PwC discusses Protecting Elderly Customers: CFPB and FINRA Step In

The Consumer Financial Protection Bureau (CFPB) released recommendations in March for how banks and credit unions can better protect elderly customers from financial exploitation. The CFPB issued its recommendations as the elderly population continues to rapidly grow, positioning banks and credit unions for a significant increase in elder financial exploitation (EFE) attacks.[1]

Other regulatory bodies have taken notice of this growing threat as well and are putting forth regulations and guidance of their own. For example, the Financial Industry Regulatory Authority (FINRA) last year proposed a regulation requiring broker-dealers to take action in response to suspected EFE.

EFE is a form of fraud in which perpetrators exploit common vulnerabilities in the elderly (e.g., cognitive impairment, lack of familiarity with technology) to, for example, take over their bank accounts or misappropriate their funds. Many perpetrators of EFE are family members or familial associates (e.g., caregivers) of the elderly victim. Others include employees at financial services (FS) firms, such as financial advisors that manipulate elderly customers into making high commission investments that are against their best interest.

To protect elderly customers from EFE, the CFPB recommends that banks and credit unions implement predictive analytics to detect suspicious activity that could indicate EFE (e.g., adding additional authorized users to accounts) and offer enhanced protection services to elderly clients (e.g., withdrawal limits). Meanwhile, FINRA’s proposed regulation focuses on tactical steps that broker-dealers should take if there is suspicion of EFE, requiring these firms to make efforts to reach out to a trusted third party, and allowing such firms to place temporary holds on potentially compromised accounts.

Because of the rapid growth of the elderly population and the increased regulatory focus on EFE, we recommend that all FS firms go beyond regulatory guidance and take several additional steps to protect elderly customers against exploitation. For example, FS firms should improve authentication controls to prevent fraudsters from hijacking the accounts of elderly customers.[2] Additionally, FS firms should strengthen their code of conduct to prohibit employees from taking unethical actions to exploit elderly customers, and enhance internal monitoring to ensure that employees are following the code of conduct. Finally, FS firms should include EFE as a formal part of their fraud risk assessments[3] to properly allocate resources to detect and prevent this form of fraud.

This post discusses how EFE is perpetrated, analyzes the regulatory response to the growing threat of EFE, and provides our view on what FS firms should be doing now.

What is EFE?

Perpetrators of EFE exploit vulnerabilities commonly found in the elderly to commit fraud. The elderly are particularly vulnerable targets of fraud as they are more likely to suffer from diminished mental capacity and lack familiarity with technology. Additionally, the elderly are attractive targets as they are more likely to have good credit, equity in their home, steady income streams consisting of pensions and Social Security, and a “nest egg” from a lifetime of wealth accumulation.

Approximately 90% of perpetrators of EFE are people that elderly victims trust, such as family members, financial advisors, caregivers, and even religious leaders. These perpetrators often misuse power of attorney (given to them to handle the victim’s finances) to misappropriate the elderly customer’s funds. Furthermore, financial advisors may commit internal fraud by manipulating elderly customers into making high commission investments that are against their best interest, and caregivers often overcharge elderly victims for services or ask the elderly victim to sign falsified timesheets.

Regulatory action

As the threat of EFE continues to grow, we have seen the CFPB, FINRA, and other regulators[4] take action to protect elderly customers. Both the CFPB’s recommendations and FINRA’s proposed regulation cover policies and procedures around training, reporting,[5] compliance, and record retention for EFE. However, the CFPB’s recommendations focus on best practices for banks and credit unions to prevent and detect EFE, while FINRA’s proposal focuses on ways that broker-dealers can respond to potential EFE attacks.

While the CFPB’s recommendations are voluntary best practices (and not requirements), banks and credit unions that do not implement a robust EFE program could be targeted by the CFPB for engaging in unfair, deceptive, or abusive acts or practices (UDAAP). The CFPB’s recommendations include:

  • Implement automated fraud detection systems and predictive analytics to better detect behavior that could indicate EFE.[6]
  • Expedite documentation requests for investigations related to financial exploitation, and develop relationships with Adult Protective Services (APS) and law enforcement to assist with investigations.
  • Offer enhanced protection services to elderly customers, such as withdrawal limits and alerts for account activity.
  • Educate elderly account holders, caregivers, and the public on EFE through educational programs and distribution of materials.

