PODCAST
Financial Intelligence Unit: Connecting FINRA Members with Actionable Information
FINRA's Financial Intelligence Unit acts as a nerve center for information on emerging threats impacting FINRA members with the aim of providing actionable intelligence to firms, other regulators and law-enforcement to keep investors safe.
On this episode, Blake Snyder, senior director of FIU, joins us to share how the group has grown and matured over the last few years and how they are evolving the way they share information, including through the introduction of the new Threat Intelligence Products, or TIPs.
Resources mentioned in this episode:
Episode 33: AML in the Securities Industry
TIP: Protecting Vulnerable Adult and Senior Investors
Investor Insight: Pig Butchering Scams
Investor Insight: Ramp-and-Dump Scams
National Cyber-Forensics and Training Alliance (NCFTA)
Listen and subscribe to our podcast on Apple Podcasts, Google Podcasts, Spotify, YouTube or wherever you listen to your podcasts. Below is a transcript of the episode. Transcripts are generated using a combination of speech recognition software and human editors and may contain errors. Please check the corresponding audio before quoting in print.
FULL TRANSCRIPT
00:00 - 00:26
00:26 – 00:29
Intro Music
00:29 - 00:53
Kaitlyn Kiernan: Welcome to FINRA Unscripted, I am your host Kaitlyn Kiernan. I'm pleased to welcome back to the show Blake Snyder, senior director of Member Supervision's Financial Intelligence Unit. He's going to provide an update on his team, the latest threats they are seeing and how they're sharing information with the industry. Blake, welcome back to the show.
00:53 - 00:55
Blake Snyder: Thank you for having me on again.
00:55 - 01:06
Kaitlyn Kiernan: It's been three years since we last had you on the show to talk about the Financial Intelligence Unit, or FIU. So, before we dig into that, your group, can you start by reintroducing yourself and telling us a bit about your background?
01:06 - 01:39
Blake Snyder: Yes, of course. I've been with FINRA for almost 24 years now. During that time, I've served in a number of roles in the organization including working in departments in FINRA that are now called firm examinations and risk monitoring. Prior to my current role, I led FINRA's AML unit and moved over to start FINRA's Financial Intelligence Unit, or FIU for short, in 2020 during the midst of the pandemic.
01:39 - 01:56
Kaitlyn Kiernan: Our first episode together was when you were on the AML team and that is still I think one of our top three most downloaded episodes. So now you're in a little bit of a different role, but it's great to have you back. And can you remind us at a high-level what it is that FINRA's Financial Intelligence Unit does?
01:57 - 03:08
Blake Snyder: Our mission is to identify and assess emerging threats impacting the financial industry and to provide our stakeholders with actionable intelligence in support of FINRA's mission of investor protection and market integrity. In practice, what we do is identify issues that have the potential to have a significant impact on investors, FINRA member firms or the market. We look at these issues from a holistic perspective to assist FINRA and our stakeholders in leveraging all possible tactics that we can utilize to mitigate these threats.
Part of our mission is to help FINRA achieve its goal of being an intelligence-driven organization so that we can be proactive against threats rather than reactive, or left-of-boom, a term I'm sure you've heard from podcasts with my fellow FINRA colleagues. When we last spoke, we discussed how the practice of intelligence was new to FINRA at that time. Our team does not conduct examinations, investigations or market surveillance, but we do obtain a significant amount of information regarding trends and threats from those teams. And the goal is that our work will help inform their strategy and operations.
03:09 - 03:54
Blake Snyder: Just to recap from what we discussed on our last podcast, our work primarily consists of strategic and tactical intelligence. Strategic intelligence is designed to assist management and policy makers to help establish priorities and develop strategies for a unit, department or organization. Issues covered through strategic intelligence often involve concerns that impact a large number of stakeholders or the market more broadly. Tactical intelligence involves providing information that assists users in operations and informs about specific functions being performed. Our team, the FIU, sits within Member Supervision's National Cause and Financial Crimes program led by Omar Meisel.
03:55 - 04:08
Kaitlyn Kiernan: You mentioned our last podcast together. I'll link to that in the show notes as well for anyone who wants to go back and give that a listen, but have there been any major changes or developments worth highlighting since we sat down three years ago?
04:09 - 05:01
Blake Snyder: Yes, there have. We've developed our intelligence program into a more established presence within the organization and, I think, and I hope, within the industry as well. We've developed communication channels and processes within operating units of FINRA to engage with and share intelligence with those groups on a real-time basis. We've also established new ways to communicate threats to the industry and to communicate those threats to other regulators and law-enforcement as well. With respect to our engagement with the industry, firms are on the front lines and are likely to see red flags of threats and initial trends before we at FINRA might see them. Our engagement with firms has led to a point where I hope they are getting more comfortable with sharing threat intelligence with us and are more familiar with the types of intelligence that we will provide in return.
