Balancing adoption of digital processes and protecting against cybercrime are going to be key areas for financial advice businesses in 2021, says Anthony Rafferty, CEO, Origo
News that the FCA had suffered over 80,000 unsolicited emails a month in the last quarter of 2020, including phishing emails and malware attacks, should have set alarm bells ringing across the financial services industry – if they weren’t doing so already.
Cybercrime attacks have increased substantially since the onset of the coronavirus crisis, as cybercriminals have been taking advantage of the necessity for firms to implement home working as well as the general increased use of online services, to put out a flood of phishing and scam emails, looking to capture individuals’ personal and financial details as well as penetrate companies’ security systems.
Cybercrime is now big business and criminals know that it is easier to get an individual to make a mistake when reading an email than it is to hack a company’s software. Furthermore, the odds are stacked in the cybercriminals’ favour, as they only have to get lucky once to access someone’s email or a business’s system, whereas individuals and companies have to be constantly vigilant against these attacks.
Once a criminal has access to someone’s email they can use it to obtain confidential information and attempt identity fraud. A recent Financial Ombudsman Service (FOS) ruling on an identity fraud is a case in point and serves to highlight the need for advice firms to put in place robust cyber security protection.
The FOS ordered the advice firm in question to reimburse a client who had lost money transferred from her SIPP by the firm, following receipt of an email seemingly from the client but in fact from a fraudster impersonating the client.
While this case dates back to late 2018, attempts at this type of fraud are now not uncommon in the financial advice market. There is plenty of anecdotal evidence of advice firms receiving emails from clients requesting money to be transferred which on investigation are discovered to be an attempt at fraud. More often this is enabled by the criminal gaining access to unsecured emails which often gives them all the information they need to perpetrate a fraud attempt.
A first, simple and effective way for firms to protect themselves and their clients when communicating on financial transactions and confidential information is to employ robust email encryption.
In the type of case ruled on by the Ombudsman, for example, a firm using encrypted email with a challenge question known only to the client could, first, have helped prevent hacking of emails between the client and the firm – which provided the criminal with the details they needed to perpetrate the fraud – and, second, would have ensured that the person communicating with the firm was the client.
At the same time and against this backdrop, there is a very real need for the industry to move forward with digitisation of its processes if it is to be able to deliver the level and quality of service expected by consumers in the age of Amazon Prime.
As this occurs, advice firms are likely to be amongst the first to benefit, as they will not only be able to deliver a faster more efficient service for clients but also achieve cost savings within their businesses.
Arguably, one of the positive effects of the Coronavirus pandemic for many financial services businesses has been to confirm the viability of remote working. The potential to increase efficiencies, reduce costs, increase profitability and improve the wellbeing of employees, has not been lost on leading companies.
Similarly, reducing time-consuming administration tasks through efficient use of technology, as well as reducing costs for a business, also allows staff to be employed in the elements of the business that technology cannot deliver, those that require the human touch. Currently, people buy from people, rather than machines.
Greater integration of systems
That is why one of the key advances I believe we will definitely see this year is the greater integration between the systems of platforms, asset managers, pension providers, adviser back-offices and software, enabling the more effective processing of data between them. We can expect that pre-population of details, account opening, valuations and remuneration, amongst others, will increasingly be things that happen in the background with little or no human intervention, with audited tracking where appropriate, allowing adviser firm staff to focus on delivering quality service to clients.
Review your processes
Another aspect the pandemic has thrown into sharp relief is where the industry’s processes are lagging behind the times. This was brought home to me personally in the past year when instructing a new financial adviser and going through the very manual, inconsistent and paper-based Letter of Authority process.
For the industry to develop and better serve its end customers, it has to embrace digital processes more openly – and sooner rather than later. Digital Letters of Authority and digital signatures are easy examples of where things could be and are being improved, for instance in the greater adoption of digital signatures by platforms and providers during the pandemic.
There is an imperative here. As an industry and as businesses we need to be using technology more effectively to help improve our efficiencies and profitability, whilst employing sensible precautions to protect against those who seek to exploit our vulnerabilities – human and technological – for criminal gain. The good news is that there are solutions coming to or already in the market that make both readily achievable.
There are three steps advice firms can take to help mitigate cybercrime:
- The first step is to understand the risks and where the risks lie in the value chain – is it between providers and advice firms, i.e. are providers and platforms still insisting that advisers send client details in an unsecure manner; or is it between the adviser and the client, such as via unencrypted email?
- Put in place appropriate controls, particularly for inward and outward communications, which will include technology solutions such as system protection and encrypted emails, formal processes and procedures, staff awareness and training.
- Finally, think ahead and be prepared. Have a written policy and instructions for staff to follow where fraud is detected or to manage an attack.