Although it may not be immediately obvious, IFAs are in the front line when it comes to financial crime. The data within a fact-find alone is a treasure trove to the financial criminal and, for the most part, advisers will probably have a far greater range and depth of sensitive information that could facilitate fraud than anyone else a consumer deals with.
Identity substitution fraud is one of the fastest-growing ways of separating people from their money. If a fraudster has the right information, they can simply notify a change of address, followed by a change of bank details, and all too quickly they have the power to access customers’ bank accounts and long-term savings. Why target a few thousand pounds in a current account when you can go for multiple years of Isa contributions and other lump sum investments?
The ability of wrap accounts and platforms to contain the bulk of an individual’s wealth will probably make them a particularly attractive target. If a criminal has a document that summarises in a single place all a client’s key financial information (the name, address, previous addresses, dates of birth and a plethora of other information about an individual and their dependants), then they have a document that will enable them to circumvent almost any security checks.
Supplying information omitted from proposals is also a classic area of weakness.
Data security is not just about electronic data. The Data Protection Act has long been extended to cover paper. Last year, the FSA warned that it expects regulated businesses to carry out detailed checks, including financial standing, not just on their own employees but also on cleaners and security staff within their buildings.
Recent FSA fines for data security failings have highlighted files left unattended on desks overnight as an example of inadequate practice. It is my understanding that the regulator is now including checks on these issues in regulatory visits, so implementing a clear-desk policy and making sure you really know the financial background of anyone who has access to your office is not just important, it is now essential.
In recent years, email has become part of the fabric of business and personal life. We have become so used to using it every day that it is easy to forget that while it might be a highly effective way of communicating, in the vast majority of forms, it is also bereft of even the most basic security.
Sending an email is just like putting a postcard in the mail. If anyone suggested sending a copy of a client’s fact-find for them to check, or perhaps a statement of all their investments, including the names of the institutions, account numbers and amounts invested, on a postcard, the reaction would inevitably be one of horror. Yet sending this information in a normal email amounts to the electronic equivalent of exactly that.
It is important to recognise that the internet is home to large numbers of well-organised gangs of professional financial fraudsters who deploy massive sniffer programs to seek out and recognise sequences of numbers and data in patterns that conform to key financial information.
An unsecure email can pass across servers around the world as it finds its way to the client. If there is a sniffer program on any one of these that is run by financial criminals, the data can be easily accessed.
It is good practice for advisers to remind clients how sensitive some of their data is and caution them against using non-secure email. Many may not appreciate the weaknesses in the system but, if something does go wrong, organising the reinstatement of investments after a client has become a victim of fraud is going to be a time-consuming process for any adviser, and there is the risk that if the consumer can be demonstrated to have been negligent, they may have no recourse.
Over the last couple of years, a further risk to the system has become normal practice for millions of people: forwarding email from traditional email accounts to mobile phones.
The vast majority of such networks are not set up to deliver email securely. If an adviser firm allows its staff to forward mail from their office email accounts to their mobile phones, they have a clear duty to check the security used when the mail is forwarded. There is a strong case for only using such services on an occasional basis unless you can be certain that security is in place.
If a client decides to send you their sensitive data by email even though you have warned them not to, and you forward it to an unsecure mobile phone, the data protection breach has now been incurred by the firm. A client may choose to be careless with their data but advisers do not have that option.
Helping clients understand the risks of financial crime and identity fraud and how to mitigate them is an important way of protecting clients’ interests. It is essential for advisers to practise what they preach and to be sure that any email communications are operated in an entirely secure manner. Any who fail to do so might find themselves on the wrong end of fines from both the FSA and the Information Commissioner’s Office sooner than they think.