Protecting Elderly Clients From Financial Abuse

Sources offer lessons learned from thousands of potential elder abuse investigations, highlighting red flags and revealing the harm that can befall clients; for example, those victimized by a loved one lose nearly three times as much on average to fraud or theft as those victimized by a stranger.

Art by SHOUT


Since AIG launched its Elder and Vulnerable Client Care Unit in 2016, its leader, Michele Kryger, says she has looked at thousands of potential elder financial abuse cases, with the number of such cases increasing by about 30% per year.

Those cases range from outright fraud or investment scams targeting the elderly to caretakers persuading their elderly charges to make financial decisions against their own self-interest. In other cases, family members might abuse their power of attorney. In fact, in 60% of cases, the perpetrator is someone who knows the client, Kryger says.


Kryger’s experience reflects a nationwide trend that financial advisers and plan advisers are increasingly seeing. An analysis by the Consumer Financial Protection Bureau found that financial institutions reported $6 billion in losses or attempted losses due to suspicious activity on seniors’ accounts from 2013 to 2017, the most recent period for which figures are available. The analysis suggests the annual losses increased substantially every year in that time frame.

The agency estimated the average loss for victims at more than $34,000, and those victimized by someone they knew lost nearly three times as much as when the perpetrator was a stranger. Some experts say the actual amount lost is likely much higher than the average figure, given that many victims opt not to report their losses, either because they are embarrassed or because they want to protect the person who harmed them.

“We have had clients ask us not to tell their children that they were a victim of financial abuse because they don’t want them to know,” Kryger says.

A 2018 report by the Securities and Exchange Commission (SEC) suggested elder financial abuse will likely continue to get worse as an aging, wealthy population begins to experience cognitive decline, which can make them much more vulnerable. While there isn’t strong data available yet on the rise or fall of financial abuse during the COVID-19 pandemic, some experts believe the increased isolation may have made some elderly clients more vulnerable to financial exploitation.

“Any time you have folks holed up and isolated, especially seniors whose family isn’t allowed to visit and who can’t go and see their professionals, you’re going to see an increase in scams,” says Liz Loewy, co-founder and chief operating officer (COO) at EverSafe, a financial wellness platform for seniors and caregivers. “The fraudsters know that, and they take advantage of it.”

Often, financial advisers are the frontline workers when it comes to preventing, identifying and reporting elder financial abuse or exploitation.

“Financial advisers can often see the symptoms of abuse before anyone else, and they can also help identify cognitive decline, even before family members,” says Ryan Bertrand, vice president and managing director of advanced markets at Transamerica. “While [clients] might avoid certain situations in their everyday lives, there are necessary conversations that they have with a financial adviser that can expose cognitive impairment.”

Spotting Red Flags

Elderly clients are vulnerable to fraudulent schemes in which unknown criminals swindle them out of their money, as well as to situations in which individuals in their trusted inner circle, such as friends or family members, exploit them financially. Financial advisers must remain alert for signs of both issues. Specifically, sources mentioned the following red flags:

  • Sudden changes to banking habits or actions that are contrary to goals previously discussed. This can be an indication that a schemer has convinced the client to take financial actions that are not in their best interest, especially if they’re not able to explain the changes.
  • A change in power of attorney or the addition of a new person to a joint account. While this can be a sign of smart estate planning, it’s also an opportunity for individuals to gain significant financial power that they can more easily abuse.
  • A new person who moves in with the client or suddenly becomes involved in their personal life. Romance schemes, in which a supposed love interest takes advantage of seniors, have become increasingly common, but family members who take a sudden interest in a grandparent or other elderly relative also require added scrutiny.

Jeffrey Sharp, principal at SilverStone Group, a Hub International company, says he has previously gotten phone calls from a child, niece or nephew of a client, saying, “‘I am handling Mom’s affairs now. She’s out of money, and we need $10,000 transferred to pay some bills.’”

“Immediately, a red flag goes up,” Sharp says. “You really need to have a healthy dose of skepticism as an adviser when you start getting calls from third parties.”

Taking Action

Registered investment advisers (RIAs) who believe a client is being exploited or scammed have an ethical obligation to act, as well as a legal obligation to do so in most states. Depending on the circumstances, that typically begins with a phone call to the firm’s compliance or legal department for guidance on next steps, Bertrand says.

“Compliance departments usually have a prescribed list of what should occur when dealing with clients in this situation,” he says.

Many times, a simple phone call or conversation with the client, or with a trusted contact or other family member with whom the adviser has a relationship, can clear up the matter, he says. If such efforts are not possible or are unsatisfactory, however, advisers may need to reach out to their state’s adult protective services program or to law enforcement.

Those agencies may soon have more resources with which to investigate such cases. The U.S. House of Representatives is considering a new bill, the Elder Justice Reauthorization and Modernization Act of 2021, that would authorize an additional $1.4 billion to state and local adult protective services.

In some cases, advisers may simply need to decline to immediately carry out a client’s request while confirmation (or an investigation) occurs. Depending on the circumstances, the Financial Industry Regulatory Authority (FINRA) allows advisers to put a temporary hold on a client’s account if they believe financial exploitation of that client is taking place.

