RIA Compliance and Practice Management Blog

RIAs Need to Prioritize Wire Fraud Prevention Education and Procedures

Posted by RIA in a Box

Jan 11, 2017 10:44:26 AM

Registered investment adviser ("RIA") regulators at the state and federal level continue to make information and cyber security a regulatory focus area. However, compliance issues aside, RIA firms need to continue to establish the proper policies and procedures to help prevent cyber security-related issues, as such issues pose an enormous business risk to all investment advisory firms. In particular, an RIA firm improperly sending a wire to an unauthorized third party posing as a client continues to pose a growing threat.


As RIA compliance consultants, we continue to hear more concern from leading industry custodians that many investment advisory firms are not properly addressing unauthorized third party wire risk. While custodians continue to design and implement more controls and systems to protect against wire fraud, often the RIA firm is still responsible for confirming to the custodian that a client wire request is legitimate. This responsibility combined with the increasing sophistication of cyber criminals means that addressing this risk should be a top priority for investment advisory firms of all sizes.

Even when an RIA firm has established strong information security policies and defense systems, the firm can often do little to prevent client email accounts from being hacked. Unfortunately, hackers are beginning to target high and ultra-high-net-worth individuals more aggressively, as the criminals recognize that such individuals offer greater wire fraud opportunity. This realization, combined with increasing social engineering vulnerabilities, means that all RIA firms are likely to experience client email hacking incidents.

Today, after a hacker gains access to an individual's personal email account, they immediately begin scanning past email correspondence to identify any financial advisor relationships. Past correspondence is examined to learn how to best imitate the client in future correspondence with the advisor. Next will often come either 1) a seemingly innocent email inquiring about the current balance of accounts or 2) an immediate wire request sent via email. At times, the hacker will even wait to send the wire request to correspond with a client's scheduled travel plans which can also be found in the client's email account. This is generally followed by an "urgent" wire request along with additional context which notes that he or she is "traveling" and "not accessible." There will also often be a convincing story as to why the funds need to be transferred to a third party account perhaps related to a large purchase or needing access to the funds while traveling internationally.

If the proper procedures are not in place and strongly enforced, the advisor or staff member may feel pressure to please the client and be too quick to approve the wire request with the custodian. Once the funds are improperly sent to a third party there is often little that can be done to retrieve the funds. With that being the case, the investment advisory firm may now have a financial liability that can reach into the millions of dollars. Furthermore, often advisors do not realize that many traditional errors and omissions ("E&O") and cyber liability insurance policies may not cover this type of loss. Thus, such a mistake can instantly jeopardize the future viability of the firm.

Given the immense business risk, we strongly recommend that all RIA firms take these immediate steps to help mitigate wire fraud risk:

  1. Educate clients on information security best practices: RIAs should consider providing cyber security education and training to clients. While not all client email account hacking incidents can be prevented, better education can help to reduce the risk.
  2. Educate clients on the firm's wire confirmation procedures: RIA firms should always verbally confirm all wire requests regardless of the circumstances. This policy and rationale needs to be communicated to clients at the start of the relationship to properly set expectations.
  3. Establish proper policies and procedures designed to mitigate wire fraud risk: RIA firms need to verbally confirm all wire requests. Best practices for verbal client confirmation may include 1) the RIA must call the client at a previously designated phone number to confirm to prevent a third party from calling and posing as the client and 2) a "secret word" can be established with the client to confirm all wire requests or to otherwise covertly alert the RIA firm that he or she is under distress and being improperly coerced to send the wire.
  4. Regularly train all RIA firm staff members: All investment advisory firm principals and staff members need to properly understand wire fraud risk. Furthermore, all staff should be trained on how to identify possible "phishing" or fake emails appearing to come from a client. In addition, the message needs to be delivered that even when under client pressure, firm policy must always be followed, even if doing so results in client dissatisfaction.
  5. Test wire fraud policies and procedures: RIA firms should consider mimicking these types of incidents to gauge how prepared the firm is and to serve as learning and teaching opportunities. Such mock tests can also help to identify potential gaps in current policies and procedures.
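As an added illustration of the confirmation procedure in step 3 (not code from RIA in a Box or any custodian), the following Python sketch models the decision logic a firm could apply to an emailed wire request: red-flag phrases in the email are only recorded, never used to approve, and release requires a callback to the phone number on file plus the agreed confirmation word, with the duress word forcing escalation. Client names, phone numbers, words and account references are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientRecord:
    """What the firm recorded at onboarding (step 2), never taken from an email."""
    name: str
    phone_on_file: str   # designated callback number (placeholder value in tests)
    confirm_word: str    # agreed "secret word" for wire confirmations
    duress_word: str     # word that covertly signals the client is being coerced


@dataclass
class WireRequest:
    client: str
    amount: float
    destination_account: str
    email_body: str
    callback_phone: Optional[str] = None   # number the firm actually dialled
    spoken_word: Optional[str] = None      # word the client gave on that call
    flags: List[str] = field(default_factory=list)


# Phrases typical of the pretext described in the post; constructed list, not exhaustive.
RED_FLAGS = ("urgent", "traveling", "not accessible", "cannot be reached", "new account")


def screen_email(req: WireRequest) -> List[str]:
    """Record red flags for staff awareness; they neither block nor approve on their own."""
    text = req.email_body.lower()
    req.flags = [f for f in RED_FLAGS if f in text]
    return req.flags


def decide(req: WireRequest, client: ClientRecord) -> str:
    """Release only after a callback to the number on file and the agreed confirmation word."""
    screen_email(req)
    if req.callback_phone is None:
        return "HOLD: verbal confirmation required before release"
    if req.callback_phone != client.phone_on_file:
        # A number supplied in the email may belong to the attacker; only the on-file number counts.
        return "REJECT: callback must use the number on file, not one supplied by email"
    word = (req.spoken_word or "").strip().lower()
    if word == client.duress_word.lower():
        return "REJECT: duress word given; escalate to compliance and do not release"
    if word != client.confirm_word.lower():
        return "REJECT: confirmation word mismatch"
    return "APPROVE"
```

Running a request through `decide` before and after the callback shows why an "urgent, traveling, not accessible" email alone can never move funds under this policy.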


RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.
