Page 50 - Investment Advisor - November 2021

THE COMPLIANCE COACH

By Thomas D. Giachetti

The SEC Is Closely Watching How Advisors Protect Clients From Identity Theft

It’s smart to go beyond a written program and implement multi-factor authentication.


Here’s a warning: Protecting your clients from identity theft means don’t rely solely on your written identity theft prevention program under Regulation S-ID. Make sure you implement multi-factor authentication wherever possible.

As we’ve told clients going through the Securities and Exchange Commission examination process, we’ve noticed an uptick in SEC staff inquiries related to identity theft prevention. Typically these questions are focused on whether registered investment advisors have adopted and are maintaining an effective written identity theft prevention program, especially if their money movement practices clearly subject them to Regulation S-ID. To address these important issues, I spoke with my partner, and our firm expert, Cary Kvitka.

WHICH RIAS ARE SUBJECT TO REGULATION S-ID?

Regulation S-ID applies to SEC-RIAs that maintain “Covered Accounts.” While the exact definition of a Covered Account is complex, at its core it is an account: 1) designed to permit multiple payments to third parties, and 2) for which “there is a reasonably foreseeable risk” that someone could perpetrate an identity theft attack and defraud or use the investment advisor as a conduit to steal client funds from that account.

Cary advised that if an advisor, or its representative, is deemed to have custody of any client funds or securities that it is required to report on Form ADV Part 1, Item 9, then the affected accounts should be treated as Covered Accounts for the purposes of Regulation S-ID. In that case, the RIA should adopt a written identity theft prevention program meeting the requirements of Regulation S-ID. At a minimum, the accounts reported on ADV Part 1, Item 9 would be subject to the written identity theft prevention program. However, we also caution RIAs to look at all of their money movement practices at that time and decide if there is a reasonably foreseeable risk that someone could abuse that particular practice to abscond with its clients’ funds from accounts that aren’t reported on ADV Part 1, Item 9. While the term “reasonably foreseeable” is subjective, an advisor that chooses not to implement a written identity theft prevention program and later suffers an identity theft attack to the detriment of its client will be in an uncomfortable position — to say the least. Therefore, it’s wise to err on the side of caution and implement a written identity theft prevention program if the advisor maintains accounts which permit the advisor to direct transfers to third parties, for which there is even the slightest chance that an identity theft attack may result in the misappropriation of its clients’ funds.

WHAT ABOUT MULTI-FACTOR AUTHENTICATION?

Cary noted that “multi-factor authentication” means going through verification of at least two of these types of authentication factors: 1) knowledge factors, such as a password; 2) possession factors, such as a token or a text message on a mobile device or application; or 3) inherence factors, such as a biometric characteristic (like a fingerprint).

In practice, this usually means that when a client or advisor representative is logging into a site containing confidential or nonpublic personal information, the multi-factor authentication mechanism will require them to enter a code sent to their mobile phone or to another email address after entering the username and password.

We encourage the use of multi-factor authentication whenever practical, for two reasons. First, there is always the possibility that the SEC can bring an enforcement action against a RIA for a data breach affecting its clients that could have been avoided, especially if it could have been averted using relatively inexpensive and functional defenses like multi-factor authentication. Second, unfortunately, we’ve been privy to data breaches that simply would not have transpired if the RIA had implemented multi-factor authentication.

Beware, regulators are aggressively watching. Please don’t be their next enforcement victim.

Thomas D. Giachetti is chairman of the Investment Management and Securities Practice Group of Stark & Stark. He can be reached at [email protected].
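To make the multi-factor description in the column concrete, here is a small two-factor login check written for this page: it combines a knowledge factor (a salted, hashed password) with a possession factor (a time-based one-time code of the kind an authenticator app produces, per RFC 6238). This is added example code, not code from the column or from Stark & Stark; the portal, the user record, the password and the `verify_login` function are all assumptions, and the one-time-code secret is the published RFC 4226/6238 test secret rather than anything a real firm would use.

```python
"""Two-factor login check: knowledge factor (password) + possession factor (TOTP).
Added example, not from the original column. All users, secrets and names are
constructed for illustration."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# --- Knowledge factor: store salted PBKDF2 hashes, never plaintext passwords ---

PBKDF2_ITERATIONS = 200_000  # assumption: a modest but realistic work factor

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) suitable for storing in a user record."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)

# --- Possession factor: TOTP (RFC 6238) = HOTP over the current 30-second step ---

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Compute the 6-digit code for Unix time `at`, as an authenticator app would."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)          # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_totp(secret_b32: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side, to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + drift * step, step), code)
        for drift in range(-window, window + 1)
    )

# --- Constructed user store (what a client portal might hold per user) ---

# RFC 4226/6238 test secret ("12345678901234567890" in base32); constructed for the demo.
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
_salt, _digest = hash_password("correct horse battery staple")  # constructed password
USERS = {
    "client42": {"salt": _salt, "pw_hash": _digest, "totp_secret": DEMO_TOTP_SECRET},
}

def verify_login(username: str, password: str, otp_code: str, at: Optional[int] = None) -> str:
    """Return 'ok' only when BOTH factors verify, otherwise a single generic 'denied'.
    Both factors are always evaluated so a caller cannot tell which one failed."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        return "denied"
    pw_ok = check_password(password, user["salt"], user["pw_hash"])
    otp_ok = check_totp(user["totp_secret"], otp_code, at)
    return "ok" if (pw_ok and otp_ok) else "denied"

if __name__ == "__main__":
    code = totp(DEMO_TOTP_SECRET, int(time.time()))  # what the user's app would show now
    print(verify_login("client42", "correct horse battery staple", code))  # ok
    print(verify_login("client42", "correct horse battery staple", "000000"))  # denied
```

Two design points are worth noting. The password and the code are compared with `hmac.compare_digest`, and both factors are evaluated before any decision is made, so a failed login reveals nothing about which factor was wrong. The one-step drift window is the usual trade-off between usability and replay exposure; a production service would additionally refuse to accept the same code twice and rate-limit attempts. The column’s SMS or email codes play the same possession-factor role; the authenticator-app form is used here only because it can be reproduced offline.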



48 INVESTMENT ADVISOR NOVEMBER 2021 | ThinkAdvisor.com