To the fraudster, this is a potential treasure trove. Criminals will be attracted to the weakest link in any process and advisers need to be careful to ensure they do not have flaws in their systems.
There have been cases this year where fraudsters have tried to cash in people’s investments without their knowledge. This practice is referred to as account takeover fraud.
Cifas, the UK fraud prevention service, says incidences of this type of fraud increased by 45 per cent in the first six months of this year compared with 2006.
The process often starts with the fraudster contacting an insurer to notify a change of address. The next step is to notify a change of bank account to an account they have opened. Finally, a request is made for the surrender of investments, with the proceeds being paid to the bank account they have notified.
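As an added illustration, not part of the original column, the following Python sketch shows how an insurer's or platform's back office could flag the address-change, bank-change, surrender sequence described above before a payment is released; the event format, field names and 30-day window are assumptions.

```python
# Added example: detection rule for the account-takeover sequence
# (address change -> bank details change -> surrender request).
from datetime import datetime, timedelta

# Constructed sample event log: (timestamp, account_id, event_type)
SAMPLE_EVENTS = [
    ("2007-03-01 09:12", "A1001", "address_change"),
    ("2007-03-04 14:30", "A1001", "bank_details_change"),
    ("2007-03-06 10:05", "A1001", "surrender_request"),
    ("2006-11-20 11:00", "A2002", "address_change"),       # too old to count
    ("2007-03-05 16:45", "A2002", "surrender_request"),
    ("2007-03-02 08:00", "A3003", "bank_details_change"),
    ("2007-03-03 09:00", "A3003", "surrender_request"),
]

# Detail changes that commonly precede a fraudulent surrender (assumed names).
PRECURSORS = {"address_change", "bank_details_change"}


def parse_events(rows):
    """Convert raw rows into (datetime, account_id, event_type) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, ev) for ts, acct, ev in rows]


def flag_surrenders(events, window_days=30):
    """Return {account_id: {"severity", "precursors"}} for every surrender request
    preceded by a detail change on the same account within window_days.
    Both precursors present -> 'high'; one present -> 'medium'."""
    by_account = {}
    for ts, acct, ev in sorted(parse_events(events)):
        by_account.setdefault(acct, []).append((ts, ev))
    flagged = {}
    for acct, hist in by_account.items():
        for ts, ev in hist:
            if ev != "surrender_request":
                continue
            cutoff = ts - timedelta(days=window_days)
            recent = {e for t, e in hist if e in PRECURSORS and cutoff <= t < ts}
            if recent:
                flagged[acct] = {
                    "severity": "high" if recent == PRECURSORS else "medium",
                    "precursors": sorted(recent),
                }
    return flagged


if __name__ == "__main__":
    for acct, detail in flag_surrenders(SAMPLE_EVENTS).items():
        print(acct, detail["severity"], detail["precursors"])
```

Flagged requests would be held for out-of-band verification with the client on previously recorded contact details, not the newly notified ones.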
Given the value of long-term savings contracts when compared to the amount people keep in their current accounts, it is easy to see why the investment industry presents an attractive target.
The FSA published a special edition of its financial crime newsletter this month to draw attention to authentication and safeguarding customer identity.
It is engaging on a wider study to examine the controls that firms need to put in place to protect client data and will publish the results next spring but the FSA has already indicated some of the things it sees as key steps to protect clients.
One of the most important issues is authenticating that a person is who they say they are. This may seem obvious but in a small firm the adviser may know clients but do the admin people? It may be tempting to think that providing customers with information on investments quickly is part of providing a personal service, but at what point does it become too casual and represent a security risk?
If an old client or a client of the firm that you have not spoken to before contacts you, what is your organisation’s policy for dealing with such enquiries?
The FSA newsletter makes it clear that the regulator is looking for firms to have specific procedures to authenticate who a person is whenever transactions are taking place or personal information is being exchanged.
The newsletter identifies as an area for improvement the fact that some firms rely on recognising a customer’s voice and the social interaction that takes place.
Private banks and wealth managers are identified as regular culprits.
Firms need to make sure that clients’ personal data cannot be stolen or used for fraud. There need to be clear steps to make sure that, in the event of the theft of an adviser’s laptop or desktop computer, data cannot be easily extracted for criminal purposes. With more people using combined PDAs and mobile phones, these devices should also include security features if they are used for client data.
Nationwide’s very public loss of customer information, and the fine that accompanied it, are a clear demonstration of this risk.
I have seen most institutions become far more cautious about information held by staff. There is a need for similar action by adviser firms. Client management system providers have an obvious role to play here and should be well placed to help advisers meet obligations.
Advisers should also have clear and documented procedures for maintaining the integrity of systems. Provision of anti-virus and firewall systems is an obvious example, but maintaining the confidentiality of system log-ons and passwords is also important and many firms pay little attention to it.
In the light of this newsletter, any adviser who, when visited, has an array of notes on display with the passwords for different insurers’ extranet systems can probably expect to be called to account.
It is noticeable that the FSA questions the use of embedded hyperlinks in emails as it suggests that this can make people vulnerable to phishing attacks.
This highlights the absence of secure email infrastructure in our industry. A couple of organisations have been talking to me recently about plans to introduce such services and this can’t happen soon enough. I am amazed we have survived so long without one. In an era of unparalleled attention to companies’ carbon footprints, secure email represents an opportunity to reduce waste and cut costs. Perhaps regulatory attention will provide a catalyst.
The FSA also highlights the importance of helping customers be more security-conscious. Having processes to authenticate clients and protect data is a reasonable expectation but I think this is going a bit far and perhaps the FSA should focus on getting the first two right.
There are more than enough things for regulated firms to educate consumers about without burdening them with a responsibility to teach consumers what ought to be common sense. Perhaps the most that should be expected of firms on this last point is that they should lead by example.
Putting procedures in place to authenticate clients may seem like yet another burden on the adviser but with the public so sensitive to identity theft I believe it could represent a good opportunity for firms to demonstrate the value they place on their relationship with their clients and the data they hold about them.
It makes sense to turn the exercise into a customer care opportunity at the same time.