Safeguarding client information and avoiding wire fraud

10 tips to prevent wire fraud
- Pick up the phone: Never approve the release of funds without verbal communication with your client.
- Ask questions: Ask questions fraudsters wouldn’t know. Engage in a dialogue with your client to pick up on abnormal behavior.
- Pre-filled wire instructions: Our suggestion would be to not send pre-filled wire instructions. If you do send pre-filled wire instructions, please be sure to encrypt the email. Verbally confirm with your client that they actually requested the wire before sending the email.
- Improve Firm culture: Train your employees to spot red flags. Have a Firm procedure and culture to call back and confirm all requests using the phone number in the internal file. DO NOT use the phone number provided in the email, and be suspicious of requests to send funds to a new account, especially in a foreign jurisdiction.
- Encrypt all email traffic that contains personal identifying information (PII).
- Passwords: Consider implementing procedures similar to those your personal bank may use. Whenever you call in for a business transaction, they often will ask you a series of questions to confirm your identity.
- 2-step verification: Strongly encourage your clients to use a two-step verification process for their email accounts. This will make hacking much harder to achieve.
- Best of all: Have your client call the custodian directly to request a wire transfer. Custodians are beefing up their internal procedures to combat this current threat and may have more resources to throw at this issue than most Firms.
- Red flags:
a. Client is in a rush
b. Client is unable to speak on the phone.
c. Wires going to 3rd parties for the first time
d. Amount of money requested is outside their typical range
- Email requests: Have multiple employees review a request.
When in doubt, have the Firm’s CCO make the final recommendation.
Full article:
Email request to wire funds and wire fraud
As part of Markel Cambridge’s value proposition to our community of brokers and policyholders, we periodically share knowledge that we hope, if utilized, will mitigate risk. These types of risks could do reputational and financial harm not only to your Firm, but also to the clients you serve. This particular risk management topic is about safeguarding clients’ records and information [see Exhibit I below]. More specifically, it is related to recent attempts by hackers and thieves to deceive a Firm into believing that an email request to wire money is legitimate. Some reputable custodians are now modifying contracts to make clear their responsibility when it comes to following your Firm’s request to wire funds from your client’s account to another. The custodians are actually putting the financial responsibility back on you [see Exhibit II below].
Technology has made it possible for anyone with an Android or iPhone to make a phone call in which the caller ID will register a different name than the actual caller. In theory, you can download an application to your phone so when you call your spouse, it may pop up as a phone call from Barack Obama or George Bush (politically neutral).
Once hackers gain access to your customer’s email account, and other private and personal information, they can increase the likelihood of you believing the scam. They will first send an email requesting money to be wired from their account to another account. You may feel this is suspicious, so you write back and encourage them to call you. When they call back, the number that pops up may have been manipulated in order to deceive you into believing it is your customer.
We suggest the following:
- Pick up the phone: Never approve the release of funds without verbal communication with your client.
- Improve Firm culture: Have a Firm procedure and culture to call back and confirm all requests using the phone number in the internal file. DO NOT use the phone number provided in the email, and be suspicious of requests to a new account, especially in a foreign jurisdiction.
- Passwords: Consider implementing procedures similar to your personal bank. Whenever you call in for a business transaction, they ask you a series of questions to confirm your identity.
- BEST OF ALL: Have your client call the custodian directly to request a wire transfer. Custodians are beefing up their internal procedures to combat this current threat and may have more resources to throw at this issue than most Firms.
- CCO: When in doubt, have the Firm’s CCO make the final recommendation.
Exhibits
Exhibit I: Safeguarding of client records and information [sample custodian agreement--wire transfer responsibility]
The Firm will maintain reasonable administrative, technical, and physical safeguards reasonably designed to ensure the security and confidentiality of client records and information. To protect this information, the Firm should consider implementing some or all of the following:
Encryption requirements/considerations: Although the above reflects prudent procedures for the Firm to consider regarding information security/client privacy, the Firm should encrypt certain specific client personal information (as codified in the Massachusetts Data Privacy Act). Specifically, the Firm should (and for Massachusetts clients, the Firm must) encrypt any electronic communication that contains the client’s first and last name (or first initial and last name) in combination with any of the following:
In addition, the Firm should also confirm that its service providers have taken reasonable steps to maintain all client personal information in a confidential and secure manner. Evidence of such service provider's acknowledgment/obligation may be included in the written contract between the Firm and the provider.
Please note: Wire fraud/email request to wire funds
As a result of various wire fraud schemes that have been perpetrated upon the advisory community, no Firm employee shall, without prior authorization from the CCO or a Firm officer, process any email request to wire funds from a client’s account. ALL such requests MUST be verified verbally directly with the client prior to the processing of any such wire (confirming the authenticity of the email request, the amount and intended recipient of the funds). Any questions pertaining to the Firm’s identity theft prevention and safeguarding initiatives should be addressed with the Chief Compliance Officer.
Information courtesy of:
Exhibit II: Custodian agreement [sample]
“We agree to be financially responsible for
We agree to promptly notify “CUSTODIAN” of any known or suspected unauthorized, negligent, or inadvertent disclosure of such personally identifiable information.”

This “document” is intended for general information purposes and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. This document cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. Markel does not guarantee that this information is or can be relied on for compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional or technical advice. Persons requiring advice should consult an independent adviser or trained professional. Markel does not guarantee any particular outcome and makes no commitment to update any information herein, or remove any items that are no longer accurate or complete. Furthermore, Markel does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on this content.
Markel® is a registered trademark of Markel Group Inc.
© 2023 Markel Service, Incorporated. All rights reserved.