Staying Safe in Cyberspace
July 25, 2018
Image used with permission: iStock/mangpor_2004
Staying Safe in Cyberspace
Since the first Canadian on-line banking website went live approximately 30 years ago, the financial services industry has been an enthusiastic adopter of on-line technology, both for the delivery of its services and for the conduct of its business.
Firms and clients who are comfortable with this new world have enjoyed a huge improvement in convenience. Many transactions can be done by phone, email or over a website at any time of day or night – without ever darkening a financial firm’s door. Account information and reports arrive more quickly and are available at the click of a button, often without the need to receive or maintain bulky paper records.
While dramatically more convenient, the technology has brought with it some new vulnerabilities. So much can now be done without any face-to-face human contact that it’s much easier for a malefactor to pose as a client and steal their confidential information and/or financial assets. To combat this threat, financial firms large and small constantly strive to erect and maintain protective barriers to keep client information in and the bad guys out, without making it seriously inconvenient for clients.
At Nexus we have embraced much of this new technology wholeheartedly. In so doing, however, we go to great pains to make sure client information and portfolios are safe. Before 2017, this effort consisted mostly of protecting the firm’s systems, tools and data – including client data – from unauthorized access by outsiders. That effort continues unabated, with regular adjustments to our processes, and tools to identify and plug anything in our defenses that could possibly be a hole.
With the introduction of our client portal about 18 months ago, security of client information was top of mind. We felt strongly that client and Nexus access to the portal should require more than merely an email address and password. Indeed, we deferred launching until our portal provider had a reliable second form of authentication – one which requires a client to periodically obtain via cellphone text message, and input on the portal login page, a unique “verification” code. This two-step process is admittedly less convenient – for clients and us – than just an email address and password. However, in our judgement, such a comparatively minor inconvenience is a small price to pay to protect valuable and confidential client information. Moreover, as highlighted in this recent Globe and Mail article by columnist Rob Carrick, we note that the major banks are wrestling with the same trade-off as they begin introducing similar “two-factor authentication” more broadly.
Just as Nexus is concerned with client security, so, too is our custodian, RBC Investor Services Trust (“RBC”). Indeed, RBC and its parent organization, one of the country’s largest financial institutions, is constantly under attack by bad actors searching for weak spots in its defenses which could be exploited to steal client information and/or assets. In the face of sustained growth in the volume and sophistication of such bad actors’ fraudulent activity, RBC has taken two additional steps to protect clients. Beginning about a month ago, for certain large value payments from an RBC Investor Services Trust client account to a bank account, RBC now calls the accountholder to confirm that the payment instructions are legitimate.
Most recently, RBC has advised all firms like Nexus that it would cease making payments from an RBC Investor Services Trust client account to anywhere other than a bank account in the name of the accountholder. There are a few permitted exceptions, such as for tax payments to Canada Revenue Agency and donations of securities to charities. But the days of the custodian playing the role of bank are unfortunately over. For example, no longer will RBC send money directly from a Nexus/RBC investment account in the name of a holding company to a bank account of its major shareholder, or in the name of a trust or estate to a beneficiary’s bank account.
This change will surely inconvenience those who do not already have a bank account for the holding company (or the trust/estate) to which monies can be sent and from which cheques can then be issued to the company’s shareholders (or the trust/estate’s beneficiaries). They will have to move quickly to dig out the records, such as articles of incorporation or probated will, and pay a visit to their local branch to set up such a bank account. We will do our best to help those affected to devise and set up new, workable arrangements for getting funds from Nexus to their intended destination.
If you have any questions or concerns about how this all might affect you, please do not hesitate to contact us. RDC