Speech by SEC Staff:
Compliance Professionals versus Identity Thieves
John H. Walsh
Associate Director - Chief Counsel, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
NRS 21st Annual Fall Compliance Conference
October 5, 2006
The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or the other members of the staff.
I am really pleased to speak here today on identity theft. Identity theft is a problem that should have everyone's attention. At a minimum, as consumers, we should be alert to identity theft because we are all potential victims. Moreover, as compliance professionals, we should be alert to identity theft because we have a critical role in preventing it.
In the past, when we conducted an examination of a firm's controls to prevent identity theft (these are usually called "information security" or "safeguarding" controls), we sometimes encountered an odd phenomenon. The firm's compliance professionals, who are usually ready to help on a number of different topics, would toss up their hands and say (in words or substance):
"We know nothing about this. You'll have to deal directly with the engineers in the Information Technology Department. They are the only ones who know what we're doing."
Those days are gone. Or at least they should be. Information security has serious compliance implications. As you look at your firm, and consider its compliance risk profile, you should not forget the danger of identity theft. Just as you ask:
- How do our branch managers protect customers from rogue brokers; or,
- How do our portfolio managers protect clients from unauthorized investments; or
- How do our custodians protect investors' assets from misappropriation?
You should also ask:
- How do we protect our customers' personal information from identity thieves?
Today, I would like to discuss a few basic questions about identity theft: what is it; why is it a problem; what law governs it; and what are we doing about it in the examination program. Then I want to raise the most important question: What can you do to help prevent it?
1. What is identity theft?
As a good working definition we can say that it is the unauthorized acquisition, transfer, or use of another person's means of identification for criminal or fraudulent purposes. Means of identification can include a name, Social Security number, brokerage account number, or anything else that can be used to identify a particular person, including both physical items, like an identity document, or electronic authenticators, like a user-ID or a password.
2. Why is identity theft a problem?
The Federal Bureau of Investigation has reported that identity theft is one of the fastest growing crimes in America. According to the FBI's annual crime survey for 2005, losses attributable to identity theft were $33 billion for businesses and $4 billion for individuals.[1] Similarly, the Federal Trade Commission has reported that identity theft was the most frequent complaint it received from consumers in 2005.[2]
Beyond these national statistics, identity theft is constantly being brought home to us as more than a theoretical problem. I am sure that many people here know someone who has been a victim. For example one of my colleagues, in my office, has been a victim of identity theft. It has taken him years to get the mess straightened out. Hopefully not too many of the people here today have been victims themselves. But the way things are going I expect we probably have a few. As these circles of experience grow, as investors come into personal contact with identity theft, they are likely to give it more attention and more weight in their calculus of what makes a market, or an individual firm, worthy of their confidence.
3. Specifically, what are identity thieves doing in the securities business?
In general, in the securities business, we are seeing four variations of identity theft. I will discuss each in turn.
The first variation is what I like to call "family fraud." In this variation a relative, usually a spouse, child, or in-law, uses personal knowledge of the customer to gain access to the customer's account. Most commonly, the identity thief then loots the account. When we first began to look at identity theft in our examinations, about four years ago, this was the most common variation of the problem that we identified.
The second variation is what I like to call the "classic account takeover." In this variation a stranger to your customer gains access to the account and then loots it. In many cases the looting is implemented by selling all the positions in the account and wiring the proceeds to a foreign jurisdiction, usually a very distant foreign jurisdiction.
The third variation is the "trading account takeover." This is an increasingly popular variation. In fact, if you are looking for a single "hot topic" in the world of identity theft, this is it. Here a stranger takes control of an account, but removes no money. Instead, he or she uses the account to trade.
In some cases the account may be used to buy securities the identity thief wants to unload. In other cases, it may be used to run a pump-and-dump manipulation: heavily trading a security to run up its price, and then, when the price gets high enough, taking profits out of a separate, unaffiliated account. This is a clever fraud, because it avoids all the back-end controls you have in place to prevent funds from being improperly removed from your firm.
The fourth and final variation is what I like to call "alias fraud." In this variation the identity thieves play with their own money but they use the victim's identity as cover. Generally, they steal the victim's identity and use that identity to open an account. The thief then funds the account and uses it for trading or money laundering schemes. I call this alias fraud, because it looks like the victim is responsible for whatever bad conduct is going on.
Most of these variations contain significant danger of financial loss. Obviously, if the assets in the account are taken by a disaffected family member, or wired to the other side of the world, there is a direct loss. Similarly, there are likely to be significant losses when the customer's investments are traded away for securities the thief wants to unload, or are invested in a heavily manipulated security.
Only in the fourth variation, the alias fraud, is the victim likely to escape direct financial loss. In fact, some firms have had to deal with the opposite problem. When the victim finds out what is going on, contacts the firm, and the account is frozen, assets may be left in it. I can assure you, if we track down the identity thief, we will not try to return his money.
Nonetheless, in all of these variations, the victims of identity theft can suffer more than financial harm. After they have been victimized by identity thieves, individuals may find themselves unable to engage in basic financial activities, such as opening a brokerage account, obtaining credit, or cashing checks. In some cases victims may find civil or criminal records attributed to their identity, and may suffer significant consequences, such as being prevented from obtaining employment. It is important to remember that there is a lot more at stake here than direct financial loss.
4. What securities law governs identity theft?
For broker-dealers, funds and advisers, identity theft is reached by at least two areas of the federal securities laws. First, many identity theft schemes at securities firms fall within the prohibitions of the anti-fraud provisions, including Securities Act Section 17(a), Exchange Act Section 10(b), and Rule 10b-5 thereunder. Over the years the Commission has brought several identity theft-type cases under the anti-fraud provisions.
For example, in the mid-1990s the Commission brought a case against an inmate in federal prison and several parolees.[3] The inmate initiated the scheme by setting up two entities with names that were purposely designed to mislead investors into believing that the entities were affiliated with a well-known financial institution. One of the perpetrators (one who was not already in prison) even assumed the identity of an executive of the real institution. The schemers prepared various forms of false identification, letterhead, and other materials, and conducted a nationwide newspaper and direct marketing campaign aimed at luring elderly investors into purchasing bogus securities. Before the scheme was shut down they defrauded investors out of more than $300,000.
In another example, in 2001 the Commission brought a case against a registered representative, Robert Ingardia.[4] The Commission found that he assumed his customers' identities, changed account information, including the customers' addresses, and then looted the accounts. In its Litigation Release the Commission identified this as a type of "identity theft" fraud.
More recently, a broker-dealer branch office manager, Frank Gruttadauria, conducted a similar fraud that lasted several years and involved the misappropriation of more than $100 million.[5] Mr. Gruttadauria took over his clients' accounts through a number of means, including causing the actual broker statements for some of these customers to be mailed to entities or post office boxes under his control. His misconduct spawned a number of enforcement actions against him and his employers, and, as those of you who work on the broker-dealer side well know, new rules by NASD and the New York Stock Exchange. In approving the new rules, the Commission said that they "may reduce the potential for customer fraud and theft of customers' identities and funds."[6]
Finally, in 2003 the Commission brought a case against a computer hacker named Van Dinh.[7] Mr. Dinh tricked a visitor to an investment analysis web site, who thought he was downloading a new stock-charting tool, into downloading malicious code: a covert keystroke-logging program known as "The Beast." This program allowed Mr. Dinh to monitor activity on the victim's home computer, including identifying the victim's on-line brokerage account and its log-in and password information. Mr. Dinh used this information to infiltrate the account and place orders to buy certain options that he held that were about to expire worthless. He managed to unload the options, and in doing so he depleted virtually all the available cash in the victim's account.
The second area under the federal securities laws relevant to identity theft is Regulation S-P, the Commission's privacy regulation. The Safeguarding portion of the regulation, 17 C.F.R. 248.30(a), requires broker-dealers, investment companies, and SEC-registered investment advisers to adopt written policies and procedures that are reasonably designed to safeguard customer records and information. Specifically, the policies and procedures must "protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer."[8] They also must "protect against any anticipated threats or hazards to the security or integrity of customer records and information."[9] Since the Commission adopted Regulation S-P, SEC examiners have reviewed firms' policies and procedures for preventing identity theft. That leads us to our next question.
5. What is the Office of Compliance Inspections and Examinations ("OCIE") doing with respect to identity theft?
In 2002 and 2003, when the current wave of identity theft first became apparent, OCIE conducted a sweep examination reviewing the policies and procedures that the largest broker-dealers and fund complexes had in place to address this problem. We reviewed broker-dealers responsible for half of all brokerage accounts in the industry, and advisory complexes managing about a third of all fund assets.
We have recently returned to this issue. Identity thieves appear to be directing increased attention to the securities business, and their attacks are growing in sophistication. To respond to these changes in the risk environment we have initiated a new sweep examination program that is being conducted by OCIE and the San Francisco District Office.
We are again reviewing firms on both sides of the industry: both broker-dealers and advisory complexes, and their policies and procedures for preventing identity theft. We hope to find robust controls to comply with Regulation S-P and to prevent the types of identity theft frauds illustrated by the Commission's enforcement cases. However, because the sweep is under way I will not discuss its size or any possible findings. Suffice to say we are pursuing it actively.
This brings me to our final question. As I said above, I have saved the most important for last.
6. What can you do to help protect your customers from identity theft?
Suppose this conference is over; you are back in your office; and you want to do your best to protect your customers from identity theft. What do you do next? I am not in a position to tell you definitively what you should or should not do. But I would like to offer a few ideas that you may want to consider. They are in the nature of a "to-do list." This is the kind of list that I would have for myself, if I were in your shoes.
To-Do List Item Number One: re-read NASD Notice to Members 05-49. It is entitled "Safeguarding Confidential Customer Information" and was issued in July 2005. This is certainly true for those of you who are NASD members. But I would recommend it to advisers as well, as interesting reading, even if it is not binding on you.
There is a lot of valuable information in NTM 05-49, but I would like to emphasize a few points. Perhaps most importantly, in a discussion of what the NASD described as "Members' Obligations," it said there is no "one-size-fits-all" policy but members should consider, at a minimum:
- Whether the firm's policies and procedures adequately address the technology it has in use;
- Whether the firm has taken appropriate technological precautions to protect customer information;
- Whether the firm is providing adequate training to its employees, both in how to use its technology and in ensuring that customer records and information are kept confidential; and
- Whether the firm is conducting, or should conduct, periodic audits to detect potential vulnerabilities in its systems and to ensure that its systems are in practice protecting customer records and information from unauthorized access.
To-Do List Item Number Two: Sit down with the people at your firm who are responsible for information security and go through these questions. No matter how small your firm may be, someone should be responsible for information security.
As you go through the questions, ask your information security managers: how do they know that their policies and procedures are adequate; that their technological precautions are appropriate; that employee training is adequate? The NASD suggests one way to answer these questions: conduct a periodic audit. Has your firm ever had such an audit? If not, what can your information security managers offer as a demonstrable basis for their answers?
To-Do List Item Number Three: As you go through the questions, be sure to ask about your firm's "front-end access controls" for on-line accounts. These controls have always been important, but they are even more so today, now that identity thieves have figured out how to exploit an account without removing any funds. In this environment, once the identity thieves get past the front-end controls, the damage is done.
If you want to do your homework before meeting with your information security managers, let me recommend a publication of the National Institute of Standards and Technology, or "NIST," called "Electronic Authentication Guideline." It was originally published in September 2004, updated in April 2006, and is available on NIST's website.[10] It lays out a very sensible approach, in language accessible to non-technicians. In essence, it recommends that you assess the level of risk involved in the access being granted, and then impose differing levels of control based on the risk.
In general terms, NIST recommends that you protect the highest level risks with multi-factor authentication. Several brokerage firms are already doing this. They provide a token to their customer to use on a voluntary basis when accessing their account. In addition, the bank regulators recently issued guidance on the use of multi-factor authentication in electronic banking transactions.[11] You may want to ask your information security managers what they have done to stay informed of technical and regulatory developments in this area.
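The risk-tiered approach described in the two paragraphs above (assess the risk of the access being granted, then require a matching level of authentication, with multi-factor authentication reserved for the highest tier) can be written down as a small policy check. The following is an added illustration, not code from the speech, from NIST, or from any firm; the operation names, the three assurance levels, the tier assignments and the sample sessions are all constructed for the example. It also reflects the point made under Item Number Three: placing a trade is put in the highest tier alongside wiring funds out, because a "trading account takeover" never touches the back-end funds controls.

```python
"""Risk-tiered authentication check (constructed illustration).

Each account operation is assigned the minimum authentication assurance an
impostor would have to defeat; a session is allowed to perform the operation
only if the factors it has presented reach that level. Unknown operations
are denied, so a newly added feature cannot silently run at the lowest tier.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Constructed ordering: a higher value means stronger evidence of identity."""
    NONE = 0          # nothing presented yet
    PASSWORD = 1      # single factor: something the customer knows
    MULTI_FACTOR = 2  # password plus a possession factor (e.g. a token)


# Constructed risk tiers. Address and e-mail changes sit in the top tier
# because they are the usual first step of a "classic account takeover";
# trading sits there because a "trading account takeover" removes no funds.
OPERATION_ASSURANCE = {
    "view_balances": Assurance.PASSWORD,
    "view_statements": Assurance.PASSWORD,
    "change_address": Assurance.MULTI_FACTOR,
    "change_email": Assurance.MULTI_FACTOR,
    "place_trade": Assurance.MULTI_FACTOR,
    "wire_out": Assurance.MULTI_FACTOR,
}


@dataclass
class Session:
    """An authenticated customer session and the factors it has presented."""
    customer_id: str
    factors: set = field(default_factory=set)  # subset of {"password", "token"}

    @property
    def assurance(self) -> Assurance:
        if {"password", "token"} <= self.factors:
            return Assurance.MULTI_FACTOR
        if "password" in self.factors:
            return Assurance.PASSWORD
        return Assurance.NONE


@dataclass
class Decision:
    allowed: bool
    operation: str
    required: Assurance
    presented: Assurance
    reason: str


def authorize(session: Session, operation: str) -> Decision:
    """Compare what the session has proven against what the operation's tier demands."""
    required = OPERATION_ASSURANCE.get(operation)
    presented = session.assurance
    if required is None:
        # Fail closed: an operation with no tier assigned is never allowed.
        return Decision(False, operation, Assurance.MULTI_FACTOR, presented,
                        f"no risk tier assigned to {operation!r}; denied by default")
    if presented >= required:
        return Decision(True, operation, required, presented, "assurance sufficient")
    return Decision(False, operation, required, presented,
                    f"step-up required: {operation} needs {required.name}, "
                    f"session presented only {presented.name}")


def step_up_events(session: Session, operations: list) -> list:
    """Return the operations a session attempted above its assurance level.

    A run of denied step-ups against high-tier operations from a password-only
    session is exactly the kind of record a periodic audit would want to review.
    """
    return [d for d in (authorize(session, op) for op in operations) if not d.allowed]


if __name__ == "__main__":
    # Constructed sessions: one password-only, one with the firm's token.
    password_only = Session("C-1001", {"password"})
    with_token = Session("C-1001", {"password", "token"})
    attempted = ["view_balances", "change_address", "place_trade", "wire_out"]
    for d in step_up_events(password_only, attempted):
        print(f"DENIED {d.operation}: {d.reason}")
    for op in attempted:
        print(f"{op}: {'allowed' if authorize(with_token, op).allowed else 'denied'}")
```

The design choice worth noting is the direction of the default: a missing tier entry denies, and the password-only session is allowed to read but not to change contact details or trade, so a stolen password alone cannot complete either the classic or the trading variation of account takeover.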
To-Do List Item Number Four: Take a look at the educational materials you provide to your customers. Are you doing everything you can to educate them on the dangers of identity theft, on the security features you offer them, and on the potential consequences of an identity attack? For example, firms often have differing positions on how losses due to attacks will be allocated between the customer and the firm. Do your materials fully explain your policies in this regard?
To-Do List Item Number Five: This is the final item. Keep an eye out for new developments. This is a fast-moving area. If you fall behind, you and your customers could find yourselves in danger very quickly.
There is one matter in particular that you should watch for. The President has established a Task Force on Identity Theft composed of federal financial and other regulators and federal law enforcement agencies. The Commission is a member of that Task Force. In the coming weeks the Task Force expects to release a public report that compiles information from all of the participating agencies. It should be very helpful with a lot of interesting information on identity theft.
In sum, for identity thieves to exploit your customers, they first have to get through your controls. That makes your policies and procedures of critical importance. If you have not done so already, it is time for you and your firm to join the fight against identity theft.