Operational Initiatives
While technology plays a critical role in effective approaches to shareholder authentication, operational initiatives can be equally important. Operational initiatives include (1) assessments of relevant risks to transactional integrity, and (2) development of appropriate policies and procedures to mitigate those risks.
In conducting risk assessments, fund groups tend to consider the following:
- Overall threat environment (e.g., the growing threat from external actors, the evolution in the provision of services to shareholders, and the emergence and/or discovery of new vulnerabilities);
- Risks associated with authentication systems generally (e.g., the ongoing effectiveness of existing authentication systems, and the consideration of new technologies and techniques);
- Risks associated with particular transactions or groups of transactions (e.g., whether certain transactions may facilitate fraud in the future, or may, in combination with other transactions, be viewed as potentially suspicious); and
- Potential legal consequences of transactional fraud (e.g., whether transactional fraud, or a fund group’s approach to preventing such fraud, might lead to regulatory scrutiny and/or private litigation).
The potential for damage from fraudulent transactions is already limited, to some extent, by the “closed” nature of most fund shareholder transactions—redemptions in fund shares tend to be made to the shareholder of record at the address of record, or to pre-designated persons or bank accounts. But fund groups may adopt additional measures to further limit the potential for damage from fraudulent transactions. For example, fund groups may restrict shareholder redemptions that are made to other persons, addresses, or bank accounts. Fund groups may also impose transaction thresholds on purchases, sales, or exchanges, and/or place restrictions on the types of transactions that may be effected through certain channels (e.g., via fund group websites or mobile apps).
Fund groups also take steps to appropriately safeguard authentication-related information and to protect online transaction systems—and the authentication-related information held on those systems (which may include usernames and passwords, as well as the responses to security questions)—from both external and internal threats. With respect to authentication-related information, merely encrypting passwords can be viewed as insufficient because encryption is designed to be a reversible operation: anyone who obtains the key can recover the original passwords. To address this vulnerability, fund groups tend—in a process referred to as Salting and Hashing—to add extra characters (a “salt”) to each password and then run the result through an algorithm designed to be irreversible, so that the stored value cannot be turned back into the password. As for protection of the online transaction systems themselves, a full discussion of relevant network security measures is beyond the scope of this study, but has been described in greater detail in ICI Mutual’s previous risk management studies on computer security, identity theft, and digital age risks.
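Salting and hashing as described above, shown as an added example that is not part of this study or of any fund group's system; it assumes PBKDF2-HMAC-SHA256 from Python's standard library with an illustrative work factor of 600,000 iterations, neither of which the study specifies.

```python
import hashlib
import hmac
import secrets

# Illustrative parameters (assumptions, not values taken from the study).
HASH_NAME = "sha256"
ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"",
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm, work factor, salt, digest.

    A fresh random salt is generated per password unless one is supplied
    (the parameter exists only so tests can be deterministic). The salt is
    not secret: it makes identical passwords hash to different digests, so
    one precomputed table cannot be reused against every account.
    """
    if not salt:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare it.

    Nothing here recovers the password: the check only runs forward, which
    is what 'irreversible' buys over encryption. hmac.compare_digest keeps
    the comparison time independent of where a mismatch occurs.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        actual = hashlib.pbkdf2_hmac(algo[len("pbkdf2_"):],
                                     candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(actual, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: fail closed


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("same password, different records:", rec_a != rec_b)
    print("verify ok / wrong:", verify_password(pw, rec_a), verify_password("x", rec_a))
```

The record stores the salt and work factor alongside the digest, so the parameters can be raised for new passwords without invalidating existing ones.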