Shareholder Authentication (published 2015)

Introduction

Recent large-scale data breaches have heightened concerns among regulators, businesses, and the public over the risk of identity theft and the resulting potential for fraudulent financial transactions. Other developments associated with the digital age—i.e., advances in computing power, the rise of social media, and growth in online commerce—have also fueled these concerns. The concerns are well founded. Fraudulent customer transactions reportedly cost financial institutions and their customers billions of dollars each year. To date, most fraudulent transactions have occurred outside the mutual fund context. Yet the fund industry has not been immune, and the ongoing risk to the industry and to fund shareholders cannot be discounted. 

Fund groups have long sought to protect the integrity of transactions effected by fund shareholders, whether effected by traditional means (e.g., in writing, by telephone) or by newer means (e.g., online, via mobile apps). But the digital age has added to the challenges, and for many fund groups, these challenges have underscored the importance of “shareholder authentication”—that is, of having appropriate mechanisms and processes in place (1) to confirm the identities of shareholders who seek to conduct redemptions or other transactions involving fund shares, and (2) to ensure the integrity of the transactions that are effected by those fund shareholders.

The fund industry’s interest in effective authentication techniques reflects a recognition that even a low incidence of transactional fraud can have significant consequences for affected fund groups and their shareholders, in terms of (1) financial damage (i.e., direct financial loss for fund groups and/or fund shareholders); (2) legal damage (to the extent that transactional fraud gives rise to regulatory scrutiny and/or private litigation); and/or (3) reputational harm. Indeed, for fund groups, where maintaining the trust of shareholders and business partners is central to successful operations, the reputational harm that can be associated with fraudulent transactions may ultimately be the most significant of the three.

This study explores mechanisms and processes implemented by fund groups to confirm shareholders’ identities and to ensure the integrity of transactions. This study is divided into two parts:

  • Shareholder Authentication in Theory: Part I describes (1) general principles of authentication, and (2) limitations of authentication, both with respect to particular authentication measures and with respect to authentication generally.
  • Shareholder Authentication in Practice: Part II reviews practical considerations for fund complexes when addressing authentication issues, focusing on (1) technological solutions, (2) operational initiatives, and (3) educational efforts.

This study focuses primarily on redemptions and other fund share transactions effected by retail shareholders directly with fund groups over the telephone or online. But the contents of this study may also be relevant to the broader universe of transactions involving fund shares, including those effected by institutional shareholders, by retail shareholders transacting through financial intermediaries, and by retail shareholders who are requesting transactions by letter or facsimile. 

