Protect clients from ID theft -- or else
WASHINGTON -- As federal authorities warn of the mounting threats of identity theft, the SEC has moved ahead with rules mandating that many advisors implement policies and procedures to help shield their clients' information from scammers.
As a threshold matter, not all advisors are necessarily subject to the SEC's Red Flags rules, but having in place a framework to deal with identity theft might be considered a best practice for all firms, according to Peter Mafteiu, principal at Sound Compliance Services.
"You really need to be aware and at least train your people on what red flags are and why we're talking about them," Mafteiu says. "It may be a gray [area] about whether you meet the technical definitions, but I still think it's incumbent on you as a fiduciary to protect your clients and have some procedures in place."
RULES ALREADY IN EFFECT
Red Flags rules to guard against identity theft have been on the books since 2003, but they had been implemented and enforced by the Federal Trade Commission and other agencies outside the advisory sector.
Then, with the passage of the 2010 Dodd-Frank Act, the SEC and the Commodity Futures Trading Commission gained the authority to write rules to flag for signs of identity theft that would be imposed on certain advisors, broker-dealers and other regulated entities in the financial services sector.
The SEC set a compliance deadline for the Red Flags rules, or Regulation S-ID, for Nov. 20, 2013, and has offered guidance to help advisors determine whether the rules in fact apply to them.
In general, advisors overseeing transaction accounts that are deemed "covered" under the rules must develop a formal set of policies and procedures for identifying, detecting and responding to warning signs of identity theft.
"If you have authority to direct payment from the investor's account to a third party, you can potentially be implicated," said Jennifer Porter of the SEC's Division of Investment Management earlier this year at an industry conference. The commission also notes that all covered entities have the same responsibility under the rules, which offer no exemption for smaller firms.
Advisors who hold custody over their clients' accounts will almost certainly be covered by the Red Flags rules, Mafteiu says, though he urges all firms to establish regular training programs to get staff up to speed on how to detect and prevent potential identity theft.
"Once-a-year training is not enough," he says. "It really does rely on the administrative levels staff and their professionalism to catch this stuff."
A favorite scam involves hackers who gain control of a client's email and, posing as the client, send the advisor bogus instructions to transfer funds, often to an offshore account.
Mafteiu recalls the experience of one advisor that works with his firm. That practice, a small shop in the Pacific Northwest, received an email purportedly sent from a wealthy client that advisors at the firm knew to be traveling overseas. In the guise of the client and his wife, the fraudsters explained the couple had fallen in love with and were determined to buy a piece of property, asking the advisory firm to wire $30,000 to a bank located in the Democratic Republic of the Congo.
The message came through in perfect English. In this case, that was a red flag. An administrative staffer who regularly communicated with the real client was accustomed to receiving messages with no capitalization and sloppy punctuation. The hackers were persistent, badgering the firm to wire the funds. But the firm would not, and when staffers were finally able to reach the clients overseas, they confirmed what they suspected, that the request was bogus. The advisors turned the matter over to the FBI.
"[The] industry's just been bombarded by hackers who are hacking into personal email accounts and then posing as that client and sending instructions to wire to a registrant," Mafteiu says. "Whether it's four or 40 people, everybody has to understand the mission -- it's a combined mission to stop hackers from hacking clients and giving fake instructions."
The SEC has been deliberately broad in developing its Red Flags rules. For instance, there are no specific mandates keyed to certain types of warning signs, nor are there any directives stipulating specific policies and procedures that covered firms must implement.
The commission instead opted to provide the industry with guidance and a set of examples to help illustrate scenarios in which advisors and other financial professionals might invoke their procedures for responding to potential identity theft.
That approach fits with the tack the government has taken more broadly on issues of cybersecurity, eschewing prescriptive mandates that some warn could limit businesses' ability to respond to an ever-changing array of threats.
"The stock-in-trade for the cyber criminal is to be innovative and to find the newest hole," says Michael Weissmann, a partner at the law firm Bingham McCutchen.
As advisors develop a risk-based framework of policies and procedures to combat identity theft and other threats to sensitive information, experts note that they should keep in mind the damage that a breach or identity theft incident can inflict on a practice, not only attracting the attention of regulatory authorities, but potentially costing the firm clients.
"There's regulatory risk for sure," Weissmann says. "But there's also reputational risk that can't be underestimated. I think that firms need to be aware of that."