Walsh Warns on Identity Theft
"Identity thieves appear to be directing increased attention to the securities business, and their attacks are growing in sophistication."
If you weren’t concerned about identity theft before, you will be after reading OCIE chief counsel John Walsh’s recent speech on the topic. Speaking at the NRS fall compliance conference, Walsh noted that the FBI has described identity theft as one of the fastest growing crimes in America and that the Federal Trade Commission reported it as the most frequent consumer complaint in 2005. The SEC, for its part, is seeing four types of identity theft in the securities business, according to Walsh:
"Family fraud," in which a spouse, child, or other relative uses personal knowledge about a client to gain access to the client’s account, often to loot the account.
"Classic account takeover," where a complete stranger gains access to a client’s account and loots it, in many cases by selling all the positions in the account and wiring the proceeds to a foreign jurisdiction.
"Trading account takeover," where the thief takes control of an account but does not remove any funds. Instead, the thief uses the account to trade, perhaps buying securities the thief wants to unload, or running a pump-and-dump securities price manipulation. Walsh described this as an increasingly popular scheme. "This is a clever fraud, because it avoids all the back-end controls you have in place to prevent funds from being improperly removed from your firm," said Walsh.
"Alias fraud," where the thief trades with their own money but uses the client’s identity as cover, so that the client appears responsible for the bad conduct occurring in the account. "Generally, they steal the victim’s identity and use that identity to open an account," explained Walsh. "The thief then funds the account and uses it for trading or money laundering schemes."
Registered investment advisers are required by Reg. S-P to adopt written policies and procedures reasonably designed to safeguard client records and information. The policies and procedures must protect against unauthorized access to or use of those records or information that could result in substantial harm or inconvenience to any client. They also must protect against any anticipated threats or hazards to the security or integrity of client records and information.
The key, of course, is the word "reasonably." An adviser that has long-standing, personalized relationships with a handful of clients will not be expected to adopt the same types of identity theft procedures as an adviser with thousands of retail clients that interact with the adviser via an on-line environment. It is also worth pointing out that Reg. S-P technically applies only to retail client information, although your institutional clients will undoubtedly appreciate their information being safeguarded as well.
Walsh noted that the SEC is currently conducting an identity theft sweep. The sweep, which is being run by OCIE and the SEC’s San Francisco office, covers broker-dealers as well as advisers. "We hope to find robust controls to comply with Regulation S-P," he said.
Walsh offered a few suggestions for firms to consider, in the form of an identity theft "to-do" list:
First, read NASD Notice to Members 05-49, "Safeguarding Confidential Customer Information." The NTM suggests that a firm consider, at a minimum:
Whether its policies and procedures adequately address the technology that it is using;
Whether it has taken appropriate technological precautions to protect customer information;
Whether it is providing adequate training to its employees, both in how to use its technology as well as in ensuring that customer records and information are kept confidential; and
Whether it is conducting, or should conduct, periodic audits to detect potential vulnerabilities in its systems and to ensure that its systems actually are protecting customer records and information from unauthorized access.
Second, go through the above questions with the people at your firm who are responsible for information security. How does the firm know that its policies and procedures, technological precautions, and employee training processes are adequate? Has an audit been conducted?
Third, if your firm offers on-line accounts, find out what your firm's front-end access controls are for these accounts. On this note, Walsh offered some recommended reading: the National Institute of Standards and Technology's "Electronic Authentication Guideline."
Fourth, review educational materials provided to clients. "Are you doing everything you can to educate them on the dangers of identity theft, on the security features you offer them, and on the potential consequences of an identity attack?" asked Walsh.
Fifth, keep an eye out for new developments. "This is a fast moving area," said Walsh. "If you fall behind, you and your customers could find yourselves in danger very quickly." He noted that the President’s Task Force on Identity Theft, of which the SEC is a member, is expected to release a public report shortly. That report, said Walsh, will be "very helpful."