Compliance is one area where wealth management firms can’t afford to take shortcuts. That said, with so many aspects of the business requiring compliance checks, it’s difficult to predict which direction regulators will take during an audit, and thus difficult to assign compliance resources effectively. Predicting where regulators will focus their investigations is like navigating without a map. Based on current security trends and recent events in the wealth management industry, it’s a safe bet that digital signature fraud will be an X on the audit map.
As the COVID-19 pandemic necessitated remote work, wealth firms were compelled to quickly reinforce cybersecurity and processes for protecting sensitive data. Digital signature processes were assumed to be secure. That is, until early 2023, when LPL Financial, one of the largest independent broker/dealers received a $3 million fine after dozens of its brokers were found to have falsified signatures.
It’s easy to understand how wealth firms were lulled into a false sense of security. All popular e-signature platforms tout their security features. The large fine provides a painful reminder that firms shouldn’t risk their reputation—or their clients’ data—on the assumption that the outsourced surveillance of their digital signature security processes has been fully and correctly vetted.
Based on FINRA Regulatory Notice 22-18, firms should have the following policies and procedures in place in advance of a digital signature audit:
- Employee training on the correct usage of digital signature platforms and how to identify potential forgery or other misuse;
- Pre-use checks on all digital signature platforms;
- Supervision of all digital signature platform utilization;
- Review of customer records and transaction data to identify potential digital signature fraud;
- Investigation of any potential instances of digital signature irregularities or issues.
If your firm doesn’t have all of these policies and procedures in place, it’s time to re-evaluate your digital signature process. Otherwise, you could be headed for an expensive and unnecessary penalty for not checking the tech behind the X on your digital forms.
For 2024, it’s even more critical compliance teams understand their firms’ digital signing processes. Among the multitude of areas FINRA scrutinizes, they’ll certainly want to ensure firms have trustworthy signer authentication in place, such as multifactor authentication or ID verification; that compliance process documentation is clear, concise, and up-to-date; and that those processes include methodical surveillance for detecting digital signature fraud red flags, e.g., the same IP address, mobile phone number, and/or email address used to authenticate the digital signature of multiple signing parties.
Because monitoring for digital signature red flags is a critical part of the supervisory system mentioned specifically in RN 22-18, it makes sense to pay particular attention to this aspect of your firm’s compliance posture. Importantly, consultants or subcontractors should include similar auditing capabilities and safeguards.
If you haven’t already, inquire about your firm’s digital signature processes and the compliance policies that govern them to see if they are detailed enough to withstand an audit. If not, there’s no better time than the present to start.
Jay Jumper, President of SIGNiX, a leading provider of secure and compliant digital signature solutions.