An RIA’s poor compliance procedures let hackers steal $290,000 of client funds
Financial advisers who aren’t prepared to defend against client spoofing attacks not only stand to lose client funds, but also face steep penalties from regulators.
FPPad readers have known since April 2012 that hackers are targeting financial advisers, masquerading as clients via email in a ruse to steal client funds.
Go read Why advisers can’t trust their clients anymore for a refresher of what spoofing attacks are and steps to defend them.
Spoofing Strikes Again
This week, several of the industry trade magazines broke the story about GW & Wade, a registered investment adviser based in Wellesley, Mass., regarding how hackers were able to steal $290,000 of client funds from the company. See RIA Fined By SEC After Hacker Uses E-Mails To Steal Client Funds from Financial Advisor magazine and SEC Sanctions 3 RIAs for Custody Rule Violations from Financial Planning magazine.
The lapse in compliance policies and procedures at the company also resulted in a civil penalty assessed by the SEC in the amount of $250,000.
Full details of the SEC Administrative Proceeding can be viewed here (opens a PDF in a new window).
Hackers Target Advisers
Hackers continue to target investment advisers because they’re the ones with the ability to direct fund transfers.
Solo advisers might not fall victim to a client spoofing attack so easily because they may detect right away that something about the client’s communication is just “not right.”
But when the same attack is deployed in a multi-billion dollar RIA with dozens of administrative employees, hackers have much better odds of success.
Convenience Creates Risk
Once again, according to the Administrative Proceeding, GW & Wade had hundreds of blank Letters of Authorization (“LOAs”) forms on file with only client signatures.
Only after a request was received would the company fill in the pertinent details on a pre-signed LOA and route it for processing.
The convenience of pre-signed LOA forms decreased the chances the company would suspect something wasn’t right with a client wire request. Instead of verifying the authenticity of the request, the company simply routed the pre-signed LOA forms with wire instructions included.
Although, one could argue that if GW & Wade DID try to obtain a client signature via email, following the spoofed client’s instructions, the attack still would have succeeded.
So assume for a moment that no pre-signed LOA forms existed, GW & Wade likely still would have fallen prey to client spoofing because the company would have tried to obtain a client signature via email. The hacker likely would have quickly complied using a signature cut and pasted from another document in the hacked email account.
Clearly, a separate factor of authentication is required to properly authenticate wire requests from clients (a secret phrase, a video chat, Why advisers can’t trust their clients anymore has more details).
Calculating Fees With Spreadsheets Is Hard
Also buried in the Administrative Proceeding is a note about excess fees charged by GW & Wade.
Allegedly since January 1, 2005, the company failed to exclude mutual fund class C share holdings in assets subject to the company’s advisory fee schedule.
The company likely was already receiving 12b-1 fees from the C share holdings, but evidently was “double dipping” by charging the firm’s advisory fee on the same C shares once again.
I have no additional details on the matter, but let’s assume that advisory fees were calculated using a spreadsheet loaded with the value of client holdings for each quarter.
If that spreadsheet isn’t designed to specifically recognize C share mutual fund holdings (which, quite frankly, opens up a Pandora’s box of trouble on its own) and exclude them from the advisory fee calculation, then it’s far too easy to roll up those C share holdings among all the other assets and calculate the fee due.
For GW & Wade, the company now has one year to reimburse in full every client affected by the excess advisory fees charged. That means going back over more than eight years of billing history to determine what the amount of excess fee was charged to each client, quarter by quarter, and credit each client accordingly. That applies to both current and former clients!
So for former clients, how many of you retain holding balances and pricing information indefinitely?
Talk about a huge big data challenge.
A story from New York Times personal finance columnist Ron Lieber quickly traveled through the Twitter universe and landed in my inbox. Lieber is a client of NAPFA-member 
