A little over a year ago, I blogged about a FINRA Enforcement action against an Ameriprise rep – but, notably, not Ameriprise – to highlight what a great job the firm did in ensuring that its sales force was not engaging in any undisclosed outside business activities.  It had a robust supervisory procedure, with multiple levels of review, generating a significant amount of documentation.  Unfortunately, this week, that same firm entered into a $4.5 million settlement with the SEC that highlighted several problems with a different Ameriprise supervisory system, one designed to detect efforts by reps to steal money from client accounts.  The system was in place; it just didn’t function that well.  As a result, Ameriprise paid the price.

Proving that sometimes the old fashioned frauds can be just as effective as nifty new cyber frauds, from 2008 and continuing to 2013, a few Ameriprise reps perpetrated a fraud against certain Ameriprise clients, engaging in approximately 600 fraudulent transactions and misappropriating $1 million in client funds. Ameriprise was clever enough to understand the old trick of a rep changing the address of record on a customer account to his or her own addresses, thereby preventing the customer from receiving a copy of a monthly account statement revealing some unauthorized distribution, whether wire or check, to the rep.  Which is exactly what these reps did.  First they changed the customers’ address, and then they “forged client signatures on dozens of Ameriprise forms, including those to change the address of a client, to disburse funds via check, and to transfer funds by wire.”

Ameriprise had a system in place that was designed to issue an automated alert when the existing address on an account was changed to one that was “controlled” by one of its reps. But, “[f]or most of the relevant period . . . [b]ecause of a technical error,” the system “did not generate a flag in instances when there was a positive match between a changed address on an existing account and a ‘controlled address.’  As a consequence, [the system] did not compare the changed address to addresses associated with Ameriprise representatives and other personnel.”  Thus, Ameriprise was unaware of the unauthorized address changes, and, moreover, it “did not conduct any system testing that could have uncovered the error.”  That’s some technical error!

In addition to the flawed address change detector, Ameriprise also had a separate system designed to make sure that reps weren’t sending money to themselves out of their customer accounts. To prevent this, the system would review the identity and the address of the receiving party of an outgoing check to ensure that it was not an address controlled by one of its reps.  The problem is that the system didn’t flag the transaction unless the two addresses matched exactly.  As the SEC pointed out, “if the address information differed as between “Avenue” and “Ave.” – the Analysis Tool would not flag the transaction as suspicious.”  So, even though the addresses to which unauthorized disbursements from customer accounts were sent “were known to Ameriprise to be associated with and controlled by” the reps, no flag was generated and the unauthorized withdrawals were not questioned, either.  In addition, the system only reviewed disbursements by check, not by wire, a rather sizable loophole, and one the reps took advantage of.

Clearly, the SEC gave Ameriprise no partial credit for trying. So, the lesson is that it is not good enough to have some whiz-bang surveillance system with a great design but which only works in theory.  As the title of this blog post notes, supervision need only be reasonable, not perfect.  But, if the flaw in the well-intended and otherwise efficacious surveillance system is so big that it permits a blatant fraud to be conducted over a five-year period, it’s hard to argue with the SEC’s conclusion that it was not reasonable.  Especially if testing that would have revealed the existence of the flaw was not conducted.