Meanwhile, FINRA’s proposed regulation focuses on ways that broker-dealers can respond to suspected EFE attacks. The proposed regulation requires that broker-dealers make reasonable efforts to encourage their elderly customers to appoint a trusted contact person. This contact person will often be a child that is both financially savvy and trustworthy. If the broker-dealer suspects or detects EFE, they should reach out to the trusted contact person for assistance in protecting the account holder’s assets.

Additionally, the proposed regulation gives authority to qualified persons (i.e., employees that serve in a supervisory, compliance, or legal capacity related to the elderly customer’s account) to place a temporary 15 day hold on disbursements of funds if they suspect EFE. During that 15 day period, the broker-dealer or investment advisor must launch an internal investigation to determine whether EFE has occurred.

What should FS firms be doing now?

Comply with regulatory guidance

FS firms should be proactively preparing for the rapid increase in the elderly population and accompanying fraud risks. To start, FS firms should meet CFPB, FINRA, and other regulatory guidance. Steps to do so include:

Train employees on how to spot EFE

FS firms should provide training for employees (especially those who interact with elderly customers) on how to detect EFE. These employees should know how to spot red flags that indicate an elderly customer may be acting under duress or intimidation, such as evidence that the elderly customer is being coached (e.g., a voice in the background giving instructions) or evidence that the elderly customer has been physically abused. Employees should know when, how, and to which parties these red flags should be reported.

Implement a predictive analytics program to detect EFE

FS firms should use predictive analytics to detect suspicious activity and block potentially fraudulent transactions (as recommended by the CFPB). Predictive analytics uses algorithms to monitor customer activity for signs of fraud. Because elderly customers’ patterns of activity may differ from general account holders, FS firms should include behavioral analytics (to detect deviations from individual customer’s behavior) and customer segmentation analysis (to capture the behavioral patterns of elderly customers and detect deviations from such patterns) in their predictive analytics program.

Appoint a trusted contact person

A trusted contact person should have regular access to a computer, smartphone, or tablet, check email often, be reachable by telephone, and have a home address. FS firms should grant trusted contact persons read-only access to accounts, copy them on certain correspondence such as fraud awareness literature, alert them of account changes or dormancy, and contact them in the event of suspicious activity (so long as the trusted contact person is not believed to be involved in the suspicious activity).

Incorporate EFE into the compliance program

FS firms should be aware of relevant state securities laws that provide protections for elderly customers and update their compliance programs accordingly. Additionally, FS firms should consider designating elderly customers as a vulnerable population in their Fair and Responsible Banking Program.[7]

Develop an enhanced EFE fraud program

FS firms should not treat their EFE protections as a check-the-box compliance exercise. As regulators increase their focus on protecting elderly customers, we expect more regulatory developments in this area. To prepare for increased regulation – and to better protect their customers – FS firms should go beyond existing regulatory guidance and implement an EFE fraud program (or enhance their current EFE fraud program). Implementing such a program requires the following steps:

Strengthen the code of conduct

By strengthening the code of conduct, FS firms can take important steps toward protecting their elderly customers from internal EFE and set a precedent for action against any would-be internal fraudster.

Fiduciary appointments: FS firms should prohibit employees from acting as a personal fiduciary of any customer account without the express written consent of Human Resources, Corporate Compliance, or the head of the employee’s business line.

Accepting inheritances: Employees and their immediate family members should be prohibited from accepting an inheritance from a customer unless the customer is a family member or personal friend whose relationship with the employee was established apart from their employment with the FS firm. If a customer names an employee as a beneficiary, employees should contact Human Resources or Corporate Compliance.

Responsible sales activities: The code of conduct should include language that expressly prohibits unethical sales activities. For example, unethical financial advisors might pressure elderly customers into selling their existing annuities and moving to other annuities long before the surrender charge schedule ends, restarting the surrender charge schedule clock with the new annuity.[8] The unethical financial advisor would also collect commissions and fees on the move to the new annuity.

Additional examples of unethical sales activities include records falsification, falsifying applications or other customer documents, forgery, commissions churning (i.e., excessive buying and selling of securities in a customer’s account to generate commissions and fees that benefit the broker), and product slamming (i.e., adding costly add-ons to a customer’s account, often without the customer’s consent).

