instances where client email accounts were compromised.

Last year, the Financial Crimes Enforcement Network, a division of the Department of the Treasury, issued an advisory to financial institutions to help them institute procedures to stop fraudulent transfers of customer funds.

In the PTI Securities case, warning signals were everywhere. The subject line of the first email to Haugh requesting a transfer of funds read “[SPAM] Hi Dan.” The email asked Haugh to “please email me the cash balance on all my account.”

The individuals who hacked the client's email account listed a false Social Security number, birth date, and signature on the wire request form. The birth date listed would have made the client 35 years younger than he was.

Haugh responded with the account balance, and the email request led to a transfer of $45,780 to an individual in Louisiana.

Haugh wired money a second time from the client's IRA to the same individual in Louisiana, then to another person in Alabama.

The client was unrelated to the recipients of the wire transfers and had never wired money to them before.

PTI Securities repaid $91,560 to the Texas client, the full amount inappropriately wired from his account. The order reprimanded the firm and levied a fine of $5,000, which was paid to the State of Texas.

The order found that PTI Securities violated its written procedures when it failed to verify the three signatures on the wire distribution requests and didn’t discuss discrepancies with the client before transferring the money.

The firm violated State Securities Board rules by failing to establish and maintain an adequate supervisory system reasonably designed to comply with securities laws and regulations.