Shareholder Authentication (published 2015)

Limiting Potential for Damage from Fraudulent Transactions

Fund groups typically implement a range of policies and procedures that are designed to limit the potential for damage from fraudulent transactions. Following implementation of these policies and procedures, fund groups typically reassess them over time.

Common Means of Limiting Potential Damage

Fund groups may employ some or all of the following means of limiting potential for damage from fraudulent transactions:

  • Blocking certain transactions (e.g., those involving dollar amounts over a given threshold):
    • A number of fund groups do not permit redemptions in excess of a set amount per day, but may have different thresholds for purchases or exchanges.
    • In some instances, the threshold for redemptions may vary depending on whether the proceeds are to be paid by check or by wire or an Automated Clearing House (ACH) transaction.
  • Subjecting certain transactions or combinations of transactions to additional controls:
    • Fund groups may require the use of signature guarantees for changes in shareholders’ bank accounts of record or addresses of record.
    • Fund groups tend to provide confirmations of address or bank account changes to the shareholders by mail or by other appropriate means.
    • Fund groups may impose time delays on transaction requests submitted after changes to account information (e.g., a redemption processed on the same day as an address change, and wire redemptions processed within a certain number of days of a change in bank account information).
  • Requiring additional review of certain transactions that, in light of other facts and circumstances, may be viewed as potentially suspicious:
    • Fund groups may flag, for secondary review or for shareholder confirmation, a purchase request that is far in excess of a low account balance, or a one-time redemption to a foreign bank account.
  • Imposing different restrictions based on the means of transmitting the transaction requests:
    • Fund groups may have different transaction limits for voice-initiated transactions as compared to the limits for online transactions, and/or may place more stringent restrictions on transactions conducted through mobile apps than on those conducted through the full websites.
    • Fund groups may restrict the types of transactions that may be permitted by certain means (e.g., an online transaction system may permit shareholders to purchase, redeem, and exchange fund shares, but may not permit other types of transactions, such as address changes or bank account changes).
    • Many fund groups do not accept e-mailed transaction requests, citing concerns about the security of e-mail accounts.[1]
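
The controls listed above can be read as an ordered rule set applied to each transaction request. The following is an added example, not taken from the study or from any fund group's system; every dollar limit, hold period, ratio and channel permission in it is constructed for illustration, since the study gives no figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# All values below are constructed; the study states no figures.
DAILY_REDEMPTION_CAP = {"check": 50_000, "wire": 25_000, "ach": 25_000}
BANK_CHANGE_HOLD = timedelta(days=10)      # wire hold after a bank account change
LOW_BALANCE_RATIO = 10                     # purchase > 10x balance goes to review
ALLOWED = {                                # transaction types permitted per channel
    "online": {"purchase", "redeem", "exchange"},
    "mobile": {"purchase", "exchange"},    # stricter than the full website
    "phone": {"purchase", "redeem", "exchange", "address_change"},
    "email": set(),                        # e-mailed requests are not accepted
}

@dataclass
class Account:
    balance: float
    redeemed_today: float = 0.0
    address_changed: Optional[date] = None
    bank_changed: Optional[date] = None

@dataclass
class Request:
    kind: str
    channel: str
    amount: float = 0.0
    payout: str = "check"
    foreign_bank: bool = False

def evaluate(acct: Account, req: Request, today: date) -> tuple[str, str]:
    """Return (decision, reason); decision is BLOCK, HOLD, REVIEW or ALLOW."""
    if req.kind not in ALLOWED.get(req.channel, set()):
        return "BLOCK", "transaction type not permitted on this channel"
    if req.kind == "redeem":
        if acct.redeemed_today + req.amount > DAILY_REDEMPTION_CAP[req.payout]:
            return "BLOCK", "daily redemption cap exceeded"
        if acct.address_changed == today:
            return "HOLD", "redemption on same day as address change"
        if (req.payout == "wire" and acct.bank_changed is not None
                and today - acct.bank_changed < BANK_CHANGE_HOLD):
            return "HOLD", "bank account changed recently"
        if req.foreign_bank:
            return "REVIEW", "redemption to foreign bank account"
    if req.kind == "purchase" and req.amount > LOW_BALANCE_RATIO * max(acct.balance, 1.0):
        return "REVIEW", "purchase far exceeds account balance"
    return "ALLOW", "within limits"
```

Hard blocks are checked before holds and reviews so that a request that can never be honoured is rejected without queuing it for a reviewer.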

Ongoing Review of Transaction Limitations

Fund groups tend to periodically reassess the transaction limitations they have in place and to determine whether these limitations remain effective and feasible. As one fund group representative consulted for this study observed, shareholder expectations are changing and limitations, such as waiting periods, are less acceptable to some shareholders now than they may have been in the past. Other requirements, such as the requirement that a shareholder obtain a signature guarantee to effect certain transactions, are also under pressure, with some shareholders reporting that signature guarantees have become more difficult to obtain in recent years. Responding to these concerns, some fund groups consulted for this study have been exploring potential substitutes for signature guarantees, including the use of enhanced authentication techniques (e.g., voice verification).

With respect to bank account changes, fund groups often take steps to verify that the new bank account does, in fact, belong to the shareholder. Some fund groups consulted for this study report that, in recent years, due to changes in privacy and other laws, banks may refuse to provide such verifications. To address this issue, some fund groups use “micro-deposits” to verify that the shareholder controls the new bank account (i.e., a fund group makes one or two deposits of a few cents in a shareholder’s bank account, with the shareholder thereafter required to confirm the deposit amounts to the fund group). Fund groups may also consider whether to engage third-party service providers to verify bank account information. (One fund group consulted for this study reported that it has considered engaging the services of one such service provider.)
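
The micro-deposit check described above, sketched as an added example that is not from the study or from any fund group's implementation. The attempt limit, validity window and 1-99 cent range are assumptions; the point it shows is that the amounts form a small guessing space, so the confirmation step needs unpredictable amounts, an expiry and a lockout.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                     # constructed limit
CHALLENGE_TTL = timedelta(days=7)    # constructed validity window

def _draw_cents() -> tuple:
    # Two deposits of 1-99 cents from a CSPRNG so they cannot be predicted.
    return (secrets.randbelow(99) + 1, secrets.randbelow(99) + 1)

@dataclass
class MicroDepositChallenge:
    issued_at: datetime
    cents: tuple = field(default_factory=_draw_cents)
    attempts: int = 0
    status: str = "PENDING"          # PENDING, VERIFIED, LOCKED or EXPIRED

    def confirm(self, reported: tuple, now: datetime) -> str:
        """Check the amounts the shareholder reports seeing in the bank account."""
        if self.status != "PENDING":
            return self.status       # terminal states never reopen
        if now - self.issued_at > CHALLENGE_TTL:
            self.status = "EXPIRED"
            return self.status
        self.attempts += 1
        # Compare order-insensitively and in constant time.
        expected = ",".join(map(str, sorted(self.cents))).encode()
        given = ",".join(map(str, sorted(reported))).encode()
        if hmac.compare_digest(expected, given):
            self.status = "VERIFIED"
        elif self.attempts >= MAX_ATTEMPTS:
            # Only 99 * 99 combinations exist, so stop guessing early and
            # require a fresh challenge or manual review.
            self.status = "LOCKED"
        return self.status
```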




Sources

  1. See, e.g., FINRA, Customer Account Protection: Verification of Emailed Instructions to Transmit or Withdraw Assets from Customer Accounts (Jan. 2012), http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p125462.pdf; Fraud Alert Involving E-mail Intrusions to Facilitate Wire Transfers Overseas, FBI, Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3) (Jan. 20, 2012), http://www.ic3.gov/media/2012/EmailFraudWireTransferAlert.pdf.