
Protecting against share sale fraud

information sheet – 237

This is Information Sheet 237 (INFO 237). It gives guidance to AFS licensees on how they can mitigate the risks that share sale fraud poses to their clients and business. This information sheet covers:

AFS licensees that deal in securities may be vulnerable to share sale fraud. Share sale fraud refers to the fraudulent activity of a person who is not who they claim to be, selling shares that do not belong to them.

Share sale fraud often follows a similar pattern. For example, a person claiming to be ‘Jane Citizen’ creates a new trading account with a market participant (or their intermediary) to sell her shareholding. The identity documents used to open the new account are either stolen or fraudulent, and the security reference number (SRN) or holder identification number (HIN) is fraudulently obtained from a statement. The contact details belong to the bad actor and the bank account nominated for settlement – supposedly in the name of ‘Jane Citizen’ – is the bad actor’s own account.

Share sale fraud can also occur when a bad actor steals an existing client’s identity and compromises their existing trading account by altering the contact and/or bank account details held by the market participant to obtain share sale proceeds.

Share sale fraud is often difficult to detect, but robust account opening and client due diligence practices can be effective in preventing this type of fraudulent activity.

We have observed that fraudulent share sales often involve the sale or transfer of large parcels of shares. AFS licensees should review their controls to ensure they effectively prevent share sale fraud.

Client onboarding

Some controls that can be used when onboarding new clients include:

  • requesting multiple forms of primary identification
  • being alert to possible use of stock images, fakes, forgeries and documentation that may have been compromised in recent incidents, and independently verifying their authenticity
  • meeting prospective share sale clients in person or implementing client video call-backs as part of the onboarding process
  • contacting the relevant share registry to identify if the prospective client’s details (postal and email addresses, telephone number, etc.) were recently changed, as recent activity may indicate fraud
  • using multifactor authentication to verify a client’s identity
  • conducting additional verification checks on self-managed superannuation fund (SMSF) clients during onboarding, where client details change and for large transactions.

Licensees must apply appropriate client identification procedures to all their clients as part of their anti-money laundering and counter-terrorism financing (AML/CTF) ‘know your customer’ (KYC) program.

  • Find further information on your KYC obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) on the Australian Transaction Reports and Analysis Centre (AUSTRAC) website.

Ongoing due diligence

We are aware of instances where existing client trading accounts were compromised by identity theft and hacking. These risks may be mitigated by:

  • monitoring trading behaviour and conducting additional due diligence where trading is unusual for a client, a client makes large withdrawal requests or newly opened accounts are observed
  • introducing a meaningful value threshold for share sale transactions (tailored to your business and designed to identify attempted fraud) that triggers a client call-back for further due diligence
  • conducting further due diligence when clients add or request changes to personal information such as postal/email addresses and bank accounts (including, where possible, checking that bank accounts are held in the client’s name). AFS licensees should be vigilant when communicating with clients by email and should generally not accept client instructions to change personal details by email alone
  • maintaining up-to-date and effective ongoing due diligence measures. These should be embedded into an AFS licensee’s AML/CTF program.

  • Find further information on ongoing due diligence and your obligations under the AML/CTF Act on the AUSTRAC website.

Intermediary clients

We consider there is a heightened risk of share sale fraud where market participants offer white labelling services to other intermediaries, as market participants often do not have direct visibility of their intermediary clients’ due diligence practices. While the obligation to verify a client’s identity rests with the entity providing the designated service, we strongly encourage market participants to regularly (at least every 12 months) review the adequacy of their intermediary clients’ due diligence practices.

Periodic reviews and testing

As share sale fraud involves identity theft, AFS licensees should continually review and test the adequacy of their client onboarding, due diligence and fraud prevention practices. In particular, we expect AFS licensees to review their arrangements following any instances of fraud or near misses. Licensees should regularly review or spot check new accounts. These checks should preferably be conducted by someone not involved in the day-to-day client onboarding process. Periodic reviews of third-party providers should also be conducted to ensure data sources remain reliable.

AML/CTF training

We expect all AFS licensees dealing in securities that provide a designated service under the AML/CTF Act to provide formal AML/CTF training, at least every 12 months, to staff involved in client onboarding or providing a designated service. While the training provided can be internally or externally sourced, we expect AFS licensees to maintain a training program and a training register that records what training is conducted, when it is conducted, and who attends. We do not consider informal training such as staff announcements or ‘on the job learning’ to be a substitute for formal training.

Reporting suspicious matters

If you suspect on reasonable grounds that a person (or their agent) is not who they claim to be, and is attempting to engage in share sale fraud, you must provide a suspicious matter report (SMR) to AUSTRAC. Reports to AUSTRAC must be submitted within three business days after forming the suspicion, or within 24 hours if the suspicion relates to terrorism financing. All reports should reference ‘share sale fraud’. If you submit an SMR to AUSTRAC, you are not required to notify ASIC of the same information. You must not disclose to any person (other than AUSTRAC) that you formed a suspicion about a person or that you submitted an SMR to AUSTRAC unless one of the exemptions in the AML/CTF Act applies.

Important notice

Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice. We encourage you to seek your own professional advice to find out how the applicable laws apply to you, as it is your responsibility to determine your obligations.

You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases, your particular circumstances must be taken into account when determining how the law applies to you.

Information sheets provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.

This information sheet was updated in June 2025.