CPD: Identity theft – financial advisers at the consumer protection frontline


Financial services is a high-risk sector, and advisers, and their processes, act as a vital first line of defence in protecting consumers.

The world is full of traps for the unwary. Seemingly every day, millions of Australians are bombarded with emails, SMSs and robocalls attempting to defraud them of money, data, and even worse, their identity.

And it’s only getting worse. Thanks to the love affair we have with our mobiles, and our increasing preference for online, rather than human, interactions, we are falling victim to scams and frauds at an ever-increasing rate.

According to the ACCC’s ‘Scamwatch’, Australians lost $175m to scams in 2020. In 2021, that figure was exceeded by the end of August, at which point losses of $192m had been reported by thousands of unsuspecting citizens[1].

Of all the different types of scams and fraud, perhaps the most insidious is identity theft. That’s because once someone has stolen your identity, they can not only access your money, but they can also do things in your name – take out credit, sign contracts, commit other crimes. And untangling yourself from these things can often be a long, complicated, and stressful process. Finding your credit rating has been destroyed by someone pretending to be you could actually be mild, compared to the potential damage identity theft can cause.

From a financial perspective, Australians lost over $3 million to identity theft fraud during 2020. As Figure 1 below shows, for the first 10 months of that year, around 17,000 incidents of identity theft had been reported[2].

By 2021, identity theft had gone nuclear. According to Scamwatch, more than $2.2 million was lost to identity theft in August 2021 alone – a 500% increase on July 2021, and a 700% increase on August 2020[3].

Australians aged from 45 to 54 years old were most impacted by identity theft, followed by Australians between 25 and 34 years old.

Stories like this are common:

Identity theft, a victim’s story:

‘I received an SMS informing me that my mobile number was being ported to a different network provider. As I had not authorised this, I contacted my mobile provider to find out why my number was being ported. I immediately realised what was going on and phoned my bank. While on the phone, I tried logging in to my internet banking, but to no avail. As I was talking to the bank, I started receiving emails about my personal details being changed and the PIN to the credit card being changed.

I ordered this particular credit card two weeks ago. It was supposed to be delivered to my address, but I have not received the card to date. I told the consultant that my credit card just got activated and that the PIN had been changed. The consultant started blocking my accounts and cards. However, the following day when I went to the bank, they realised that the fraudster had managed to lift the block and maxed out my credit card.’[4]

Identity theft is arguably more psychologically harmful to its victims – having money stolen is one thing but the sense that one’s whole life and identity has been taken away would, for many, elevate the sense of violation to a whole new level.

Why does this matter for financial advisers?

There are three major reasons that make identity theft scams particularly relevant to financial advisers. Ultimately all revolve around the concept of consumer protection.

Firstly, advisers are responsible for safeguarding their clients’ financial futures. Making clients aware of potential vulnerabilities and helping them take action to protect them – i.e., basic financial risk management – is arguably central to that responsibility.


Secondly, financial products in particular represent a high category of risk, due to the volume of sensitive personal financial and health data often required in establishing investment instruments and life insurance policies. The products that advisers have placed their clients into could well be the ones that are vulnerable in the event of identity theft.

And thirdly, advisers, through their identification verification processes and client data protection obligations (under the Privacy Act and Anti Money Laundering Act), are very much at the forefront of protecting their clients, and community members more broadly, from identity theft.

Advisers agree they should help their clients protect themselves

A survey of Australian financial advisers several years ago[5], when scams were less common and less sophisticated (African Princes were pretty easy to see through), suggested a growing number of advisers felt they had a responsibility to help their clients protect themselves against identity theft. That study, conducted by Zurich, found that more than half of advisers under the age of 45, and nearly 60% of female advisers, felt this was a relevant area for them to help their clients with.

In the US, regulators agree, and for almost a decade, their Red Flag Rule has required financial services providers – including certain categories of financial advisers – to develop and implement a written identity theft prevention program on behalf of their clients[6].

Whilst such specific rules aren’t yet in place in Australia, there are other requirements – such as those relating to anti money laundering – which work to mitigate the risk of identity theft somewhat.

How does identity theft occur?

Whilst identity theft involves more than simply stealing someone’s PIN number or password or credit card csv – the aim of many phone, SMS, and email-based scams – it is still remarkably easy to gather enough information about an individual to be able to assume their identity.

Identity theft can be perpetrated through both analogue and digital means. The old-fashioned way can involve people stealing your purse/wallet or intercepting your mail from an unsecured mailbox and obtaining newly issued debit/credit cards, bank/super statements, prefilled credit card offers, phone bills and other documents containing sensitive personal information. Common stories include people being offered drugs to go through people’s garbage bins.