Personal finances: The code of conduct should explicitly prohibit employees from participating in financial transactions with customers and borrowing money from elderly customers. Consequences for violations must be clearly spelled out and should include disciplinary action (including termination) as well as potential civil and criminal penalties against the employee. Every employee should be required to sign an acknowledgment of receipt of the code of conduct.

Monitor for internal suspicious activity

To enforce the strengthened code of conduct, FS firms must build a strong internal monitoring program by installing software to monitor emails and internet activity, recording phone calls, and enforcing records retention policies throughout the organization. The internal monitoring program should be clearly communicated to employees.

Additionally, broker-dealers should implement transaction monitoring systems that raise alerts when elderly customers are moved or rolled over into different products, especially high fee or high commission products that may not be in the best interest of the customer.

Finally, fraud reporting hotlines should be made available to customers so that they may report potentially fraudulent or unethical behavior on the part of employees.

Integrate EFE into fraud risk assessments

FS firms should integrate EFE into their fraud risk assessments. This will allow FS firms to provide leadership with the information necessary to understand the magnitude of the threat of EFE, adjust controls and processes accordingly, and properly allocate resources to combat EFE.

Implement multi-factor authentication

Robust authentication controls are necessary to protect against fraudsters accessing the accounts of elderly customers. FS firms should implement multi-factor authentication to verify customer identity using at least two of the following:

  • Something the user knows (e.g., username, password, PIN).
  • Something the user has (e.g., phone, token).
  • Something the user is (e.g., fingerprint, voice, iris).

When developing their authentication systems, FS firms should consider that certain technological authentication methods, such as iris scanning and text message confirmation, may be too difficult for their elderly customers to use. FS firms must strike a balance between risk mitigation and ease of account access.[9]

Perform enhanced due diligence

FS firms should perform enhanced due diligence prior to adding joint account holders, accepting a power of attorney, changing beneficiaries, or appointing a trusted contact person on an elder’s account. Where allowed by law, FS firms should consider running criminal background searches on these individuals.

File Suspicious Activity Reports voluntarily

While the CFPB recommends that banks and credit unions file Suspicious Activity Reports (SARs) when mandatory under the Bank Secrecy Act, we recommend that FS firms go beyond the minimum regulatory requirements as a matter of good corporate stewardship and social responsibility. Additionally, FS firms should analyze trends in their SAR filings to identify control gaps and enhance controls accordingly.

ENDNOTES

[1] The elderly population is expected to more than double between now and the year 2050, when one out of five Americans will be aged 65 or older.

[2] For our perspective on how FS firms can improve their authentication controls, see PwC’s Financial crimes observer, Fraud: Email compromise on the rise (February 2016).

[3] For additional information on fraud risk assessments, see PwC’s Financial crimes observer, Bank fraud: Old defenses won’t stop new threats (April 2016).

[4] For example, the North American Securities Administrators Association recently released a model act that requires reporting of EFE incidents to state securities administrators, Adult Protective Services, and a trusted contact person. The model act provides immunity from civil or administrative liability for broker-dealers and investment advisors that report suspected EFE incidents.

[5] FINRA’s proposed regulation only requires that broker-dealers and investment advisors develop policies and procedures around reporting. Comment letters from industry representatives have encouraged FINRA to explicitly require in the final rule that broker-dealers and investment advisors report EFE incidents to certain government agencies (e.g., APS, securities regulators).

[6] For additional information on predictive analytics, see the Financial crimes observer cited in note 3.

[7] The Fair and Responsible Banking Program is an enterprise-wide program that focuses on compliance with the Equal Credit Opportunity Act, Fair Housing Act, and UDAAP, and mitigates risks and practices of unlawful discrimination and illegal practices against vulnerable groups.

[8] A surrender charge is an early withdrawal penalty for withdrawals that are in excess of the free withdrawal percentage. Surrender charge schedules are expressed in percentages and tend to decrease over time until the surrender charge is no longer applicable, usually after 6 to 8 years after annuity purchase.

[9] For our view on how FS firms can strike this balance, see the Financial crimes observer cited in note 2.

The preceding post comes to us from PwC.  It is based on their memorandum, which is dated May 2016 and available here.