Between January 27, 2021, and February 4, 2021, Wedbush received and approved four fraudulent wire transfer requests from a hacker without taking reasonable steps to confirm whether the requests were genuine. The hacker, who had gained access to an email account belonging to a registered representative at one of Wedbush’s correspondent firms, requested that Wedbush send four wires for more than $6.6 million from a joint brokerage account held by two customers to two third parties.
In approving the requests, Wedbush failed to reasonably investigate red flags that the wire requests were fraudulent, including that the wires were for large and increasing amounts in a short period of time and the wires were being sent to third-party recipients (both of whom were located in foreign countries) who lacked any connection to the customers. Wedbush did not take reasonable steps to confirm that the wire requests were genuine, such as contacting an authorized representative of the correspondent firm by telephone. Instead, the firm approved the four wires after only sending questions to the hacker who was using the compromised email account.
After Wedbush’s correspondent firm notified it of the fraud, Wedbush and the correspondent firm reimbursed the customers for their losses. In February 2021, Wedbush revised its written supervisory procedures concerning processing letters of authorization, including requiring firm personnel to call a “recognized person” at a correspondent firm using a known telephone number prior to approving wires over a certain amount. Due to the firm’s failure to reasonably surveil the transmittals of customer funds to third parties, the firm violated FINRA Rules 3110 and 2010.
The firm has also agreed to a censure and to an undertaking that a member of its senior management who is a registered principal of the firm shall certify in writing that the firm has remediated the issues and implemented a supervisory system, including written supervisory procedures, reasonably designed to achieve compliance with Rule 3110.