“Time is the enemy of the thief,” says Judith Kozlowski, a senior fellow at the Women’s Institute for a Secure Retirement and a subject matter expert with the Department of Justice Elder Initiative. “The longer the financial institution can prolong the actual money from leaving the account or the securities from being transferred, the better it is for the person who is being exploited.”

Preventing Potential Problems

In addition to taking swift action when spotting or confirming financial abuse, advisers can also take several steps to ensure their clients don’t become victims of financial abuse in the first place.

“Advisers should pre-plan for a crisis, because you’re not going to get a lot of warning if an aging client does have a problem,” Loewy says. “Cognitive issues can happen almost overnight, and advisers need to be looking at ways to be holistic and get in front of these problems.”

Internally, that requires training advisers on the signs of financial exploitation and establishing a procedure they can follow if they suspect financial abuse. Sources pointed out that, if advisers have been trained by a financial institution on how to spot red flags, they have immunity under the Senior Safe Act when reporting suspected financial abuse of clients.

In relationships with clients, prevention begins with making sure all clients have at least one “trusted contact” on file, experts noted. FINRA began requiring advisers to obtain such information from clients opening new accounts starting in 2017, but advisers should consider reaching out to clients with whom they’ve been working since before that time to add a trusted contact to their file.

In addition to simply having the name of a trusted contact, it can be helpful to build a relationship directly with that person or with others in the client’s family, experts say. That way, if an issue arises, the adviser can call that contact to discuss and resolve it as quickly as possible. In some cases, advisers may suggest that a client’s family members receive read-only copies of financial statements, allowing them to see activity but not to initiate transactions.

Sources also said advisers can work with their clients to educate them on the dangers of elder financial abuse, including by discussing common scams they might see and warning signs that they might be a victim. Making sure clients have a solid estate plan (and referring them to an estate planning lawyer if they don’t) can also thwart scammers.

“Advisers should be diligent about guiding their clients to get their documents, wills and powers of attorney in order,” Kozlowski says. “Even if it’s just going through a checklist in their annual meetings, it’s critical to make sure they have those things done.”

SEC Sanctions Offer New Cybersecurity Guideposts

One former SEC enforcement leader says actions against several advisory firms that allegedly had cybersecurity failures make a clear case for the use of multifactor authentication—but that’s just the beginning of cybersecurity.

The U.S. Securities and Exchange Commission (SEC) recently announced it was levying a series of sanctions against eight registered advisory firms for failures in their cybersecurity policies and procedures.


According to the SEC, the failures led to pernicious “email account takeovers” exposing the personal information of thousands of customers and clients at each firm. The SEC says the eight firms, some of which operate collectively, have agreed to settle the charges, together paying $750,000 to settle the matter without formally admitting fault or wrongdoing.  

The SEC’s order against one of the entities alleges that, between November 2017 and June 2020, cloud-based email accounts of more than 60 firm personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information (PII) of more than 4,000 customers. According to the SEC, none of the taken-over accounts were protected in a manner consistent with the registered firm’s stated policies and procedures.

In a new interview, called to discuss the sanctions and the SEC’s expanding focus on connected issues, two expert attorneys with Baker McKenzie—Peter Chan and Valerie Mirko—say the ball is just getting rolling when it comes to SEC enforcement actions related to cybersecurity failures. Chan is a member of Baker McKenzie’s North American Financial Regulation and Enforcement Practice who spent 20 years working in senior enforcement roles at the SEC, and Valerie Mirko was general counsel at the North American Securities Administrators Association (NASAA) prior to joining Baker McKenzie.

Notable to the dialogue, presented in summary below, is the fact that Chan served as assistant regional director in the SEC’s Chicago regional office, where he led investigations and litigations of high-profile enforcement cases. Additionally, as the head of the Municipal Securities and Public Pensions Unit at the SEC’s Chicago office, he oversaw cases involving municipalities and public pensions throughout the Midwest, including disclosure failures by states, cities and underwriters in municipal bond offerings; pay-to-play and public corruption; and securities fraud victimizing municipalities and public pensions. For her part, Mirko’s prior experience includes providing advice on, among other areas, the SEC Regulation Best Interest (Reg BI) rule set, the fiduciary duty/standards of care, Employee Retirement Income Security Act (ERISA) pre-emption, retail enforcement issues, investment adviser oversight and data privacy.

 

PLANADVISER: Before we examine the SEC’s cybersecurity enforcement, can you both please comment on the agency’s activities during the early days of the Biden administration and under the leadership of the new SEC Chair Gary Gensler?

Peter Chan: So far, we are largely seeing what we expected in terms of elevated enforcement activity. Since Labor Day, in fact, it seems that SEC enforcement actions have picked up even more significantly.