05:02 - 05:18
Kaitlyn Kiernan: Yeah, so the hope is it'll be a two-way street of information-sharing. You mentioned that FIU does not conduct investigations or exams. So, what is FIU's role then in fulfilling FINRA's mission and preventing investor or market harm?
05:19 - 06:51
Blake Snyder: So many of the threats that investors, the industry and the market face these days involve conduct by bad actors that are external to the financial industry. These types of threats are persistent and continuously evolving and can have significant impact on investors and firms. These types of issues are wide-ranging and can vary from unknown foreign bad actors orchestrating market manipulation schemes to cyber-related threats such as new account fraud and account intrusions to scams committed on individual investors such as romance scams. When faced with these threats it is imperative that we leverage all tools at our disposal to help protect investors and the market. Our goal is to help bring impacted stakeholders together as one team to fight against these issues.
Earlier, I mentioned that we view threats and trends that we cover holistically. What this means is that we are able to look broadly at an issue beyond just an exam and investigation response and work with our stakeholders both internal and external to help mitigate any threats to the extent possible. Some issues may require an exam or investigation to address the issue from a rule violation perspective. But these days it is critical that we engage with all stakeholders internal and external to FINRA. For example, some of our work has included working with industry to help inform the industry about a threat so firms can take steps to protect their customers and their firms.
06:52 - 07:10
Blake Snyder: We work closely with FINRA's Investor Education team to help inform the public and investors of threats that are directly impacting investors. We may also work with the SEC, other regulators and law-enforcement to inform those stakeholders of what we know about external threat actors impacting the financial industry.
07:12 - 07:26
Kaitlyn Kiernan: But FIU also recently introduced a new type of intelligence report called a Threat Intelligence Product or TIP. Can you tell us what a TIP is and how it differs from other FINRA offerings such as a Reg Notice?
07:26 - 08:12
Blake Snyder: Sure, TIPs are one of the new dissemination channels that we recently created to communicate threats to the industry. Before the TIP we would typically leverage Regulatory Notices to communicate threats out to firms. Regulatory Notices, however, often contain guidance on how firms can comply with rules and typically require a significant amount of review before publication because of the potential impact. As the threats to the industry have evolved, we wanted a new way to notify the industry of threats in real time without having to address rule guidance or applicability. TIPs are generally limited to a discussion of the threat, tactics external bad actors are using and effective mitigation strategies firms can consider.
08:13 - 08:23
Kaitlyn Kiernan: And FINRA recently posted a TIP about senior investor fraud to its website, but I understand there have been more TIPs, but they haven't been made public. Why is that?
08:23 - 09:35
Blake Snyder: We decided to send a majority of TIPs directly to firms because we are exposing tactics that bad actors are using and mitigation strategies that firms are using that have been proven to be effective. We don't want the bad actors to see what we are communicating and to have them change their tactics, something that we have seen recently. We also don't want to invite new bad actors by providing a playbook of how a particular threat works.
That being said, not all TIPs will be used to communicate intelligence on real-time threats and the recent Protecting Vulnerable Adult and Senior Investors product was an example of that. This product covered broad trends related to fraud committed against seniors that involved more established types of fraud that are well-documented publicly, such as romance scams and grandparent scams. In these types of scams there are more limited touchpoints to FINRA firms than the type of threat intelligence we would generally cover in TIPs that we would not publish publicly. Bad actors are constantly evolving their tactics and FINRA and the industry should be as well to position ourselves to counter these threats.
09:36 - 09:47
Kaitlyn Kiernan: So, you mentioned that one of the goals of this new TIP product is to be able to get information out more quickly. How quickly can you get one of these TIPs out to firms?
09:48 - 10:49
Blake Snyder: Fairly quickly, but we are always continuing to refine the process to be quicker and more effective. There are significant efforts that are undertaken when we identify threats that we may consider for a TIP. In order to fully understand the threat and the effective mitigation strategies that can be utilized we need to collect information that will help form our assessment. This typically involves communicating with a number of different FINRA operating units that may have useful information and engaging with FINRA member firms to understand what firms are seeing and how they are responding. We may need to collect and analyze internal data or conduct research using open-source information, by which I mean information publicly available on the internet. All of this takes some time, but we endeavor to publish TIPs as soon as we practically can. We don't need to have all the information but enough to be able to provide intelligence to our stakeholders that is useful.
10:49 - 10:58
Kaitlyn Kiernan: And if a threat falls outside of FINRA's jurisdiction and it's not something FINRA can examine for, how are you coming across these issues?
