Wells Fargo Associate Duped By Email Scam

January 28, 2015

Another day and another email disaster at another major FINRA member firm. In the end, however, the customer is made a whole -- but the registered person is made a bit less than whole by a fine and suspension.  Some good lessons embedded in this regulatory settlement. 

Case In Point

For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, Michael Vincent Borja submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of Michael Vincent Borja, Respondent (AWC  #2013037029901, January 21, 2015).

In 2008, Borja entered the securities industry with FINRA member firm UBS International Inc.; thereafter, he was registered with Oppenheimer & Co. Inc from 2009 to January 2012; and then with Wells Fargo Advisors, LLC. until his May 2013 discharge. The AWC asserts that for about two weeks in July 2013, he was also employed in a non-registered capcity with VALIC Financial Advisors, Inc. The AWC asserts that Borja had no prior formal disciplinary history in the securities industry.

Registered Service Associate

Upon the inception of his employment with Wells Fargo Advisors, Borja was a registered client service associate and assigned to a stockbroker described only as "MT" in the AWC. Among Borja's duties were to open new accounts, handle trades, and process wire transfers. One of stockbroker MT's customers, described only as "GS" in the AWC, was serviced by Borja from the beginning of his employment.

November 6, 2012 Email

On November 6, 2012, Borja received an email from customer GS with an attached Letter of Authorization ("LOA") requesting the transfer of $18,971 from the customer's brokerage account to a third-party account in Lima, Peru. As it turned out, the email was not sent by customer GS but by an imposter.

Unlike many of these cases, the AWC advises us that the "email address was not one known to be associated with the customer, but contained the customer's name in the email address." 

Under such circumstances, it would appear that the sender's use of a previously unknown address might have alerted Borja and others to be wary - or at least make sure to follow the firm's protocols for handling such email requests. In fact, the AWC asserts that Borja did not call the customer to confirm the wire request but merely processed the transfer. Worse, the AWC alleges that Borja 

falsely claimed that he had spoken with GS, that he knows him personally and recognized GS's voice. Borja falsely entered "pmt to friend for personal loan" in the Service Request as the intended purpose for the wire.

December 5, 2012 Email

On December 5, 2012, received a second email from an imposter with attached LOA seeking a transfer of an additional $48,561 to the Lima account. It is unclear from the AWC whether this second email came from the same imposter as the November 6th communication. The AWC explains that "[t]his email was a variation of the email address used in the November 6, 2012 request and was also not an email address associated with the customer."

In response to this second transfer request, Borja again did not call the customer to confirm and he went ahead and processed the wire and also offered the same false assurances to his firm concerning his efforts at verification. 

Not How We Wanted It Done

During all times relevant to this matter, Wells Fargo's written supervisory procedures purportedly required, among other things, that upon receipt of a wire request seeking to transfer to a non-customer, an associate was supposed to prepare a Service Request setting forth various details and disclosures. Pointedly, the AWC asserts that:

For all outgoing wire requests in excess of $10,000, associates must personally speak with the customer, confirm the wire instructions and document the wire instructions and verification of the customer's identity in the Service Request. When accepting verbal instructions from customers, the associates must verify the customer's identity either through knowing the customer personally and recognizing his or her voice or by obtaining at least two pieces of personally identifying information. These can include a Social Security or Tax Identification Number, date of birth, home telephone number, or recent account activity. The associate must document the customer's name, who received the instructions, when the instructions were received, and how the identity of the customer was verified. . .

Made Whole

Upon discovery of the fraud, Wells Fargo fully reimbursed customer GS for the two transfers. 

Made Less Than Whole

Online FINRA BrokerCheck records as of January 25, 2015, disclose that Borja was 
"Discharged" by Wells Fargo Advisors on May 3, 2013, based upon allegations that:

MR. BORJA ENTERED CERTAIN INFORMATION ON THE FIRM'S SYSTEMS THAT WAS INCORRECT WITH RESPECT TO CLIENT ACCOUNT UPDATES, AND PROVIDED CERTAIN INFORMATION REGARDING COMPLIANCE WITH FIRM POLICY IN CONNECTION WITH A WIRE TRANSFER THAT WAS NOT ACCURATE

FINRA alleged that Borja's false attestations and submission of false information violated FINRA Rule 2010; and that his conduct further caused his firm to maintain false books and records in violation of FINRA Rules 4511 and 2010. 

In accordance with the terms of the AWC, FINRA imposed upon Borja a $5,000 fine and a suspension of 45 calendar days from associating with any FINRA-regulated broker-dealer in any capacity. 

Bill Singer's Comment

At times I am sympathetic to the often-lowly employees who seem sacrificed by their employer firms when it comes to some of these hacked/imposter email requests for wire transfers. In this case, however, FINRA got it right and I applaud the regulator's efforts and moderate sanctions. The AWC offers compliance professionals several excellent insights and tips that may suggest "best practices" for member firms. The one quibble I will note is that Wells Fargo fired Borja in May 2013 but it took FINRA about 20 months to settle this case. Truly, this type of matter should be settled or charged on a more aggressive basis.