10 best practices
- Pick-up the phone: Never approve the release of funds without verbal communication with your client.
- Ask questions: Ask questions fraudsters wouldn’t know. Engage in a dialogue with your client to pick up on abnormal behavior.
- Pre-filled wire instructions: We suggest not sending pre-filled wire instructions. If you do send them, be sure to encrypt the email, and verbally confirm with your client that they actually requested the wire before sending it.
- Improve Firm culture: Train your employees to spot red flags. Have a Firm procedure and culture to call back and confirm all requests using the phone number in the internal file. DO NOT use the phone number provided in the email, and be suspicious of requests to send funds to a new account, especially in a foreign jurisdiction.
- Encrypt all email traffic that contains personally identifiable information (PII).
- Passwords: Consider implementing procedures similar to those your personal bank may use. Whenever you call in for a business transaction, they often ask you a series of questions to confirm your identity.
- 2-step verification: Strongly encourage your clients to use two-step verification for their email accounts. This makes hacking much harder to achieve.
- Best of all: Have your client call the custodian directly to request a wire transfer. Custodians are beefing up their internal procedures to combat this current threat and may have more resources to throw at this issue than most Firms.
- Red flags:
a. Client is in a rush.
b. Client is unable to speak on the phone.
c. Wires going to third parties for the first time.
d. Amount of money requested is outside their typical range.
- Email requests: Have multiple employees review a request.
When in doubt, have the Firm’s CCO make the final recommendation.
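The call-back, red-flag and multiple-reviewer rules above (and the shorter list repeated later in the bulletin) can be written down as a simple approval gate, so that a wire request cannot be processed until the checks have actually been recorded. The following is an added example, not Markel Cambridge's or any custodian's code; the field names, the decision labels and the three sample requests are assumptions chosen to exercise each rule.

```python
"""Policy-as-code gate for email wire requests (added illustration).

Encodes the bulletin's rules: verbal confirmation using the phone number on
file (never the one in the email), a second reviewer, and escalation to the
CCO on any red flag. Field names and decision labels are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

HOLD, ESCALATE, APPROVE = "HOLD", "ESCALATE_TO_CCO", "APPROVE"


def normalize_phone(number: str) -> str:
    """Digits only, so '(555) 010-2000' and '555-010-2000' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


@dataclass
class WireRequest:
    client_id: str
    amount: float
    typical_max: float          # largest wire this client normally sends (internal file)
    phone_on_file: str          # number from the Firm's own client record
    callback_number: str        # number the employee actually dialled
    verbally_confirmed: bool    # client confirmed amount and payee by voice
    payee_is_new: bool          # first wire to this third party
    foreign_jurisdiction: bool  # destination account is outside the client's country
    client_in_rush: bool
    client_unable_to_speak: bool
    reviewers: List[str] = field(default_factory=list)


def red_flags(req: WireRequest) -> List[str]:
    """The red flags from the bulletin; any one of them escalates to the CCO."""
    flags = []
    if req.client_in_rush:
        flags.append("client is in a rush")
    if req.client_unable_to_speak:
        flags.append("client unable to speak on the phone")
    if req.payee_is_new:
        flags.append("first wire to this third party")
    if req.foreign_jurisdiction:
        flags.append("destination account is in a foreign jurisdiction")
    if req.amount > req.typical_max:
        flags.append(f"amount {req.amount:,.0f} exceeds typical maximum {req.typical_max:,.0f}")
    return flags


def evaluate(req: WireRequest) -> Tuple[str, List[str]]:
    """HOLD when a hard control is missing, ESCALATE_TO_CCO on any red flag, else APPROVE."""
    blockers = []
    if not req.verbally_confirmed:
        blockers.append("no verbal confirmation with the client")
    if normalize_phone(req.callback_number) != normalize_phone(req.phone_on_file):
        # A number supplied in the email may belong to the fraudster; only the file copy counts.
        blockers.append("call-back did not use the phone number on file")
    if len(set(req.reviewers)) < 2:
        blockers.append("fewer than two employees reviewed the request")
    if blockers:
        return HOLD, blockers
    flags = red_flags(req)
    if flags:
        return ESCALATE, flags
    return APPROVE, []


# Constructed sample requests (hypothetical client, numbers and reviewers).
SAMPLE_OK = WireRequest("C-1001", 25_000, 50_000, "(555) 010-2000", "555-010-2000",
                        True, False, False, False, False, ["alice", "bob"])
SAMPLE_EMAIL_NUMBER = WireRequest("C-1001", 25_000, 50_000, "(555) 010-2000", "555-010-9999",
                                  True, False, False, False, False, ["alice", "bob"])
SAMPLE_NEW_FOREIGN = WireRequest("C-1001", 120_000, 50_000, "(555) 010-2000", "555-010-2000",
                                 True, True, True, True, False, ["alice", "bob"])

if __name__ == "__main__":
    for name, req in [("ok", SAMPLE_OK), ("email number", SAMPLE_EMAIL_NUMBER),
                      ("new foreign payee", SAMPLE_NEW_FOREIGN)]:
        decision, reasons = evaluate(req)
        print(f"{name}: {decision} {reasons}")
```

The order of checks matters: a request is held on the hard controls (verbal confirmation, number on file, second reviewer) before the red flags are even considered, so a convincing story from the caller never substitutes for the call-back.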
Email request to wire funds and wire fraud
As part of Markel Cambridge’s value proposition to our community of brokers and policyholders, we periodically share knowledge that we hope, if utilized, will mitigate risk. These types of risks could do reputational and financial harm not only to your Firm, but to the clients you serve. This particular risk management topic is about safeguarding clients’ records and information [see Exhibit I below]. More specifically, it concerns recent attempts by hackers and thieves to deceive a Firm into believing that an email request to wire money is legitimate.
Earlier this year, we sent a “Best practice: avoid wire fraud” bulletin to all of our policyholders and brokers, showing real-life examples of wire fraud scams. Since then, we’ve discovered a few more tricks the hackers are using, as well as some developments in how custodians are responding.
Some reputable custodians are now modifying contracts to make clear their responsibility when it comes to following your Firm’s request to wire funds from your client’s account to another. The custodians are putting the financial responsibility back on you [see Exhibit II below].
Schwab has recently sent a video directly to the advisory community pleading for more diligence when it comes to accepting a wire request. Markel Cambridge Alliance would like to reiterate that message and remind our advisory community of their role and power when it comes to approving wire requests. We’ve recently begun asking our policyholders about their procedures. Most responses have been very encouraging; some were not. One response stated that they do not have any procedures because they simply tell the custodian to wire the money. That is true, but the custodian is relying on you, as the fiduciary representative of the client, to instruct them.
Technology has made it possible for anyone with an Android phone or iPhone to place a call in which the caller ID registers a different name than the actual caller’s. In theory, you can download an application to your phone so that when you call your spouse, it may pop up as a phone call from Barack Obama or George Bush (politically neutral).
Once hackers gain access to your customer’s email account and other private and personal information, they can increase the likelihood that you believe the scam. They will first send an email requesting that money be wired from the customer’s account to another account. If you find this suspicious and write back encouraging them to call you, the number that pops up when they call back may have been manipulated to deceive you into believing it is your customer.
We suggest the following:
- Pick up the phone: Never approve the release of funds without verbal communication with your client.
- Improve Firm culture: Have a Firm procedure and culture to call back and confirm all requests using the phone number in the internal file. DO NOT use the phone number provided in the email, and be suspicious of requests to a new account, especially in a foreign jurisdiction.
- Passwords: Consider implementing procedures similar to those of your personal bank. Whenever you call in for a business transaction, they ask you a series of questions to confirm your identity.
- BEST OF ALL: Have your client call the custodian directly to request a wire transfer. Custodians are beefing up their internal procedures to combat this current threat and may have more resources to throw at this issue than most Firms.
- CCO: When in doubt, have the Firm’s CCO make the final recommendation.
Exhibit I: Safeguarding of client records and information [sample custodian agreement--wire transfer responsibility]
The Firm will maintain reasonable administrative, technical, and physical safeguards reasonably designed to ensure the security and confidentiality of client records and information. To protect this information, the Firm should consider implementing some or all of the following:
- Prohibit an employee from providing client information over the telephone or in response to an e-mail message unless the employee has identified the other person as:
  - the client [use an identifying word or phrase, such as a unique password, for each client];
  - a fiduciary representative of the client;
  - an authorized agent of the client; or
  - a party that needs the information to complete a transaction for the client (such as broker-dealers, custodians, or administrative service providers).
- Maintain appropriate security measures for computer and information systems, including the use of passwords and firewalls.
- Use locks and other appropriate physical security measures to safeguard client information stored in paper format. For example, employees are expected to secure client information within locked cabinets during non-business hours.
- Dispose of client information stored in electronic or paper form in such a manner (for example, through the use of a shredder) as to reasonably ensure such information is protected from unauthorized access.
- Engage a third-party service provider only after the Firm has entered into a contractual agreement that prohibits the service provider from disclosing or using confidential personal information except as necessary to carry out its assigned responsibilities.
- At all times, to maintain the integrity and security of client information, there must be reasonably up-to-date firewall protection and operating system security patches installed on all computer systems containing client information.
- Install current versions of computer system security agent software, including malware protection and reasonably up-to-date patches and virus definitions, on all computer systems containing client information.
- All computer systems shall be monitored for unauthorized use of, or access to, client information.
Encryption requirements/considerations: Although the above reflects prudent procedures for the Firm to consider regarding information security and client privacy, the Firm should encrypt certain specific client personal information (as codified in the Massachusetts Data Privacy Act). Specifically, the Firm should (and for Massachusetts clients, the Firm must) encrypt any electronic communication that contains the client’s first and last name (or first initial and last name) in combination with any of the following:
- Social Security number
- Driver’s license number or state-issued identification card number; or
- Financial account number or credit/debit card number (with or without required security codes, access codes, personal identification numbers, or passwords that permit access to a client’s financial account)
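The rule above is concrete enough to enforce automatically on outbound mail: a message needs encryption when the client's name (first and last, or first initial and last) appears together with any of the listed identifiers. The following is an added example, not code from Markel Cambridge or the cited law firm. The regular expressions, category labels and sample messages are assumptions; driver's licence formats differ by state, so that check keys on a nearby label rather than a number format, and card numbers are confirmed with a Luhn check to cut false positives.

```python
"""Outbound-email check for the name-plus-identifier encryption rule (added example).

Flags a message when the client's name appears with an SSN, a driver's licence
number, a financial account number or a payment card number. Patterns, labels
and sample messages are assumptions, not the Firm's or the law's own text.
"""
import re
from typing import List, Tuple

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Licence formats vary by state, so rely on the label that usually precedes the number.
LICENSE_RE = re.compile(
    r"\bdriver'?s?\s+licen[cs]e\s*(?:no\.?|number|#)?\s*:?\s*([A-Z0-9-]{5,20})\b",
    re.IGNORECASE)
ACCOUNT_RE = re.compile(
    r"\b(?:account|acct)\.?\s*(?:no\.?|number|#)?\s*:?\s*(\d{6,17})\b", re.IGNORECASE)
# 13 to 19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def name_pattern(first: str, last: str) -> "re.Pattern[str]":
    """Matches 'First Last' or 'F. Last' (case-insensitive) for the known client."""
    return re.compile(
        rf"\b(?:{re.escape(first)}|{re.escape(first[0])}\.?)\s+{re.escape(last)}\b",
        re.IGNORECASE)


def find_identifiers(body: str) -> List[str]:
    """Return the sorted list of identifier categories present in the message."""
    found = set()
    if SSN_RE.search(body):
        found.add("Social Security number")
    if LICENSE_RE.search(body):
        found.add("driver's license number")
    if ACCOUNT_RE.search(body):
        found.add("financial account number")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("credit/debit card number")
            break
    return sorted(found)


def requires_encryption(body: str, first: str, last: str) -> Tuple[bool, List[str]]:
    """True only when the client's name and at least one identifier both appear."""
    ids = find_identifiers(body)
    named = name_pattern(first, last).search(body) is not None
    return (named and bool(ids), ids)


# Constructed sample messages for a hypothetical client "Jane Doe".
MSG_SAFE = "Hi Jane, per our call I will send the forms tomorrow. Thanks, Bob"
MSG_ACCT = "Jane Doe asked us to move funds from account number 123456789012 to her new bank."
MSG_INITIAL = "J. Doe, SSN 123-45-6789, needs her W-9 updated."
MSG_CARD = "Jane Doe's card 4111 1111 1111 1111 was charged twice."
MSG_LICENSE = "Jane Doe sent her driver's license number S123-4567-8901 for the account opening."
MSG_NO_NAME = "Reminder: SSN 123-45-6789 on file is wrong."

if __name__ == "__main__":
    for msg in (MSG_SAFE, MSG_ACCT, MSG_INITIAL, MSG_CARD, MSG_LICENSE, MSG_NO_NAME):
        print(requires_encryption(msg, "Jane", "Doe"), "<-", msg)
```

The function returns the identifiers it found even when the name is absent (as in the last sample), so a mail gateway can still treat a bare SSN as sensitive under the Firm's own policy while distinguishing it from the narrower name-plus-identifier case the rule defines.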
In addition, the Firm should also confirm that its service providers have taken reasonable steps to maintain all client personal information in a confidential and secure manner. Evidence of such service provider's acknowledgment/obligation may be included in the written contract between the Firm and the provider.
Please note: Wire fraud/email request to wire funds
As a result of various wire fraud schemes that have been perpetrated upon the advisory community, no Firm employee shall, without prior authorization from the CCO or a Firm officer, process any email request to wire funds from a client’s account. ALL such requests MUST be verified verbally directly with the client prior to the processing of any such wire (confirming the authenticity of the email request, the amount and intended recipient of the funds). Any questions pertaining to the Firm’s identity theft prevention and safeguarding initiatives should be addressed with the Chief Compliance Officer.
Information courtesy of:
Thomas D. Giachetti, Esq.
Chairman, Securities Practice Group
Stark & Stark
993 Lenox Drive, Building Two
Lawrenceville, NJ 08648
Exhibit II: Custodian agreement [sample]
“We agree to be financially responsible for
- Any unsatisfied financial obligation in our Client’s account in the event the obligation is the result of instructions or an order we, any third party acting on our behalf, or a third-party service provider working for us directed to “CUSTODIAN”;
- Losses resulting from unauthorized access to or disclosure of personally identifiable confidential Client account information due to our failure, or the failure of any third-party agent acting on our behalf, to adequately protect and secure access to or disclosure of confidential Client personal or account information under our control.
We agree to promptly notify “CUSTODIAN” of any known or suspected unauthorized, negligent, or inadvertent disclosure of such personally identifiable information.”
The information provided in this article is intended for general informational purposes only and should not be considered as all encompassing, or suitable for all situations, conditions, and environments. Please contact us or your attorney if you have any questions.