The more contemporary way often involves social media, where unsuspecting ‘oversharers’ can inadvertently give away their birthday, their friends, their address, their car registration and their travel plans (along with lots of photos of themselves). Posts on social media complaining about your bank or telco also signal to the world who you use for these services, creating the opportunity for targeted phishing scams.

A criminal doesn’t have to be overly savvy to join the dots and work out your date of birth and other details which, in the wrong hands, can be used for all manner of illicit purposes.

Our increasing reliance on our mobile devices and our demand for convenience and speed is forcing more and more institutions to offer phone-based and online identity verification, instantly adding a new vulnerability point into the mix.

The ‘tap and go’ world we live in also creates a new risk to protect against, with the RFID chips embedded in our cards, and even our passports, easily read by cheap scanning devices (which explains the growing popularity of RFID safe wallets and document holders).

What can criminals do once they have stolen an identity?

Committing financial fraud is the aim of most identity thieves. Once someone has your identity they can:

  • apply for a credit card, bank account or other financial service
  • set up a mobile phone account
  • access your email accounts
  • run up credit card debts or obtain loans (and destroy a person’s credit rating by defaulting)
  • apply for identification vehicles such as a birth certificate, driver’s licence or even a passport
  • access superannuation and other savings; and
  • apply for Centrelink benefits.

A more complete form of identity theft occurs when the perpetrator actually abandons their own identity – for a variety of reasons – and attempts to use the stolen one to create new lives for themselves. Scarily, this can sometimes take a long time to detect.

Tips to help your clients protect themselves from identity theft

Tips to share with your clients include:

  • put a lock on their letterbox and clear it regularly
  • keep personal and financial papers secure, and shred when no longer required
  • ensure that virus and security software on computers and mobile devices is up to date – new threats emerge daily, so currency is important
  • set up two factor authentication across those accounts and services that offer it
  • don’t use the same PIN and password across all cards and websites
  • don’t use unsecured (e.g., free public) Wi-Fi for internet banking or financial transactions
  • never respond to scam or phishing emails (or robocalls) promising huge rewards for information or punitive actions for non-response
  • regularly review financial statements and report unauthorised transactions immediately
  • make sure to regularly check your credit file online (for free) and monitor it for suspicious activity
  • download the myGov Authenticator app and connect it to your account
  • set up a voice-biometric ID and additional secret question with the Australian Tax Office
  • always use the most secure settings on social media sites and never accept unsolicited ‘friend’ requests
  • avoid publicising your date of birth, and think twice before providing it to any company/institution you don’t know and trust
  • if starting a new job, only provide your TFN to the new employer once you have commenced – the ATO warns of employment scams that seek to access TFNs
  • if you are travelling, or just extra conscious of the risks around RFID data theft, you can protect your cards in special wallets, usually made of aluminium or some other material that blocks signals.

FSC/FPA Guidance around customer identity verification

Financial Advisers are often a ‘first line of defence’ in verifying the identity of an individual, whether that be when setting up new products, or transacting or cancelling existing products. Robust verification is obviously a key plank in reducing the risk of identity theft.

As such, Advisers must ensure they have robust identity verification processes – ‘know your client’ (KYC) – in place for all types of customer interactions.

For the purposes of establishing new accounts, the FSC Guidance note 24 – ‘Managing AML/CTF, FATCA and CRS Customer Identification Obligations’ – is particularly relevant.

This Guidance Note[7] aims to encourage the use of a common set of processes and procedures by FSC and FPA members to perform a customer identification/due diligence procedure that meets AML/CTF, FATCA and CRS requirements.

The Guidance note explains the type of information that must be collected depending on the nature of the service being provided and the type of entity it is being provided to (individual, sole trader, partnerships etc). It also explains the circumstances when product issuers can rely on the verification process performed by advisers, and when re-verification may be required.

The note also provides guidance around practical points such as record keeping, and what information they are not required or permitted to share with product issuers.

APRA and ASIC on provision of SOAs to superannuation funds.

One current narrative playing out with regards to customer information sharing is that around the requests by superannuation fund trustees to confirm the scope of advice, for the purposes of approving fee deductions.

APRA and ASIC have urged trustees to not solely rely on the signed fee consent forms advisers need to provide from July 1, 2021, but to also keep an eye on SOAs and related documents as part of their “trustee oversight practices” to make sure fee deductions are appropriate.

