Shareholder Authentication (published 2015)

Authentication in Practice

Fund groups have adopted a variety of approaches to shareholder authentication. A robust approach to shareholder authentication tends to rely on “defense in depth.” In this context, “defense in depth” implies multiple layers of protection that tend to incorporate one or more of the following three elements: (1) technological solutions that provide greater confidence in establishing the identity of a shareholder; (2) operational initiatives, which may include risk assessments and the implementation of targeted policies and procedures; and (3) educational efforts designed to reduce the risk of human error on the part of both employees and shareholders.

Technological Solutions

Fund groups may adopt a variety of technological measures, both positive and negative, to authenticate each of the various elements of a shareholder transaction: (1) the person (i.e., the shareholder); (2) the device that he or she is using to effect the transaction; (3) the details of the transaction at issue; and (4) the fund group itself. 

Fund groups have tended to focus primarily on the first of these elements—i.e., authenticating the person. This has typically been accomplished through single-factor authentication measures based on shareholder knowledge. Less commonly, fund groups have begun to employ other types of authentication measures, such as those based on hardware or software tokens or on biometrics or behavioral patterns. Moreover, once fund groups have authenticated the person, they often take steps designed to protect the integrity of a properly authenticated session so as to provide assurance that the person on the other side of the transaction continues to be the properly authenticated person. In this regard, fund groups may, for example, terminate a session after some period of inactivity.

Separate and apart from authenticating the person, some fund groups also seek to authenticate the device (e.g., a telephone, computer, or mobile device) that is being used to effect a given transaction. Here, the focus is on whether the particular device has previously been used by the shareholder. Thus, for example, in telephone transactions, a fund group might use caller ID to determine the originating telephone number and compare that number to numbers used by the shareholder in prior transactions. In online transactions, there are a variety of means (e.g., through the use of “cookies” or by examining the configuration of the device used) by which a fund group might ascertain that the device being used is the same device previously used by the shareholder.

Fund groups may also seek to authenticate the transaction itself (i.e., the details of the transaction), by seeking to establish that a given transaction is consistent with previous transactions made by the same shareholder, and therefore more likely to be a legitimate transaction. Authentication of transactions, whether after the fact or in real time, tends to help reduce the incidence of fraudulent transactions, without having a significant adverse impact on ease of use or shareholder convenience. 

Many fund groups also take steps to ensure that shareholders are able to authenticate the fund groups themselves (i.e., to confirm the identity and validity of the shareholders’ online connections to the fund groups). Often, this form of “mutual authentication” is accomplished through digital certificates signed by a trusted certifying authority or through the use of security images. 

Operational Initiatives

While technology plays a critical role in effective approaches to shareholder authentication, operational initiatives can be equally important. Operational initiatives include (1) assessments of relevant risks to transactional integrity, and (2) development of appropriate policies and procedures to mitigate those risks. 

In conducting risk assessments, fund groups tend to consider the following: 
 
  1. overall threat environment (e.g., the growing threat from external actors, the evolution in the provision of services to shareholders, and the emergence and/or discovery of new vulnerabilities);
  2. risks associated with authentication systems generally (e.g., the ongoing effectiveness of existing authentication systems, and the consideration of new technologies and techniques); 
  3. risks associated with particular transactions or groups of transactions (e.g., whether certain transactions may facilitate fraud in the future, or may, in combination with other transactions, be viewed as potentially suspicious); and 
  4. potential legal consequences of transactional fraud (e.g., whether transactional fraud, or a fund group’s approach to preventing such fraud, might lead to regulatory scrutiny and/or private litigation).

The potential for damage from fraudulent transactions is already limited, to some extent, by the “closed” nature of most fund shareholder transactions—redemptions in fund shares tend to be made to the shareholder of record at the address of record, or to pre-designated persons or bank accounts. But fund groups may utilize additional measures to further limit the potential for damage from fraudulent transactions. For example, fund groups may adopt restrictions on shareholder redemptions that are made to other persons, addresses, or bank accounts. Fund groups may also impose transaction thresholds on purchases, sales, or exchanges and/or place restrictions on the types of transactions that may be effected through certain channels (e.g., via fund group websites or mobile apps).

Fund groups also take steps to appropriately safeguard authentication-related information and to protect online transaction systems—and the authentication-related information on those systems (which may include usernames and passwords, as well as the responses to security questions)—from both external and internal threats. With respect to authentication-related information, merely encrypting passwords can be viewed as insufficient because encryption is designed to be a reversible operation: anyone who obtains the key can recover every password. To address this vulnerability, fund groups tend—in a process referred to as salting and hashing—to add random characters (a “salt”) to each password and then run the result through an algorithm designed to be irreversible, so that only the hash, not the password, is stored. As for protection of the online transaction systems themselves, a full discussion of relevant network security measures is beyond the scope of this study, but has been described in greater detail in ICI Mutual’s previous risk management studies on computer security, identity theft, and digital age risks.

Educational Efforts

As with many risk management initiatives, people are often the weakest link in the authentication chain (i.e., process). Greater awareness by employees and shareholders alike may provide an important defense against fraudulent transactions and against identity theft (which may lead to fraudulent transactions).

Some fund groups provide fraud training to some or all of their employees and seek to raise employee awareness of risks associated with fraudulent shareholder transactions. Such employee training and awareness, often conducted at regular (e.g., annual) intervals, may be specifically focused on customer service representatives who are directly interacting with shareholders, or may extend more broadly to fostering company-wide awareness with respect to fraud issues. 
 
Fund groups often take a variety of steps to raise shareholder awareness about potential threats to their personal information and assets. While not requiring financial institutions to provide such information, regulators have encouraged these efforts as a defense against fraud and identity theft. The U.S. Securities and Exchange Commission’s recent cybersecurity initiative, for example, specifically focused on information that may be given to customers about steps that they may take to reduce cybersecurity risks in conducting transactions. 