FINRA imposes $900k fine on Brex Treasury
Brex Treasury LLC has agreed to pay a fine of $900,000 as a part of a settlement with the Financial Industry Regulatory Authority (FINRA).
Brex Treasury primarily relied on an automated identity-verification algorithm that was not reasonably designed to achieve compliance with the applicable AML requirements.
In relevant part, Brex Treasury’s identity-verification algorithm attempted to match certain beneficial owner information provided by the customer through an online account application to known identities on file with various identity vendors. If there was a match that the algorithm considered sufficient, then the algorithm conducted a series of risk-based fraud checks.
Beginning in early 2021, the algorithm incorporated a machine learning model to assign a score to each customer that helped determine how to evaluate the results of certain fraud checks.
If the algorithm considered the applicable fraud checks to have been passed, then the account could be automatically approved. Otherwise, the algorithm could either automatically reject the account; request and analyze additional information (such as a photo ID, if one had not already been required); or escalate the application for manual review.
Brex Treasury’s identity-verification algorithm was not reasonably designed to achieve compliance with the applicable AML requirements. The algorithm had substantive weaknesses, including that it did not collect all of the identifying information required from customers and that it allowed accounts to be opened without a reasonable review of information from the firm’s fraud checks that may have raised red flags about the true identity of a legal entity customer or beneficial owner.
Brex Treasury’s identity-verification algorithm relied in part on matching information about purported beneficial owners to known identities. Initially, however, the firm did not collect all of the identifying information required for beneficial owners in accordance with the BSA implementing regulations.
Instead, the firm collected only the names and phone numbers of beneficial owners from prospective customers and not dates of birth, addresses, or identification numbers. Using only that limited information, the firm queried a third-party vendor for a similar identity.
If the vendor’s files contained an identity it considered at least a “strong” match to the applicant’s name and a “possible” match to the applicant’s phone number, then the firm sought the remaining pieces of identifying information required for beneficial owners indirectly from the vendor. If the vendor could provide that information, then the firm’s identity-verification algorithm considered the applicant’s beneficial owner to be a match for the identity on file at the vendor.
In January 2021, the firm began to collect the name, date of birth, address, and identification number for each beneficial owner directly from legal entity customers. The firm then submitted this information to its identity vendor. If the vendor had a matching identity in its files with the same name and identification number, the firm considered the identity of the beneficial owner verified, as long as either the date of birth or address was also an exact match.
In this scenario, however, the firm did not reasonably consider whether the date of birth or address that did not match presented a substantive discrepancy or otherwise required resolution in order for the firm to reach a reasonable belief that it knew the true identity of the beneficial owner or the legal entity customer.
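The January 2021 matching rule described above, next to a variant that holds the non-matching field for resolution, is sketched below as an added example; it is not code from Brex Treasury or from FINRA's findings. The field names, decision labels and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

FIELDS = ("name", "id_number", "dob", "address")

@dataclass(frozen=True)
class Identity:
    name: str
    id_number: str
    dob: str        # ISO date string
    address: str

def field_matches(applicant: Identity, vendor: Identity) -> dict:
    """Exact-match result per field, as the article describes the comparison."""
    return {f: getattr(applicant, f) == getattr(vendor, f) for f in FIELDS}

def rule_as_described(applicant: Identity, vendor: Identity) -> str:
    """Name and ID number match, plus either DOB or address: verified.
    The field that did not match is never looked at again."""
    m = field_matches(applicant, vendor)
    if m["name"] and m["id_number"] and (m["dob"] or m["address"]):
        return "verified"
    return "not_verified"

def rule_with_resolution(applicant: Identity, vendor: Identity):
    """Same base rule, but a DOB or address mismatch is returned as an open
    discrepancy that a reviewer must resolve before the identity is verified."""
    m = field_matches(applicant, vendor)
    if not (m["name"] and m["id_number"]):
        return "not_verified", []
    open_items = [f for f in ("dob", "address") if not m[f]]
    if not open_items:
        return "verified", []
    if len(open_items) == 2:
        return "not_verified", open_items
    return "manual_review", open_items

# Constructed sample records: same name, ID number and DOB, different address.
VENDOR_RECORD = Identity("Jane Q. Example", "000-00-0000", "1980-02-14",
                         "10 Sample St, Springfield")
APPLICANT = Identity("Jane Q. Example", "000-00-0000", "1980-02-14",
                     "PO Box 99, Other City")

if __name__ == "__main__":
    print(rule_as_described(APPLICANT, VENDOR_RECORD))
    print(rule_with_resolution(APPLICANT, VENDOR_RECORD))
```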
Brex Treasury also conducted automated fraud checks on new accounts, some of which incorporated an external “fraud score” provided by a third-party vendor. This external fraud score was intended to reflect the relative risk of potential identity fraud associated with the beneficial owner information being presented for review and ranged from zero to one, with one representing the highest risk.
The score was accompanied by “reason codes” showing the particular discrepancies or indicators of potential identity fraud that were present or had contributed to the fraud score. For example, there was a reason code to indicate that the identity being presented had been previously reported as stolen.
Brex Treasury’s identity-verification algorithm did not reasonably evaluate information the firm obtained during its fraud checks that may have called into question the true identity of a legal entity customer or beneficial owner.
By early 2021, Brex Treasury was allowing applications to bypass manual reviews of certain fraud check results based on the results of a machine learning account risk model that generated an “ARM score” for prospective accounts using various attributes of prospective customers and beneficial owners as inputs.
The ARM score was intended to roughly correspond to the risk of fraud generally, including the risk of new account fraud involving a stolen or synthetic beneficial owner identity. At times during the relevant period, if a prospective customer’s ARM score fell below thresholds the firm had deemed indicative of a lower-risk account, then the firm’s identity verification algorithm did not require manual review for certain fraud checks.
However, the firm had initially developed the account risk model by taking data primarily from its historical customer base of venture-backed and middle-market companies and attempting to apply it to a wider potential customer base that included small business customers. Those customers were relatively higher-risk because, for example, small businesses were less likely to have funding from professional investors and less likely to have been referred to the firm through its network of strategic partners in the startup community.
But because the firm did not have reasonable policies and procedures governing the design, testing, and validation of the account risk model or the identity-verification algorithm in general, the technology was not generalizable to that wider population.
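The ARM-score bypass described above can be contrasted with a gated version that only lets the model skip manual review inside the population it was built from and never over a stolen-identity reason code. This is an added example, not the firm's code: the threshold values, segment labels and reason-code name are assumptions.

```python
# Population the article says the model was primarily built from.
VALIDATED_SEGMENTS = {"venture_backed", "middle_market"}
ARM_LOW_RISK = 0.20       # hypothetical: below this the account is "lower risk"
FRAUD_REVIEW_AT = 0.70    # hypothetical: vendor fraud score (0..1, 1 = highest risk)
HARD_STOP_CODES = {"IDENTITY_REPORTED_STOLEN"}   # hypothetical reason-code name

def bypass_as_described(arm_score, fraud_score, reason_codes, segment):
    """A low ARM score alone skips manual review of the fraud-check results."""
    return "auto_approve" if arm_score < ARM_LOW_RISK else "manual_review"

def bypass_with_guards(arm_score, fraud_score, reason_codes, segment):
    """The ARM score may skip review only when no other signal objects.
    Returns (decision, reasons) so the reviewer sees why the case was held."""
    reasons = []
    if segment not in VALIDATED_SEGMENTS:
        reasons.append("segment outside the model's validated population")
    hits = sorted(HARD_STOP_CODES & set(reason_codes))
    if hits:
        reasons.append("hard-stop reason codes: " + ", ".join(hits))
    if fraud_score >= FRAUD_REVIEW_AT:
        reasons.append("vendor fraud score at or above review threshold")
    if arm_score >= ARM_LOW_RISK:
        reasons.append("ARM score not in low-risk band")
    return ("manual_review", reasons) if reasons else ("auto_approve", [])

# Constructed application: small business, low ARM score, stolen-identity flag.
SAMPLE = dict(arm_score=0.05, fraud_score=0.90,
              reason_codes=["IDENTITY_REPORTED_STOLEN"], segment="small_business")

if __name__ == "__main__":
    print(bypass_as_described(**SAMPLE))
    decision, why = bypass_with_guards(**SAMPLE)
    print(decision)
    for line in why:
        print(" -", line)
```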
Due to the weaknesses in its identity-verification algorithm, Brex Treasury verified certain identities and approved new accounts despite substantive discrepancies and red flags of potential identity fraud.
Brex Treasury also relied on a manual customer screening process that was not reasonably designed to achieve compliance with the applicable AML requirements.
From 2020 through 2021, Brex Treasury approved hundreds of potentially fraudulent accounts that attempted over $15 million of transactions using deposited funds that failed to settle. In these incidents, new accounts that had been approved using the firm’s unreasonable identity-verification processes initiated ACH or check deposits from external accounts and then withdrew or spent the funds that the firm made available.
Subsequently, those deposits were recalled as unauthorized, rejected due to insufficient funds, or refused for other reasons. After reversing such deposits, the firm in most cases could not recover the funds or confirm the customers’ true identities.
Therefore, Brex Treasury violated FINRA Rules 3310(b) and 2010.
On top of the $900,000 fine, the firm has agreed to a censure.