Red-Flag Recognition, Investigation, and Escalation

Quick Answer

The principal's supervisory duty under the FINRA supervision and supervisory-control rules includes recognizing red flags in customer activity (excessive trading, unsuitable patterns, suspected exploitation), investigating them through documentation review and personnel interviews, and escalating to compliance, legal, AML, and regulators when appropriate. Tools include filing SARs, contacting the Trusted Contact Person (TCP) under the customer-account-information rule, applying temporary holds on disbursements under the senior-investor temporary-hold rule (suspected exploitation of seniors or vulnerable adults), and restricting account activity. Failure to document the supervisory response is a discrete supervisory-system violation independent of the underlying conduct.

This section synthesizes the supervisory dimension of the entire unit. The principal's job is not just to know the rules but to detect, investigate, and act when patterns suggest a violation is occurring. The exam tests this as a series of fact-pattern questions: given a set of red flags, what does the principal do?


The Supervisory Three-Step: Recognize, Investigate, Escalate

The principal's red-flag duty has three sequential steps:

Step 1: Recognize

The principal must identify patterns in customer activity that suggest a violation may be occurring. Common categories of red flags:

  • Quantitative-suitability red flags: high turnover rates, high cost-equity ratios, repeated short-term in-and-out trading, frequent switching between similar mutual funds
  • Customer-specific red flags: complex or illiquid products recommended to elderly or low-income customers, option strategies in retirement accounts, unsuitable use of margin, recommendations inconsistent with the customer's stated objectives
  • Disclosure red flags: missing markup disclosure on retail debt trades, missing breakpoint discounts on mutual fund sales, missing principal consent on net transactions, missing Form CRS delivery
  • AML / fraud red flags: structured deposits to avoid reporting thresholds, sudden unusual transfers, rapid liquidation of long-held positions, customer pressure to bypass account opening rules
  • Exploitation red flags: third party making decisions for an elderly customer, sudden changes in account designations, beneficiary changes, large withdrawals to unfamiliar accounts, signs of cognitive decline

Recognition requires both systemic detection (automated alerts on turnover, cost-equity, near-breakpoint orders, large disbursements) and individual judgment (a rep flagging a phone call from a customer who sounds confused).

Step 2: Investigate

Once a red flag is identified, the principal must investigate:

  • Pull trade history and customer profile for the account
  • Compare actual trading to the customer's stated objectives and risk tolerance
  • Interview the rep handling the account
  • Request additional documentation from the rep or the customer
  • Consult the customer's prior account statements, agreements, and disclosures
  • Document what was reviewed, when, by whom, and what was concluded

Investigation is not a formality. The principal must actually do the work and reach a documented conclusion. A "look-but-don't-document" approach fails the supervisory duty under the supervisory-system requirement.

Step 3: Escalate

If the investigation supports a violation or a need for further action, the principal must escalate:

  • Compliance department: for further internal review, interviews of additional personnel, and decisions on whether to discipline or terminate
  • Legal department: when the conduct creates litigation or regulatory exposure
  • AML / BSA officer: when the activity may require a Suspicious Activity Report (SAR)
  • Trusted Contact Person (TCP) under the customer-account-information rule: for suspected exploitation or cognitive decline
  • Temporary hold under the senior-investor temporary-hold rule: for suspected exploitation of a senior or vulnerable adult
  • Account restrictions: blocking new orders, freezing disbursements, requiring two-principal sign-off on subsequent activity

Escalation is the principal's tool for getting the issue out of their lane and into the right specialist's lane. A principal who recognizes a SAR-worthy pattern but does not escalate to AML may have personally violated the supervisory-system requirement.

Exam Tip: Gotchas

  • Escalation does not always mean "report and stop." The principal must DOCUMENT the investigation, the conclusion, and the action taken (or not taken, with rationale). Failure to document the supervisory response is a discrete supervisory-system violation independent of the underlying conduct.
  • The exam tests the three-step sequence: recognize, investigate, escalate. A principal who recognizes a red flag but does not investigate has failed step 2; a principal who investigates but does not escalate has failed step 3. Each failure is a separate supervisory violation.

Trusted Contact Person Under the Customer-Account-Information Rule

The customer-account-information rule requires a firm to make reasonable efforts to obtain the name and contact information of a Trusted Contact Person (TCP) for each customer aged 18 or older. The TCP is a person the firm may contact when it has concerns about:

  • The customer's mental capacity (signs of cognitive decline)
  • Possible financial exploitation of the customer
  • The customer's whereabouts if unreachable
  • Other matters affecting the customer's account

Limitations on TCP Authority

The TCP has no power to make decisions for the customer. Specifically:

  • Cannot authorize transactions on the customer's behalf
  • Cannot change beneficiaries or account titles
  • Cannot direct disbursements

The TCP is purely informational: the firm contacts the TCP to share concerns and gather information. The customer remains in control of all decisions. If the customer is unable to make decisions due to incapacity, formal legal authority (power of attorney, guardianship) is required, not just TCP contact.

Exam Tip: Gotchas

  • The Trusted Contact Person under the customer-account-information rule has NO power to authorize trades, change beneficiaries, or direct disbursements. The TCP is informational only. The exam tests this distinction against power of attorney (which DOES authorize action).
  • The customer-account-information rule applies to customers aged 18 or older and requires only reasonable efforts to obtain TCP information. The customer can decline to designate a TCP; the firm's obligation is to ask, not to require.