11:00 - 12:11
Blake Snyder: The majority of the threats that our team deals with typically involve bad actors external to the financial industry for which FINRA does not have jurisdiction. However, these threats are impacting FINRA member firms and investors and there are typically multiple touch points that we have where we can identify these threats. As I mentioned before, member firms are a key source of information for us as firms are on the front lines and are positioned to identify emerging issues as they arise. In addition to firms, our FINRA colleagues may identify these issues in their day-to-day work and communicate that information to us.
For example, FINRA's Initial Review Group manages the intake of all customer complaints and tips that FINRA receives. They may notice a trend in what investors and tipsters are complaining about. Or, another example, our Market Surveillance team under our Market Regulation department may identify a new type of manipulation strategy that is being utilized in the market by bad actors. These are just a couple of examples of where we might source emerging trends and threats that our team covers.
12:12 - 12:21
Kaitlyn Kiernan: And your team has been tracking a new kind of market manipulation called a ramp and dump scheme. Can you explain what that is and how it works?
12:22 - 13:54
Blake Snyder: Sure. Ramp-and-dump schemes are an evolution of the classic pump-and-dump scheme. The distinction is that bad actors are utilizing trading and nominee accounts to manipulate the price of a stock upwards instead of where pump-and-dump schemes may leverage boiler room operations or stock promotion campaigns to pump the price of a stock. Similar to a pump-and-dump scheme, however, in the dump portion of a ramp-and-dump, the bad actors are selling shares to unsuspecting investors. What's different is that these victims are typically victims of internet-based fraud schemes and are being convinced to buy shares in their brokerage account by external threat actors.
These internet-based fraud schemes typically involve some type of misdirected text message scam, which has the unfortunate name of pig butchering. In these scams victims receive a seemingly misdirected text message and the bad actor will proceed to attempt to develop a relationship with the victim over a period of weeks or months. When trust is established, the bad actor will convince the victim to purchase shares of a specific security often at a particular time and price. These types of scams were previously associated with crypto-related scams but migrated to involving activity on U.S. stock exchanges. This activity spiked in 2022 when we observed it being utilized in conjunction with initial public offerings of small-cap companies listed on U.S. stock exchanges.
13:55 - 13:59
Kaitlyn Kiernan: And how have FINRA and the FIU responded to this new threat?
14:00 - 15:44
Blake Snyder: From what we've observed the majority of these schemes are being orchestrated by bad actors outside of the industry and outside of FINRA's jurisdiction. As I was saying before, when presented with new threats like this, there may be an exam response that is necessary, but it is imperative that we use every tool at our disposal beyond just an examination. The first step we took in assessing this new threat was to publish an alert notifying the industry about the threat which we published in Regulatory Notice 22-25.
In Regulatory Notice 22-25, we provide information about how ramp-and-dump schemes work and red flags that firms can look out for to identify these schemes as they are occurring. Because of the involvement of stocks listed on U.S. stock exchanges, we worked with both NASDAQ and NYSE to publish Reg Notice 22-25 simultaneously with alerts published by both exchanges. We later met with impacted firms to brief the firms on how the threats worked and the tactics used by the bad actors. We worked with our Investor Education team on Investor Insights publications on pig butchering scams and another publication specific to ramp-and-dump scams.
On the FINRA regulatory operations side, there were a number of FINRA departments that were impacted and we organized a working group with those stakeholders to share intelligence and develop strategy to help mitigate the threat. We also shared intelligence with law enforcement and both domestic and foreign regulators. It was really a successful all-hands-on-deck approach that helped limit the activity from occurring in the future.
15:45 - 15:57
Kaitlyn Kiernan: Great, and we'll link to a lot of those resources that you just mentioned--the investor piece, the Reg Notice--but what happened after publishing that Reg Notice? Did the ramp-and-dump schemes evolve at all?
15:58 - 17:20
Blake Snyder: Yes, and while the ramp-and-dump activity involving IPOs has declined significantly, we have seen a new variation of the scheme surface. While not as prevalent as what we were seeing in 2022, what we are seeing now involves the use of ramp-and-dump schemes involving securities not involved in IPOs. These securities are already listed on U.S. stock exchanges. They're generally small-cap companies and have low market volume and lower prices. We believe these types of securities are being targeted because these stocks are easier to manipulate and also these schemes incorporate another type of threat that we covered in our last discussion: imposter scams.
Generally, this scheme works like this: an ad is placed on social media that contains a picture of a prominent investment professional or media personality, inviting prospective victims to join their exclusive investment clubs. I should point out that in this case the investment professional or media personality is a victim in this scheme because the ads are fake and the investment professionals are being impersonated. The ad will contain a link that victims can click on that will take a victim to a group chat on an encrypted messaging platform.
