Battling fraud attacks in times of crisis
Marty Burns, Chief Industry Operations Officer at the Investment Company Institute explores how funds have worked diligently to protect shareholder data against attacks and fraudulent activities during the coronavirus pandemic
Fund Operator POSTED ON 11/16/2020 6:03:39 PM
Fund Operator: What operational challenges did the COVID-19 pandemic pose for fund managers and how did fund managers respond to these hurdles?
Marty Burns: In general, the business continuity activity of Investment Company Institute (ICI) members has worked remarkably well.
At the beginning of the global COVID-19 outbreak, members used split workforces and work-from-home (WFH) approaches to manage localized outbreaks in China and other Asian locations.
These initial actions provided a good blueprint for implementing broader staff working arrangements as COVID-19 spread from Asia into other parts of the world, including United States.
Inconsistency in Shelter-In-Place (SIP) orders from state and local governments created confusion about which staff members may access facilities to support system maintenance, data and cybersecurity, and shareholder servicing.
"IT departments dealt successfully with issues ranging from delivery of equipment, to acquiring licenses, to assisting with optimizing internet bandwidth in employees’ homes."
In a letter to Governor Larry Hogan (MD) and Governor Andrew Cuomo (NY), ICI requested that they take the mutual fund industry and providers of critical services to funds into account when imposing their stay-at-home directives.
In short order, aided by guidance from the Department of Homeland Security and statements from the secretary of the Treasury, state and local officials clarified SIP orders designating mutual funds and their critical vendors as essential services, resolving most issues for staff to access facilities.
In order for continuity plans to work as designed, fund complexes made significant efforts to ensure WFH employees had proper equipment, were able to access systems securely, and had an equal level of data security protection as would be provided in member facilities.
IT departments dealt successfully with issues ranging from delivery of equipment, to acquiring licenses, to assisting with optimizing internet bandwidth in employees’ homes.
Although challenging, these issues were addressed effectively with essentially no disruption to shareholder servicing.
Mail and check processing were also concerns. Should a mail facility be closed, a fund may be precluded from accessing mail to process new purchases or other transactions.
"Mail and check processing were also concerns"
Also, if a facility where checks are printed was closed, a fund may be unable to process redemption checks in a timely manner.
Funds carefully managed the situation, nd between the ability of essential employees to access facilities and relief provided by the Securities and Exchange Commission (SEC), mail and check processing has continued without major disruption.
Lastly, business continuity plans previously had not considered long-term remote work arrangements for most staff.
As such, fund complexes made operations adjustments, such as establishing and implementing baselines for monitoring network activity to ensure optimal system performance, in order to meet control, compliance, and shareholder support needs.
Companies are cataloguing and monitoring how the process evolves so that when work returns to facilities, WFH allowances are removed and standard controls are reinstated.
Fund Operator: Were any risks, such as cybersecurity, intensified from the operational pivot during the pandemic, and how did fund managers respond accordingly?
Marty: Cybercriminals work overtime during periods of global crisis. COVID-19 brought a variety of attacks, including network intrusion attempts, email phishing, phone scams, and attacks aimed at the general anxiety people are feeling related to COVID-19.
In response, fund complexes have instituted additional procedures to surveil for unusual network activity and mitigate cyberattacks; are providing additional training reminders to staff to be particularly vigilant for scams and attacks; and have increased the scope of monitoring for fraudulent transactions whether through phone, mail contact, or through the internet.
"Cybercriminals work overtime during periods of global crisis"
ICI plays a leading role in helping the fund industry combat cybercrime.
In recent months, we’ve hosted member forums to share information, common practices, and fraud attempt details in support of member activities combatting cyberattacks and fraudulent activity.
Funds are very aware of and sensitive to the need to protect shareholder data and work diligently to allay any attacks or fraudulent activities.
Fund Operator: What permanent operational changes are fund managers considering in the aftermath of the COVID-19 pandemic?
Marty: Fund complexes will continue to assess how their business continuity plans performed under the COVID-19 event and will determine what adjustments are needed.
It’s important to keep in mind that there is no “one-size-fits-all” solution. Each complex is structured and managed differently, and permanent changes will be determined and implemented at a fund complex level—not necessarily broadly across the industry.
"It’s important to keep in mind that there is no “one-size-fits-all” solution."
Potentially, there will be some common themes, but extensive systemic changes are unlikely.
For example, the pandemic has provided complexes with important experience in successfully managing decentralized staff and many fund complexes are considering whether to make some percentage of staff permanently remote or expand the percentage that are already permanently remote.
Not all funds, however, will see this need, and ultimately those that do will have very different percentages of staff working remotely.
Fund Operator: Are there any regulatory changes that will need to be made in order to allow fund managers to better adapt to the new business environment?
Marty: The ability to deliver information to shareholders electronically, as well as in paper for those shareholders who prefer that option, remains a regulatory priority for ICI.
Social distancing, travel restrictions, and shelter-at-home orders significantly increase the challenges for timely distribution of shareholder information.
"The ability to deliver information to shareholders electronically remains a regulatory priority for ICI."
Although requirements were met during the pandemic thus far, greater regulatory flexibility in the use of electronic distribution could enhance the usefulness of the disclosure for shareholders, reduce potential exposure to pandemic disease for employees of mutual funds and service providers, and modernize delivery alternatives in line with an increasingly digital world.
ICI will continue to advocate for that change to better position the industry to manage evolving shareholder, business, market, and health circumstances.
Fund Operator: What is ICI doing to help its members and the fund industry as a whole through the pandemic and the current economic climate?
Marty: Since the onset of the novel coronavirus, the Institute has facilitated weekly calls with committees to provide updates to members and for members to raise questions and share ideas and successful practices in addressing virus-related challenges.
These calls provided a forum for members and Institute staff to identify issue to raise with SEC staff and to gather information to use in addressing myriad issues with regulators.
The Institute has also maintained its regular schedule of committee meetings by converting to virtual formats supporting broad participation by members.
The weekly calls and virtual meetings will be maintained as long as warranted by the events of the pandemic and into the return-to-work period.
"ICI will continue to work in support of shareholders and fund sponsors to identify additional issues arising from the pandemic"
Institute staff have maintained frequent contact with regulators to seek relief where needed in support of mutual fund coronavirus-related compliance challenges.
For example, the Institute and others advocated for relief on certain transfer agent requirements addressing mailing of shareholder information, fingerprinting of new employees, and processing of shareholder instructions (called turnaround rules), which the SEC granted.
ICI will continue to work in support of shareholders and fund sponsors to identify additional issues arising from the pandemic or the related business circumstances that need attention of regulators.
Get the recent popular stories straight into your inbox