The electronic age is both a blessing and a curse. It makes it so much more convenient to be able to send a client a quick email to ask a question, or send a required form for their signature, but the bad guys know this and take full advantage of this technology.
Most financial service provider’s written supervisory policies and procedures address email in regards to its review and archiving. Many go so far as to restrict its usage by their personnel to only work related emails. And those that have the time, money and resources take the extra step and outsource the hosting of their email to a third-party service provider and engage the services of a third-party IT administrator, or hire an in-house IT administrator to service, maintain and monitor the security of their email systems.
Additionally, most service provider’s written supervisory policies and procedures address custody and the safekeeping of client funds and securities. The policies will require checks and security certificates received from clients be locked in a safe place until they can be forwarded to the custodian, prohibit checks and certificates from being left out in the open on desks. They even go so far as to state that firm personnel are prohibited form stealing from clients.
It may be kind of obvious where this is going based on the previous. However, if it is not, let’s elaborate. If a client send an email requesting a distribution from their account to a third-party account held at a third party financial institution, or even a like named account held at a third-party institution, what are your procedures? Now bear in mind that when I say that the email comes from the client, it is understood that the email is coming from the address the client provided on all their new account forms, investment advisory agreement, suitability questionnaire, etc. So, I ask again, what is your procedure?
The answer should be that the individual assigned to deal with client requests for distributions will immediately pick up the phone and call the client to verify the request. One might think, but why; the email came from our client. Well, the answer is because there are quite a few people living in third and second world countries that have no jobs, no prospect of a job and have nothing but time on their hands. And with this time, they have been learning how to use a computer to hack into private networks of foreign countries, Wi-Fi enabled computers in people’s vehicles, Wi-Fi enabled smart TV’s, and yes, all the mainstream, private email host servers. With that being said, when an email is received from a client’s email address, it is quite possible that email account has been hacked and is now actually in control of someone who makes a living by obtaining funds from other people’s bank accounts via these types of distribution requests.
If there is any doubt to the validity of this post, please refer to this article posted on the Texas State Securities Board’s website.