NEW ORLEANS - With all the shady activity going on within the fund industry of late, a panel of industry experts here at the Investment Company Institute's Operations Conference warned attendees of another set of criminals: those from outside the industry trying to steal personal information to swindle shareholders.
While identity theft and identity fraud are nothing new to the financial services industry and are commonly associated with credit cards, they are not usually associated with the fund industry, despite its vulnerability. This safe reputation is something the industry has prided itself on. However, as technology has become more widespread in the fund industry, and with the advent of new regulations requiring more complete records of investors' personal information, fund executives have slowly become more aware of the potential threat of high-tech thieves.
In the last five years, 27 million Americans have been the victims of identity theft, whether it was from a criminal taking over an existing account, or posing as the individual to open a new account. In the last year alone, there have been 10 million victims of identity theft, speakers said.
"Identity theft is not going to get any better in the near future," said Daniel T. Steiner, panel moderator and vice president and general counsel of ICI Mutual Insurance Company. "It is something that is happening all over."
The danger for mutual fund companies comes as firms try to provide individual customers with more convenience by offering tools and transactions via the Internet. Nanette Day, acting supervisory agent of the cyber crime squad at the Federal Bureau of Investigation, said that the majority of identity theft cases are via the Internet. And, firms are facilitating this kind of crime in some fashion by sending out unsolicited e-mails to customers. "When you start to send unsolicited e-mails to your customers, you are setting them up for identity fraud," Day said. She said that as customers get used to receiving these e-mails from firms they do business with, they are much more likely to open e-mails from criminals and fall prey to these cyber-predators.
One of the ways in which cyber criminals trap investors into providing personal account information is to send them unsolicited e-mails. The e-mails appear to have been sent by a firm the individual trusts with his or her assets.
One of the speakers suggested using Fidelity purely as an example. Say a perpetrator sends an e-mail containing a link to what appears to be Fidelity's Web site. The victim is unaware of the trap. Instead of being sent to Fidelity's Web site, they arrive at a phony Web site set up by the criminal. There, they are prompted to log in using his or her username and password. Once the individual readily provides this important information, the criminal goes to work transferring funds out of the account from the real site. In many of the cases, the criminals are from countries in Eastern Europe and Asia, Day said, and this makes them harder to catch.
Another way is for criminals to place a monitoring, or keystroke, device on a victim's computer via the Internet. This allows the criminal to see what the individual's log in and password are when they stroke the keyboard. This can potentially lead to devastating financial circumstances for the victims because often people use the same user name and password for multiple accounts set up with different financial institutions, including banks and credit cards.
"Once the vital information is obtained by the criminal, it becomes difficult for firms to detect. From a fund's standpoint, [they] have no way of knowing if this is the account holder or [the criminal]," said Mark Rasch, senior vice president at Chief Security Counsel Solutionary Inc.
"I don't think the systems are in place at the fund complexes yet" to deal with a major security breach, said panelist Anthony D'Elia, assistant vice president of Alliance Global Investor Services.
During a separate session, one on anti-money laundering, panelist David Loring, director of compliance for BISYS Fund Services, said that customer verification is a concern for his firm. In fact, he said, earlier this month BISYS uncovered a case of identity theft whereby an individual bought a Social Security number in order to work in this country. While this was not the case of a hardened criminal trying to empty the assets out of someone else's account, it was still a crime, he noted.
Back at the session on identity theft, panelists asked audience members how they would deal with various situations. Needless to say, many in attendance were unsure of what steps to take, such as who is liable for the losses and what firms need to do to prevent cyber theft. All were unsure of what to do should the main database be broken into. Many didn't know if contacting shareholders would be appropriate. In any case, identity theft is an area fund firms clearly need to start paying attention to.
Copyright 2003 Thomson Media Inc. All Rights Reserved.