Leading global fund administrator and technology provider SS&C has been sued by one of its hedge fund clients, Tillage Commodities Fund, which claims SS&C ignored its own protocols and deceived clients into thinking it had sound technology to prevent Chinese hackers from spoofing its identity when transferring and stealing $5.9 million in US dollars. Chris Kentouris, from FinOps, does a great job of covering the details of the case here and it is well worth a read.
While the failings in SS&C’s payment validation process are yet to be debated and proven in court, the fact that these payments were processed a further 5 times across 21 days without being caught is a symptom of a larger industry-wide problem in Investor Servicing departments.
The Fund Administration industry is gradually making progress on automated reconciliation in the fund accounting and custody departments, but in most cases the Investor Services department (also known as Transfer Agency, or ‘TA’ for short) continues to manually reconcile the fund’s deal board transactions to the fund’s Bank Operating Accounts. In some cases, these aren’t reconciled at all.
This creates a massive risk that should be top of the agenda at every Fund board meeting.
Due to their simplicity, these spoofing attacks are one of the fastest growing forms of cyber fraud. According to a recent FBI alert, Business Email Compromise attacks (BECs, for short), often CEO spoofing emails aimed at wire fraud, have increased 270 percent in the last 15 months. For the period from October 2013 to April 4, 2016, the FBI reports that losses total a record $2.3 billion.
SS&C’s case doesn’t make the top 5 of recent examples of this type of fraud, but it shows how vulnerable Fund Administrators are to a massive loss.
As demonstrated by the SS&C case, if a criminal successfully spoofs the credentials of a client, Fund Administrators can lack the controls to identify that the resulting transactions do not match any approved investor transaction. For the uninitiated, transactions that normally move through an Investor Services Operating account include shareholder subscriptions, redemptions, dividends, rebates and expenses.
In its claim, Tillage says that three of the six fraudulent transfer requests referred to wiring money to investors, which implies fund redemption, but they were processed without the required redemption letters. Not to mention, the intended recipients were not investors in the Tillage fund.
Fund Recs has developed an automated software solution to reconcile transactions on the Investor Services Bank Operating account to the approved deal board held by the Administrator. Every transaction that flows through the bank account is required to have a matching approved transaction on the Fund’s deal board. Fund Recs software would have immediately flagged the first fraudulent transfer out as not having a matching approved transaction.
The daily reconciliation on Fund Recs cannot be completed without all movements being accounted for, and this would have raised a flag with management indicating that further investigation was warranted.
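The control described above, sketched as an added example (this is not Fund Recs' software; the field names, identifiers and amounts are constructed assumptions): each bank movement must consume exactly one approved deal, so a payment to a non-investor, a payment against an unapproved redemption, or a repeated payment each surfaces as a break that blocks sign-off.

```python
from collections import defaultdict
from decimal import Decimal

OUTFLOWS = {"redemption", "dividend", "rebate", "expense"}  # subscriptions are inflows

def deal_key(deal):
    """Signed cash movement the bank statement should show for this deal."""
    sign = -1 if deal["type"] in OUTFLOWS else 1
    return (deal["investor"], deal["currency"], sign * deal["amount"])

def reconcile(bank_movements, deal_board):
    """Match bank movements one-to-one to approved deals; return (matched, breaks, outstanding)."""
    available = defaultdict(list)
    for deal in deal_board:
        if deal["approved"]:  # an unapproved deal can never justify a payment
            available[deal_key(deal)].append(deal)
    matched, breaks = [], []
    for ref, counterparty, currency, amount in bank_movements:
        key = (counterparty, currency, amount)
        if available[key]:  # consume the deal so a repeat payment cannot reuse it
            matched.append((ref, available[key].pop(0)["deal_id"]))
        else:
            breaks.append(ref)  # no approved deal behind this movement
    outstanding = [d["deal_id"] for deals in available.values() for d in deals]
    return matched, breaks, outstanding

def can_sign_off(breaks):
    return not breaks  # the day closes only when every movement is accounted for

# Constructed sample data for illustration; not figures from the SS&C case.
def _deal(deal_id, kind, investor, amount, approved=True):
    return {"deal_id": deal_id, "type": kind, "investor": investor,
            "currency": "USD", "amount": Decimal(amount), "approved": approved}

DEAL_BOARD = [
    _deal("D-1001", "subscription", "INV-A", "500000.00"),
    _deal("D-1002", "redemption", "INV-B", "250000.00"),
    _deal("D-1003", "redemption", "INV-C", "100000.00", approved=False),  # no redemption letter yet
    _deal("D-1004", "dividend", "INV-A", "1200.00"),
]
BANK = [  # (ref, counterparty, currency, signed amount)
    ("B-1", "INV-A", "USD", Decimal("500000.00")),
    ("B-2", "INV-B", "USD", Decimal("-250000.00")),
    ("B-3", "INV-B", "USD", Decimal("-250000.00")),    # repeat of B-2: deal already consumed
    ("B-4", "INV-C", "USD", Decimal("-100000.00")),    # deal exists but is not approved
    ("B-5", "ACME-LTD", "USD", Decimal("-980000.00")),  # recipient is not an investor
]
if __name__ == "__main__":
    print(reconcile(BANK, DEAL_BOARD))
```

Matching here is exact on counterparty, currency and signed amount; a production reconciliation would also need value dates and tolerance rules, which this sketch leaves out.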
One of the key takeaways from the SS&C case and other similar cases in the past is that Investor Services departments must reconcile all transactions flowing through their Operating Bank accounts and that these should be verified against approved transactions.
The risk is too high to rely on manual processes, Excel spreadsheets or human intervention.
Fund Recs develops cloud reconciliation software for the funds industry. We'll be sharing our experiences and thoughts on our blog as we build our company.