17:20 - 17:44
Blake Snyder: Once in the group chat, the bad actors typically will impersonate real brokers or registered investment advisors and convince the group of victims that they possess investment expertise. After building trust, the bad actors will convince victims to buy the stock that is part of the ramp-and-dump scheme. As the victims are investing, the bad actors are dumping their shares, leaving victims with significant losses.
17:45 - 18:13
Kaitlyn Kiernan: So that's a good example of why the TIPs are now no longer public so that we don't see the bad actors adapting their schemes in response to information FINRA shares. So, you mentioned the imposter scams that involve FINRA reps, but with the investment club scams that don't involve impersonating a FINRA-registered rep, what is FINRA's role if there isn't a brokerage firm or rep directly involved?
18:14 - 19:26
Blake Snyder: A critical function of our team is providing intelligence to the industry and to investors to inform them of these types of threats so that firms can help protect their customers and investors can help protect themselves. The first ever TIP that we published covered the investment club scam and we followed that with briefings with firms that were being directly impacted. And in briefings, we have a conversation with firm personnel that could potentially be involved with responding to the threat from the firm side.
We have also engaged with our Member Relations team and briefed a number of our firm advisory committees, working groups and roundtables. We worked with our Investor Ed team to publish an Investor Insight article on the subject. And after we had a better understanding of what was happening and how it works, we sent referrals to other regulators and law enforcement covering what we were seeing and the tactics being utilized. We continue to cover this issue and we've had really outstanding engagement with the industry, which I think can be a model for when similar threats arise in the future.
19:27 - 19:39
Kaitlyn Kiernan: The breadth and scope of the risk landscape today can be a little overwhelming. So, to wrap up on a more positive note, are there any best practices or mitigation strategies you can leave our listeners with today?
19:39 - 21:27
Blake Snyder: I will say that communication is always key to combating really any type of threat impacting the financial industry or probably any industry. For firms what this means is having an understanding of the various touch points within their organizations that can be leveraged to help identify new threats. This can be, for example, having a regular touch point with the brokers and operations staff that are in day-to-day contact with firms so that they understand what customers are reporting that they're seeing out in the threat landscape.
I will also say, and I understand some of the hesitation that firms can have, that sharing information on threats that firms are observing with FINRA, other regulators and law-enforcement can really help build a comprehensive response to these new and ever-evolving threats. There are also a number of public-private initiatives where industry and law enforcement can share intelligence, such as the NCFTA, which is the National Cyber Forensics Training Alliance, and also InfraGard, which is another public-private partnership led by the FBI that focuses on critical infrastructure in the U.S.
But most effectively, from what I've observed, is when firms share information with each other. This can occur through the firm advisory committees and roundtables that FINRA sponsors or through informal networks that firms establish. I've seen some really impactful work being done by firms sharing information on issues that they are seeing with each other and what practices firms have developed and can be effective.
21:28 - 21:32
Kaitlyn Kiernan: And how can firms stay up to date on the latest intelligence coming out of FIU?
21:34 - 21:58
Blake Snyder: Be on alert for TIPs that we disseminate and when appropriate we may reach out to firms directly impacted by a threat to share intelligence and to brief firms on what we were seeing. We also have a significant amount of engagement with our Member Relations department and engage with the firm advisory committees and the various working groups and roundtables that have been established.
21:59 - 22:09
Kaitlyn Kiernan: And the TIP product is still new and you've mentioned firms should feel free to share intelligence. How can they do that? How can we reach out if they have any feedback they want to share or information?
22:11 - 22:35
Blake Snyder: So, I will always say in response to any question like this is please always consider contacting your assigned risk monitoring staff. They are really in place to be that primary point of contact for the firms. But you can also reach out to me or just send an email to my team's email box [email protected].
22:35 - 23:00
Kaitlyn Kiernan: Great. Well, thanks Blake for taking the time to join me today to provide an update on all the great work going on in FIU. Listeners, if you don't already, be sure to subscribe to FINRA Unscripted on Apple Podcasts, Spotify or wherever you listen to podcasts. You can also now find us on YouTube. Today's episode was produced and coordinated by me, Kaitlyn Kiernan, and edited and engineered by John Williams.
23:00 – 23:05
Outro Music
23:05 - 23:34
Disclaimer: Please note FINRA podcasts are the sole property of FINRA, and the information provided is for informational and educational purposes only. The content of the podcast does not constitute any FINRA rule or amendment or interpretation to such rules. Compliance with any recommended conduct presented does not mean that a firm or person has complied with the full extent of their obligations under FINRA rules, the rules of any other SRO or securities laws. This podcast is provided as is. FINRA and its affiliates are not responsible for any human or mechanical errors or omissions. Parties may not reproduce these podcasts in any form without the express written consent of FINRA.