(The news featured
below is a selection from the news covered in SEC Today, which is distributed to
subscribers of SEC
Today.)
SEC Official Reviews Developments In Identity Theft
John Walsh, an associate director and chief counsel in the
SEC's Office of Compliance Inspections and Examinations, said that his office
has recently initiated a new sweep examination for identity fraud in response to
an increase in the number and sophistication of identity thieves. Identity
thieves appear to be directing increased attention at the securities business,
he said, so compliance professionals should ensure that their policies and
procedures to prevent such fraudulent activities are effective. Walsh also noted
that the President's Task Force on Identity Fraud will soon issue a public
report that should provide helpful information on identity theft. Walsh's
remarks to the NRS fall compliance conference were posted on the SEC's Web site.
Compliance professionals should consider the risk of
identity fraud when they review their firm's risk profile, according to Walsh.
Identity theft is one of the fastest growing crimes in America, he said, with a
number of variations aimed at the securities business. Walsh described the forms
of identity theft the staff has identified, including family fraud, where a
family member gains access to a customer account. This was the most common
variation of identity theft when the staff first began to look at this problem
in its examinations several years ago, according to Walsh.
The classic account takeover fraud occurs when a stranger
gains access to an account, sells the positions and wires the proceeds to
another, often foreign, jurisdiction. The trading account takeover fraud is the
latest development, Walsh said, which involves a stranger who takes control of
an account and uses it to trade. The account may be used to buy securities that
the thief wishes to unload, or it may be used to run a pump-and-dump scheme. The
alias fraud is where identity thieves use their own money but use the victim's
identity as cover for trading or money laundering schemes.
Walsh noted that victims of identity fraud can suffer more
than financial harm. There is a lot more at stake than direct financial loss, he
said. Walsh urged compliance professionals to re-read NASD Notice to Members
05-49 on safeguarding confidential customer information. He recommended it for
advisers as well, even though it is not directed at them. He said that NASD
members should consider whether to conduct periodic audits for potential
vulnerabilities in their systems to ensure that customer records and information
are safe from unauthorized access.
Walsh said that NASD members should inquire about the
firm's front-end access controls for online accounts. If the identity thieves
are able to get past the front-end controls, the damage is done, he said. Walsh
also recommended a publication by the National Institute of Standards and
Technology called the "Electronic Authentication Guideline" which
recommends that firms determine the level of risk in granting access and the
levels of control that should be imposed based on that risk. NIST recommends
that the highest level risks be protected by multi-factor authentication.
Walsh encouraged firms to review their educational
materials that are provided to customers, including any information on their
policies for any losses due to identity theft. Finally, he urged firms to be
alert to new developments since identity theft is a rapidly evolving area.
|