From robo-advisors to digital transactions to straight-through digital processing and onboarding, the wealth management industry is embracing the cyber world we live in today. But knowing who’s who (otherwise known as identity authentication) is the keystone of security—particularly with e-signatures. When you neglect authentication—or even just minimize its importance—you’re raising your risk and vulnerability to an attack. And in an industry where clients expect the utmost security for their personal data, advisors and firms cannot afford to slack off in their security measures.
Consider the cyber hack of the U.S. Office of Personnel Management (OPM), which affected 22 million people, including millions of federal employees with security clearances. This breach put a spotlight on the need to protect personal information like names, addresses and even fingerprints—not just credit card numbers. According to the New York Times, OPM did not employ two-factor authentication, which left the agency vulnerable to a high-tech security breach. And remember the JPMorgan breach where hackers accessed the email addresses and phone numbers of the holders of 83 million household and small business accounts? Same story: no two-factor identity authentication.
In wealth management, the stakes are high. Often, digital documents contain financial and investment information, bank account numbers and other personally identifiable information that, when in the wrong hands, could be destructive to your client.
Yet, that’s not to say that digital documentation should be avoided. In fact, when used correctly, digital processes can actually become more secure than paper-based processes because a good identity authentication strategy—alongside other security tools such as encryption—ensures that only the right people have access to protected documents and data.
There are five primary authentication methods to consider.
With email authentication, the signer clicks on a link in an email to be authenticated. This approach is typically best for low-risk transactions—documents containing information that could easily be found elsewhere, like an online directory. However, it can be paired with another form of authentication to further mitigate risks.
Shared Secret Questions
With shared secret questions, the signer is asked to answer more personal questions chosen by the sender, such as the last four digits of an account number or the signer’s mother’s maiden name. The answers to such questions are usually not found in your wallet, which can be stolen, and so offer a higher level of security and assurance.
With text message (or SMS) identity authentication, the signer receives a text message on their mobile phone with a one-time password to enter before they can view or sign the documents in question. Often, text message authentication is used following another authentication method to add another layer, or second factor, of security.
Know Your Customer (KYC)
When using KYC, signers are prompted to supply their Social Security number and date of birth. If the SSN is valid and matches the DOB, the user is verified. With the many compliance regulations in the financial services industry, this option is worth considering, and it can also be used as a second-factor method.
Knowledge-Based Authentication (KBA)
KBA is the most secure method of authentication and is a best practice when e-signing documents, such as contracts or investment transactions. Like KYC, the signer must identify the last four digits of his Social Security number and date of birth. Once that is verified, the signer then must answer multiple-choice questions based on 30 years of public records information. An example could be, “What make and model of car did you own in 1992?” Once the signer provides the correct answers to four questions, he is authenticated.
Like locks on a door, one factor is safe—but two are safer. Using at least two different methods of authentication, called two-factor authentication, significantly reduces the risk that the wrong people could gain access to your clients’ information.
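To make the text message step concrete, here is an added example (not code from this article or from any e-signature product) of the server-side check behind an SMS one-time password used as a second factor. The class name, the `send_sms` callable, the five-minute lifetime and the three-attempt limit are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window for a code
MAX_ATTEMPTS = 3       # assumed number of guesses allowed per code


class SmsOtpGate:
    """Second-factor gate: a signer who already passed a first check
    (for example the emailed link) must also enter a code sent by SMS."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # hypothetical SMS gateway callable
        self._clock = clock
        self._pending = {}         # session -> [salt, digest, expiry, attempts left]

    @staticmethod
    def _digest(salt, code):
        # Keeps the clear-text code out of storage. Six digits are still
        # guessable offline, so expiry and the attempt cap do the real work.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, session_id, phone):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        salt = secrets.token_bytes(16)
        self._pending[session_id] = [salt, self._digest(salt, code),
                                     self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your signing code is {code}")

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False           # nothing issued, or already used up
        salt, digest, expires, attempts_left = entry
        if self._clock() > expires or attempts_left <= 0:
            del self._pending[session_id]
            return False
        entry[3] -= 1              # count this guess before comparing
        ok = hmac.compare_digest(digest, self._digest(salt, submitted))
        if ok or entry[3] == 0:
            del self._pending[session_id]  # single use, or locked out
        return ok


if __name__ == "__main__":
    outbox = []                    # constructed stand-in for an SMS gateway
    gate = SmsOtpGate(lambda phone, text: outbox.append(text))
    gate.issue("session-1", "+15555550100")  # constructed phone number
    print(gate.verify("session-1", outbox[-1].split()[-1]))
```

The document is released to the signer only when `verify` returns `True`; a correct code that arrives late, is replayed, or follows too many wrong guesses is rejected.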
When deciding which method to use, consider the possible outcomes if the information within your digital documents were compromised, and then plan accordingly. More likely than not, it will be the higher levels of authentication that make the most sense for your practice.