A Proposed Customer Identification Program And Privacy Concerns

Cody Shultz 25 September 2024

A difficult balance must be struck between complying with laws aimed at foiling money launderers and those aimed at protecting legitimate privacy. This article delves into the proposed idea of a Customer Identification Program in the US, and the risks and, possibly, the opportunities it presents.

The following article discusses how a proposed regulation by the Securities and Exchange Commission and Financial Crimes Enforcement Network (FinCEN) may affect privacy for high net worth individuals. The proposed rule requires investment advisors to establish Customer Identification Programs (CIPs), which could lead to sensitive personal information being collected and stored for regulatory purposes.
 
In particular, the article looks at the balance advisors must maintain between complying with anti-money laundering and counterterrorism financing rules and safeguarding the privacy of HNW individuals. This balance remains a constant issue for the world’s wealth industry. The article also highlights potential risks, such as cybercriminals exploiting centralized data, AI voice cloning, and deepfake scams, making privacy protection even more critical for these individuals. 

The article, by Cody Shultz, senior director of Guidepost Solutions, offers practical advice for HNW individuals, urging them to understand how their data is managed and suggesting methods to reduce their digital footprint. It also touches on tax-related considerations for privacy-enhancing measures. The editors are pleased to share these ideas; the usual editorial disclaimers apply to views of guest writers. If you wish to respond, email tom.burroughes@wealthbriefing.com.

In May 2024, the Securities and Exchange Commission and the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) jointly proposed a new rule that would require SEC-registered investment advisers (RIAs) and exempt reporting advisors (ERAs) to establish, document, and maintain written customer identification programs (CIPs). The proposal is designed to prevent illicit finance activity involving the customers of investment advisors by strengthening the anti-money laundering and countering the financing of terrorism framework for the investment advisor sector. 

Essentially, this means that advisors will be required to take reasonable and practicable measures to verify their clients' identity. Implicit in this requirement is the necessity of storing the information in case of an inquiry from government officials. Given the premium high net worth individuals place on privacy, there is now a balancing act for advisors to keep clients happy while also not running foul of regulators. Likewise, an HNW individual must assess if requests from advisors are reasonable and fully understand how their personally identifiable information (PII) is kept private. 

This is particularly important when assets are held across several financial institutions, which may have different interpretations of what they consider “reasonable and practicable.”

More specifically, HNW individuals should educate themselves on how their PII is used, stored, and accessed. Ensure that you can answer these types of questions:

-- Where and how will advisors store your PII?
-- Do you have a right to delete your records? 
-- Does the advisor’s cell phone contain your full name, address, birth date, or other PII? 
-- What happens if that cell phone is lost or misplaced? 
-- Who within the advisor’s organization will have access to your PII? 
-- How will access be audited, and who is responsible for responding to unauthorized attempts to access your PII?
-- If your advisor changes over the course of the relationship, who is responsible for ensuring that the previous advisor no longer has access to your PII?
-- What remedies are available if your PII is stolen or improperly accessed?
-- How long after such a breach will you be informed?
-- Are you only informed if a breach is confirmed, or will an alert come earlier if a breach is suspected?

While all these questions are awaiting answers, another group of people will be eagerly watching.

For criminals, this proposal (and the uncertainty surrounding it) is a great idea, because it centralizes the location for identifying new victims from the HNW demographic. In previous years, the bad guys used to check media reports to identify the richest people in a particular state or city. Consider this list of the richest person in each state, with their photo, city of residence, and estimated net worth. Yet when reviewing, for example, the “50 Wealthiest People in Philadelphia,” criminals would not target those at the top, even though they had greater wealth, but rather focus on those occupying the lower half of the list. Why? Those lower on the list have significantly fewer security protections, if not an outright absence of them.

In a 2023 study released by CapGemini, the US saw those classified as HNW individuals grow by more than 7 per cent with a total number now around 7.5 million individuals. But where is this growth coming from? According to USA Today, non-traditional methods used by entrepreneurs to generate wealth include computer parts refurbishing, social work, and selling ice cream in neighborhoods with a fleet of trucks. The bad guys make the right assumption that those who have recently come into wealth, especially significant wealth, are not likely to consider their personal privacy and the new vulnerabilities created by that wealth. 