Temporary Holds Under the Senior-Investor Temporary-Hold Rule

The senior-investor temporary-hold rule allows a firm to place a temporary hold on a disbursement of funds or securities from a specified adult's account when the firm has a reasonable belief of financial exploitation.

"Specified Adult" Definition

A "specified adult" under the senior-investor temporary-hold rule is:

  • A natural person aged 65 or older, OR
  • A natural person aged 18 or older who the member reasonably believes has a mental or physical impairment that renders the individual unable to protect their own interests

Hold Mechanics

  • Initial hold: up to 15 business days
  • Extension: an additional 10 business days if the firm's review supports the reasonable belief of exploitation
  • Notification: the firm must notify all parties authorized to transact business on the account (including the suspect, in some cases) and the TCP no later than 2 business days after placing the hold
  • Internal review: the firm must conduct an internal review and report findings to compliance

The hold can be applied to disbursements (cash withdrawals, wires, ACH) and transactions in securities (added by a 2022 amendment), but not to all account activity broadly. The customer can still receive statements, the account remains open, and the firm continues to fulfill non-disbursement obligations.

Think of it this way: The senior-investor temporary-hold rule gives the firm a legal safe harbor to hold a disbursement when exploitation is suspected. Before 2018, a firm that paused a wire transfer faced potential liability for breaching its duty to the customer. The rule protects the firm from liability for the temporary hold, provided the requirements are met.

Exam Tip: Gotchas

  • The senior-investor temporary-hold rule applies to specified adults: aged 65 or older, OR aged 18+ with a mental or physical impairment. A 70-year-old customer is automatically covered; a 30-year-old customer is covered only if the firm reasonably believes there is an impairment.
  • The temporary hold under the senior-investor rule is up to 15 business days, extendable by 10 more. Compare this to the customer-account-information rule's TCP, which has no time limit because it is informational, not transactional.
  • The hold applies to disbursements and (after 2022 amendments) certain transactions, not to all account activity. The customer's account remains open and statements continue.

Suspicious Activity Reports (SARs)

When red flags suggest potential money laundering, terrorist financing, or other financial crimes, the firm must consider filing a Suspicious Activity Report (SAR) with FinCEN under the Bank Secrecy Act.

The principal's role in SAR filing:

  • Recognize activity that meets the SAR threshold (specific amounts, attempted structuring, no apparent business purpose, customer cannot explain transactions)
  • Refer to the AML compliance officer for investigation and filing
  • Maintain confidentiality: the rep, the customer, and the public must not be informed that a SAR was filed (criminal penalty for "tipping off")

SAR thresholds and AML procedures are covered in detail in Unit 10 (Account Opening and AML). For Unit 12 purposes, the principal's duty is to recognize and refer; the AML officer handles the filing.

Exam Tip: Gotchas

  • SARs are confidential. The customer must NOT be informed that a SAR was filed. Tipping off a customer about a SAR is a federal crime under the Bank Secrecy Act with civil and criminal penalties.

Documenting the Supervisory Response

Every step of the recognize-investigate-escalate sequence must be documented:

  • What was reviewed (which trades, which statements, which communications)
  • When the review occurred (date, time)
  • Who conducted the review (named principal)
  • What was concluded (specific findings)
  • What action was taken (or not taken, with rationale)

This documentation is not optional. The supervisory-system requirement obliges the firm to maintain records of supervisory activity. A supervisory file that shows "I looked at the account on July 15 and saw nothing" is sufficient if true; a file with no entry at all leaves the principal exposed when a violation later surfaces.

Exam Tip: Gotchas

  • Failure to document the supervisory response is a discrete supervisory-system violation independent of the underlying conduct. A principal who detects a red flag, takes action, and saves the day but leaves no documentation has still violated the supervisory-system requirement.
  • The supervisory file is the principal's defense in a regulatory exam. When FINRA examiners ask "what did you do about this red flag?", the answer must be in writing in the file; oral recollections are not sufficient.

How Red-Flag Recognition Connects the Unit

Every prior section of this unit produces red flags that the principal must recognize:

  • KYC, suitability, Reg BI: red flags appear when trades do not match the customer's profile
  • Discretion rule: red flags appear when discretionary trading shows excessive turnover or cost-equity
  • Breakpoint sales rule: red flags appear when fund orders cluster just below breakpoints
  • OTC equity recommendation rule: red flags appear when OTC equity recommendations are made without documented issuer review
  • Customer disclosure rules: red flags appear when annual or event-triggered disclosures (margin, SIPC, BrokerCheck, predispute arbitration) are missing from customer files
  • Negotiable-instrument rule: red flags appear when negotiable instruments are processed without express written authorization

The principal's role under the supervisory-system requirement is to look for these patterns across the firm's activity, not to wait for a regulator to find them. The supervisory function is proactive, systemic, and documented.

Exam Tip: Gotchas

  • The principal's supervisory duty under the supervisory-system requirement is proactive. A firm that says "we did not detect the violation because no one filed a complaint" has failed its supervisory duty if reasonable systemic detection would have surfaced the pattern.