Protecting against share sale fraud
This is Information Sheet 237 (INFO 237). It gives guidance to AFS licensees about how they can mitigate the risks to their clients and business of share sale fraud.
Australian financial services (AFS) licensees that deal in securities may be vulnerable to share sale fraud. We have identified a rise in instances of share sale fraud, primarily in connection with issuer-sponsored holdings.
Share sale fraud refers to the fraudulent activity of a person who is not who they claim to be, selling shares that do not belong to them.
Share sale fraud often follows a similar pattern: a person claiming to be ‘Jane Citizen’ (for example) creates a trading account with a market participant (or their intermediary) to sell her issuer-sponsored shareholding (generally as a one-off trade). The identity documents used to open the account are either stolen or fraudulent, and the security reference number (SRN) is fraudulently obtained from a share registry statement. The bank account nominated for settlement – supposedly in the name of ‘Jane Citizen’ – is the fraudster’s own account.
Share sale fraud is often difficult to detect, but robust account opening and customer due diligence practices can be effective in preventing this type of fraudulent activity.
One-off share sales
We have observed that one-off share sales are particularly vulnerable to share sale fraud, with many share sale frauds involving the sale of large parcels of issuer-sponsored holdings. We encourage AFS licensees to consider implementing the following additional controls when handling one-off share sales:
- sight prospective one-off share sale clients in person (or via video conference) to check they match the supplied identity documents. Where possible (and with the client’s consent), record an image of the prospective client’s face
- telephone prospective one-off share sale clients to check for red flags (e.g. the customer does not sound like the person they are claiming to be)
- record and compare the geographic location of the full IP address (including port number) used to submit an application to open a trading account with the address of the prospective client and/or identity document certifier
- record the device type and internet browser used to open a trading account and keep this information on the client’s file. Compare this information with the device type and internet browser used for high-risk transactions/interactions (e.g. one-off sales or changing account details) and conduct further due diligence should there be inconsistencies
- record and compare the geographic location of the nominated settlement account’s BSB with the address of the prospective client
- contact the relevant share registry to identify if the prospective client’s details (address, telephone number, etc.) were recently changed. Recent activity may be an indicator of fraudulent activity
- use a two-factor authentication process (where appropriate) when attempting to verify a client’s identity
- where possible, verify two primary photographic identification documents before opening a trading account
- introduce a $25,000 (or lower) threshold for one-off share sale transactions that trigger a client call-back for further due diligence. For example, the client call-back could:
  - ask the client to verify personal information (age, address and date of birth)
  - ensure the age, accent and gender of the client’s voice are consistent with the client information held on file, and
  - pay attention to any unusual pauses or hesitation in answering personal details, rushing or forcing ID details, or aggressive responses to verification requests
- settle one-off share sale transactions using cheques (addressed to the holder of the trading account) to reduce the risk of third parties fraudulently accessing funds.
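Several of the controls listed above can be encoded as automated red-flag checks that route a one-off sale to a call-back. The following is an added example, not part of INFO 237 or any ASIC tooling. The record fields, the 90-day "recent change" window, the at-or-above threshold comparison and the BSB third-digit state mapping are assumptions, and IP-to-state resolution is assumed to happen upstream.

```python
from dataclasses import dataclass
from typing import Optional

CALLBACK_THRESHOLD_AUD = 25_000   # INFO 237 suggests $25,000 or lower
RECENT_CHANGE_DAYS = 90           # assumption: the sheet only says "recently"
# Assumption: conventional meaning of the third BSB digit (branch state).
# Not every institution follows it; confirm against the official BSB directory.
BSB_STATE = {"2": {"NSW", "ACT"}, "3": {"VIC"}, "4": {"QLD"},
             "5": {"SA", "NT"}, "6": {"WA"}, "7": {"TAS"}}

@dataclass
class SaleRequest:                # hypothetical record; field names are illustrative
    client_state: str             # state from the client's address on file
    ip_state: str                 # state resolved from the application IP address
    open_device: tuple            # (device type, browser) at account opening
    txn_device: tuple             # (device type, browser) on this sale request
    settlement_bsb: str           # BSB of the nominated settlement account
    sale_value_aud: float
    registry_change_days: Optional[int]  # days since registry details changed, or None

def bsb_states(bsb: str) -> set:
    """Return the states implied by a BSB, or an empty set if unknown."""
    digits = "".join(c for c in bsb if c.isdigit())
    if len(digits) != 6:
        raise ValueError(f"BSB must contain 6 digits: {bsb!r}")
    return BSB_STATE.get(digits[2], set())

def red_flags(r: SaleRequest) -> list:
    """List the controls that call for further due diligence on this sale."""
    flags = []
    if r.ip_state != r.client_state:
        flags.append("ip_location_mismatch")
    if r.txn_device != r.open_device:
        flags.append("device_or_browser_changed")
    states = bsb_states(r.settlement_bsb)
    if states and r.client_state not in states:
        flags.append("bsb_location_mismatch")
    if r.registry_change_days is not None and r.registry_change_days <= RECENT_CHANGE_DAYS:
        flags.append("recent_registry_change")
    if r.sale_value_aud >= CALLBACK_THRESHOLD_AUD:
        flags.append("callback_threshold")
    return flags

# Constructed sample records (not real clients or accounts).
CLEAN = SaleRequest("NSW", "NSW", ("desktop", "Firefox"), ("desktop", "Firefox"),
                    "112-879", 8_000, None)
SUSPECT = SaleRequest("NSW", "QLD", ("desktop", "Firefox"), ("mobile", "Chrome"),
                      "123-456", 40_000, 10)
```

Any non-empty result from `red_flags` is a prompt for the manual call-back and identity checks in the list, not a decision on its own.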
Customer due diligence
As share sale fraud involves identity theft, we strongly encourage AFS licensees to continually monitor the adequacy of their client onboarding and customer due diligence practices. AFS licensees should regularly review or spot check new accounts – these checks should preferably be conducted by someone not involved in the day-to-day client onboarding process. AFS licensees should also consider implementing client call-backs (to conduct due diligence) as part of the onboarding process.
Ongoing customer due diligence
We are aware of instances where the trading accounts of existing customers have been compromised by hacking. The risks associated with fraudulent access to existing customer accounts may be mitigated with effective ongoing customer due diligence (OCDD) measures. OCDD should be embedded into an AFS licensee’s AML/CTF program, and AFS licensees should conduct further due diligence when customers request changes to personal information (such as postal/email addresses and bank accounts). AFS licensees should be vigilant when communicating with customers via email and should generally not accept client instructions by email alone.
- Find further information on ongoing due diligence and your obligations under the AML/CTF Act on the AUSTRAC website.
We consider that there is a heightened risk of share sale fraud where market participants offer white labelling services to other intermediaries, as market participants often do not have direct visibility of their intermediary clients’ customer due diligence practices. While the obligation to verify a customer’s identity rests with the entity providing the designated service, we strongly encourage market participants to regularly (at least every 12 months) review the adequacy of their intermediary clients’ customer due diligence practices.
We expect all AFS licensees dealing in securities that provide a designated service under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) to provide formal AML/CTF training, at least every 12 months, to staff involved in client onboarding or providing a designated service. While the training provided can be internally or externally sourced, we expect AFS licensees to maintain a training program and training register that keeps a record of what training is conducted, when it was conducted, and who attended. We do not consider informal training such as staff announcements or ‘on the job learning’ to be a substitute for formal training.
- Find further information on AML/CTF risk awareness training programs on the AUSTRAC website.
Reporting suspicious matters
If you suspect on reasonable grounds that a person (or their agent) is not who they claim to be, you must provide a suspicious matter report (SMR) to the Australian Transaction Reports and Analysis Centre (AUSTRAC) within three business days after forming the suspicion, and within 24 hours if the suspicion relates to terrorism financing. If you make an SMR to AUSTRAC, you are not required to notify ASIC of the same information. You must not disclose to any person (other than AUSTRAC) that you formed a suspicion about a customer or that you submitted an SMR to AUSTRAC unless one of the exemptions in the AML/CTF Act applies.
- Find further information on suspicious matter reports on the AUSTRAC website.
Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law on that topic, and it is not a substitute for professional advice. You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.
Information sheets provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.
This information sheet was issued in June 2019.