However, amidst concerns about the level of personal sensitive information contained in an SOA, one legal expert has said that, whilst the practice of requesting SOAs goes back to the sole purpose test, trustees should generally have no real need to review the whole SOA.

“What trustees need to check is the adviser’s name, the client’s name and the scope of the advice,” Simon Carrodus said.  “That information will usually be contained in the first two or three pages. The rest of the SOA can be removed or redacted. Trustees don’t need to see the whole SOA.”[8]

The future of identity protection and verification is digital

On 1 October 2021, amidst the COVID-driven shift to online, the Federal Government released the exposure draft of the Trusted Digital Identity Bill 2021, designed to improve the way Australians are able to verify their identity when accessing online services[9].

The Bill expands upon the Trusted Digital Identity Framework established by the Government in 2015.

The Bill has two main aims:

  • to simplify the process of proving and verifying the identities of individuals online whilst protecting their privacy and the security of their personal information, and
  • to introduce a secure and trustworthy digital identity system that will facilitate the expansion of Australia’s digital economy.

Whilst the legislation has yet to be passed, there is no doubt it will encourage the entry of new digital verification services into the market, adding to those already available.

In financial services, identity verification is an area of heightened focus. In a recent survey[10] of financial institutions, fifty-three per cent said that gaps in identity verification processes were inhibiting their digital growth. 70 per cent said they believed faster KYC and straight through processing during digital onboarding would provide competitive differentiation.

We are slowly seeing the adoption of digital based identity verification spread throughout the financial sector, in areas including banking, personal lending, and even life insurance, with market leader TAL introducing their Green ID service[11]. This platform allows the insurer to verify a client’s identity against reliable and trustworthy data sources in real-time, resulting in a quicker and easier experience at claim time as it eliminates the need for clients to send in certified identification documents.

What should you do if your client is a victim of identity theft?

Notwithstanding those advisers who believe it’s not their place to get involved in this area, the reality is that you could be one of the first to know identity theft has taken place, either when viewing your client’s accounts or statements, or because you’re the one they call first for matters like this.

If your client is a victim of identity theft, it’s important to act quickly. While the extent and nature of the theft will dictate specific action, it’s important that these first steps are taken by your client and documented for future reference:

  • contact all financial institutions – highlight disputed transactions, change PINs and passwords, and discuss whether other account changes are required
  • report the matter to the police with as much documented evidence as possible
  • contact all three Credit Agencies (Experian, Equifax and Illion) to request a block on their credit files; this will mean no credit applications can be made until after the matter is resolved and the block lifted (if the damage is already done, they may need to use the services of a credit repair specialist)
  • contact any other Federal agencies such as the ATO, Centrelink, and the Australian Passport Office and state agencies such as the Motor Registry.

If your clients aren’t sure that their online security practices are adequate, you can get them to take the ATO’s online self-assessment, which covers business and personal security practices.

Importantly, you need to discuss this issue with your clients

Whilst it may be tempting – and legitimate – to decide this issue is not really a financial adviser’s responsibility, it is undeniably an area where your clients can be exposed to financial risk. Those advisers who get on the front foot and discuss this issue with clients, helping them protect themselves from harm and assisting them recover if they do fall victim to an identity thief, are likely to be rewarded with increased trust and loyalty.


Take the FPA accredited quiz to earn 0.5 CPD hour:





[1] https://www.savings.com.au/news/identity-theft-rises-over-500-august
[2] https://www.canstar.com.au/credit-score/identity-theft/
[3] https://www.savings.com.au/news/identity-theft-rises-over-500-august
[4] https://www.scamwatch.gov.au/get-help/real-life-stories/scam-victims-tell-us-their-stories/identity-theft-i-lost-6028-when-scammers-stole-my-identity
[5] https://www.professionalplanner.com.au/2014/07/financial-advisers-and-identity-theft-new-research-reveals-divided-adviser-community/
[6] https://www.sec.gov/news/press-release/2013-2013-57htm
[7] https://www.fsc.org.au/web-page-resources/fsc-guidance-notes/1531-24gn-fsc-fpa-aml-fatca-and-crs-guidance
[8] https://www.professionalplanner.com.au/2021/07/check-soas-as-well-as-consent-forms-regulators-tell-trustees/
[9] https://www.digitalidentity.gov.au/sites/default/files/2021-09/Trusted%20Digital%20Identity%20Bill%202021%20exposure%20draft.pdf
[10] https://www.rfigroup.com/australian-banking-and-finance/news/future-identity-verification-building-customer-digital-trust-simply-and-seamlessly
[11] https://adviser.tal.com.au/latest-news/the-simple-process-to-verify-your-client
