Transactional fraud may have significant adverse consequences for affected fund groups, including legal damage in the form of regulatory scrutiny and/or private litigation.
Over the years, regulators have focused increased attention on authentication, among other cyber issues. As early as 2005, the Federal Financial Institutions Examination Council issued its Guidance on Authentication in Internet Banking Environment, (later supplemented in 2011).1
Securities regulators have also become more active in this area.2 In April 2014, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert describing its cybersecurity examination initiative, which included a cybersecurity questionnaire for broker-dealers and registered investment advisers. One section of this questionnaire specifically focused on the authentication of customers.3 While OCIE’s questionnaire was not specifically directed at the fund industry, fund groups may find it helpful to consider the authentication-related questions both as guidance in this area and as an indication of OCIE’s examination priorities.
In February 2015, OCIE provided summary observations from its cybersecurity examination initiative. With respect to authentication issues, OCIE found that approximately half of the firms examined had received fraudulent e-mails seeking to transfer funds, and that some of those e-mails resulted in losses.4
In September 2015, OCIE issued a risk alert announcing a second round of cybersecurity examinations of investment advisers and broker-dealers. OCIE enumerates six areas of focus, including access rights and controls.5 The risk alert includes a sample document request list, which requests, among other things, information on the use of multi-factor authentication for customer access, and on policies and procedures related to verifying the authentication of customer requests to transfer funds.6
In a proceeding outside the fund industry, the SEC sanctioned an investment adviser for failure to properly authenticate transfer requests that were sent by e-mail. In this proceeding, a fraudster had hacked into an advisory client’s e-mail account and had sent e-mails requesting fund transfers to a foreign bank. Because the fraudster purportedly needed the funds immediately but had no access to a telephone, the investment adviser sent transfer instructions to its clearing firm, using a photocopy of the client’s signature on file. The SEC found, among other things, that the investment adviser had no “procedures in place to confirm the authenticity of transfer requests made by e-mail.”7
In discussing shareholder authentication, this study chiefly focuses on the steps taken by fund groups to confirm the identity of existing shareholders who seek to access and transact in their accounts. It should be noted, however, that in initial account openings, fund groups take steps—and indeed are required to take steps—to verify the identity of persons seeking to open accounts. In this regard, the SEC (together with the Treasury Department through the Financial Crimes Enforcement Network) has issued rules regarding customer identification programs for mutual funds, and has specified the information that should be collected to verify identities. This information includes, at a minimum, a customer’s name, date of birth, address, and identification number (e.g., a Social Security number).8
Back