When you think back to the prior administration, there was significant enforcement activity as well, much of it focused on retail investors. Under the new chair, Gary Gensler, I think we have seen the enforcement focus become somewhat stronger, but also broader. Our sense is that the policy focus and boundaries are broadening, for example in terms of cybersecurity, but also in terms of, as another example, reviewing the regulation of digital assets in a potentially very aggressive way. I also think that, as Chair Gensler has mentioned directly, the SEC is not going to shy away from addressing big market structure issues—and using enforcement as opposed to merely guidance to do so.

Valerie Mirko: I agree with that. The SEC’s mission has been pretty stable for the past several administrations, with the focus on protecting retail investors. Of course, there is always some change in the types of enforcement cases that ultimately are pursued.

 

PLANADVISER: What do you make of the SEC’s recent enforcement actions that focused on cybersecurity failures—and, specifically, the use, or lack of use, of multifactor authentication?

Mirko: The three enforcement actions that came out at the end of August have already been coming up a lot in our discussions with clients. One practical takeaway is that the SEC has signaled an expectation that multifactor authentication, or ‘MFA,’ should probably be in place for email accounts operated by registered entities. The assumption is that these are email accounts being operated by people who are likely going to have access to sensitive information, so the SEC believes MFA should be in place as a matter of course.  

In a way, this is a departure from earlier SEC cases, which focused much more on the lack of stated cybersecurity policies and procedures. The current enforcement actions are actually looking closely at the content and execution of the stated procedures. For example, if you say in your procedures that you use MFA and in practice you do not, that is automatically an issue. Or if a firm had a third-party account takeover and it turns out its policy did not address using MFA, that’s a problem.

Chan: I would just add that MFA is expected, we can say, but it’s not enough and it’s not the end of cybersecurity innovation. Both Valerie and I know from prior experience that the SEC, as a regulator, is careful about making absolute policy prescriptions. In this case, there is a strong endorsement of MFA, but the bigger message is that advisers and others who have a duty to protect customer information are expected to evolve and to be fully caught up with the latest type of attacks and the latest type of protection. We need to be careful and note that the SEC is promoting best practices that are currently considered to be reasonable and effective. Three to five years from now, MFA might not be enough, and the SEC’s view on reasonableness will have evolved.

Focusing on the protection of information is the key here. For the SEC to sanction eight firms and to announce it in one press release, it is sending a message. Advisers must be alert to the changing cybersecurity environment.

 

PLANADVISER: Does it make sense for firms to be trendsetters in this area? For example, would a firm want to explore relatively novel security technologies such as voice print authentication or facial recognition?

Chan: I don’t know that I would go as far as recommending any specific technology like voice or face recognition. What we can say is that, from a regulatory hygiene perspective, it is better for the industry as a whole to lead in terms of answering what is the right approach to cybersecurity—versus having the regulators try to do it. That’s the way it should work best. If the SEC sees that the industry as a whole has taken the lead and is taking cybersecurity seriously, there is going to naturally be less incentive to control and dictate. If the whole industry is not moving forward together, it is inviting regulatory intrusion.  

 

PLANADVISER: And can you share any advice or insight for firms that experience a negative cybersecurity event, such as an email breach or a network intrusion?

Mirko: I think the most important thing for firms to do is to not wait until there is a cyber intrusion to put a response plan in place. This means taking the time and resources to do tabletop exercises and simulations, so that you can have various plans in place to be ready for the different types of cyber intrusions that could occur. I will say that, by and large, the industry has been very forward-thinking in this way. The big challenge, of course, is that businesses evolve, and the threats evolve, so it is always hard to game out everything in advance. There needs to be more of a robust plan in place and better internal coordination compared with what happened at the sanctioned firms.  

Chan: ‘Stop the bleeding’ is a piece of guidance that is commonsense but so important. You must figure out what the parameter and scope of the breach is and how to minimize or stop it as soon as possible. This will require having relationships and contacts in place with the right technical resources, attorneys and forensic researchers who you can rely on. You don’t want to spend the first 24 to 48 hours after a major breach asking for names and referrals.

In the recent sanctions, the SEC also cited a failure of adequate and timely disclosures going to clients. Responding to an event like this is not just about informing the regulators. Firms have a duty to tell those who are potential victims what happened, so they will be alert and take steps to protect themselves. By trying to sugarcoat the extent of a breach, you are actually handicapping the client from taking measures to protect themselves.

 

PLANADVISER: Any other important themes or lessons learned you can share?

Chan: Just having written policies and procedures is not enough. The SEC criticized one of the firms for failing to actually follow existing policies that the SEC otherwise found to be sufficient. Firms should review and operationally confirm that their actual practices are consistent with their written cybersecurity policies. Periodic training and awareness initiatives will also help personnel consistently follow firm written cybersecurity policies.

Mirko: Ensure that statements on cybersecurity incidents are timely but also accurate. The SEC faulted one firm for inadequate compliance in connection with inaccurate statements as to when the firm actually discovered the incidents. Finally, the SEC did not specifically say that its regulations require MFA in all cases, but it made clear its expectations that firms should likely have MFA in place, as it is a reasonable approach to thwart phishing, credential stuffing and other modes of attack. Firms should take steps to assess MFA requirements to protect sensitive client and customer information.
