The email looked like one of the client’s typical missives: sent from his personal account, written in his typical casual style. He would be traveling again and needed his financial advisor to wire about $40,000 to an overseas account -- a hefty sum for most, but nothing extraordinary for someone of this particular man’s financial stature. Not enough to raise any red flags.
But the email, sent last year, was fraudulent -- crafted by a growing breed of identity thief that targets high-net-worth individuals and their personal financial teams, said Raul Vargas, a fraud operations manager with theft recovery service Identity Theft 911 who says he read the email. Combining traditional dumpster diving and computer hacking, the criminals glean enough sensitive information to digitally impersonate victims and exploit their business networks.
The SEC is taking steps intended to address such fraud schemes -- and the resulting changes could affect the way some advisors do business. Early last year, under a mandate from the Dodd-Frank Act, the commission and the Commodity Futures Trading Commission proposed new rules to curb identity theft for institutions under their jurisdiction -- a group that includes some RIAs.
The proposal, modeled on the Federal Trade Commission’s earlier Red Flags Rule, would require entities that hold transaction accounts for clients to devise a written plan detailing how employees should monitor for suspicious activity and respond to breaches.
Industry groups believe the proposal could pass this year. Yet critics of the rules say they are unlikely to provide much additional protection for clients.
It’s not even clear how many RIAs would be affected. Though the proposal cites the term “investment adviser” 44 times, the SEC estimates that the draft rules would only affect about 10% of RIAs -- largely dual registrants who also work as broker-dealers. (The agency declined to provide more details.)
Many industry groups foresee an even smaller impact. “I don’t see any change in process or procedure,” said Karen Barr, general counsel for the Investment Advisor Association, an industry group that counts more than 500 advisory firms as members. Her group is urging the SEC to strike RIAs from the proposal altogether.
“Investment advisors do a lot of what they are required to do already,” Barr said. “They protect client information and try to make sure that it is not obtained by other parties, and they are also supposed to be on the lookout for signs of anything suspicious.”
Even without regulatory impetus, however, some observers warn that firms need to increase their vigilance to combat the rise in schemes targeting advisors.
Crimes exploiting the relationship between clients and financial advisors are recent phenomena that have increased significantly in the past year, said Vargas. “There is a fairly wide sense of trust on behalf of the financial advisor, and they are expected to provide top-notch service to these clients and don’t want to put them through extra verification methods ... But, unfortunately, criminals have found that vulnerability.”
Brian Hamburger, founder and managing director of advisor compliance consultancy MarketCounsel, says many firms simply don’t train their staff to be as vigilant as needed. He has entered firms where employees leave post-it notes with client information on desks or send Social Security numbers over unencrypted emails. Until a firm experiences a breach, many are too busy running their businesses to worry about identity theft, he said.
“The proposal is not likely to impact your firm, but it doesn’t mean for a second that you shouldn’t be taking steps to address [potential fraud], because there are threats of civil litigation,” Hamburger said. “While there may not be significant regulations that cover investment advisors, ignoring identity theft is ignoring it at your peril.”
Catherine Holahan is a freelance writer based in New York. Her work has appeared in BusinessWeek, on MSN.com and CNBC.com.