Relatedly, FINRA also released an article on how the bad guys are impersonating legitimate broker-dealers on social media platforms. While John Doe at Acme Bank may be a real advisor at the bank, the person clients are talking to on Facebook with an “exclusive stock investment group” is not. 

Even if an HNW individual already has an advisor, extra caution is warranted as AI voice cloning becomes significantly easier to deploy. Digital Trends comments on the AI version of Al Michaels developed by NBCUniversal which provided highlights for the Paris Olympics. Consider the consequences of taking a call from someone who sounds exactly like your financial advisor but is not. Do you have safeguards in place to mitigate this risk?

So, what can you do about it?

As always, knowledge is the primary mitigator, and being aware of emerging methods that criminals use to target HNW individuals is a significant step. Consider signing up for the Cybersecurity and Infrastructure Security Agency's free newsletter or following this US government agency on Twitter/X (@CISACyber). Another good resource is the website of former investigative journalist Brian Krebs, who discusses cybersecurity news regularly.

Finally, make it a habit to do monthly searches of your name and company across various social media networks. This can be automated to some degree with Google Alerts, but it is a best practice to complement this with manual searching to be aware of any emerging impersonation attempts.

The significant consequences for not being prepared are no longer hypothetical. Most famously, Arup, the design and engineering firm behind the Sydney Opera House, was targeted by criminals when a finance employee was tricked by scammers over a week-long period. The employee made 15 bank transfers totaling more than $25 million. He was duped, in part, due to AI-generated deepfakes of the company’s chief financial officer and other staff that appeared on a video conference call. 

Less sophisticated attacks are getting a modern technological twist as deepfake sextortion grows more commonplace. Criminals will connect with a user on a dating app, and after exchanging photos, create a deepfake image of the victim on a nude body and threaten to share it with their family and friends unless a small ransom is paid.

To personalize your level of risk, conduct a digital vulnerability assessment to understand the universe of information that is available about you on the internet and deep/dark web. Even if you take steps to minimize the information you share online, or fully distance yourself from any form of social media, everyone has that one family member who posts way too much information on Facebook. 

One recent example involved a family where the wife’s mother had shared a photo of her and the two grandkids in the client’s kitchen making cupcakes. Publicly shared, in the background of this photo was a paper from the children’s private school hung on the refrigerator. The paper included the name of the school, its address, the pick-up and drop-off times for the kids, and the kids’ names. In another case, a private art transaction was made public, after a client had purchased a painting from an intermediary using Venmo as the payment method with a description of the piece as the note. As Venmo transactions are public by default, it was simple to determine when the art was purchased, and from whom.

The bottom line

Most everyone these days has been involved in a data breach, but few understand what exactly was taken and just where that information is floating around. If your information is compromised, rarely is your entire data set available in one location, but savvy criminals can cobble together a digital profile from multiple locations, quite often including publicly shared information on social media pages.

Once you know what pieces of your identity are exposed online, you can take steps to mitigate those leaks through an opt-out program. This way, if a bad guy decides to target the HNW individual holding spot #47 on the Topeka, Kansas most wealthy list, and that individual has significantly reduced their online profile, it cripples the criminal's ability to commit identity theft. Since it takes a bit of effort, the criminal will just move on to #48. Practical low-effort solutions include not using your name as your email address. If johnsmith@gmail.com is involved in a data breach, it’s a decent guess that it belongs to John Smith. However, if you use a randomly generated username such as WesternNomad388, it adds another layer of difficulty to unmasking who is behind the account.

Similarly, recognize when you are required to put your real information into an online profile. When signing up for an airline frequent flyer program, the Transportation Security Administration (TSA) will certainly need your true name. However, consider your Amazon account. Won’t your packages still get delivered even if a different name is on the label?

Finally, as a bit of good news, this entire exercise may be part of a possible tax-deductible fringe benefit* for an HNW individual’s business under Title 26 CFR § 1.132-5 for an Independent Security Study. This type of study is performed by an independent security consultant to determine whether there exists a business-oriented security concern based on objective facts and circumstances regarding the safety of the executive. Implementing the consultant’s recommendations may reduce tax liabilities and operational costs, as well as providing privacy and security for executives and their families at their home and principal place of business. 

*This material is not intended as tax advice and has been prepared for informational purposes only. You should consult your own tax advisors before engaging in any transactions.
