Mutual fund dealers and reps should not be accepting trading instructions from clients via email, says the Mutual Fund Dealers Association of Canada (MFDA) in a compliance bulletin published on Thursday.
The bulletin details the results of a recent review, which the MFDA carried out in 2017, of fund dealers’ use of various forms of electronic communication with their clients. It highlights the risks involved with the use of online communications, such as email, and sets out recommended best practices for dealers.
Among other things, the bulletin cautions dealers against relying on email to seek, or accept, instructions from clients (such as trading instructions or other account-related changes).
“Client instructions typed in the body of an email do not constitute adequate evidence of client instructions, even where the client has signed [a limited trading authorization],” it says.
Instead, the bulletin recommends that dealers use other, more secure forms of electronic communication, such as a password-protected portal.
“MFDA staff are of the view that, based on the risk involved in the use of email to accept client instructions, and the availability of technologies that allow for better means of client identification and security (such as e-signature technology or a password protected web-portal), [dealers] should not accept client instructions via email,” it says.
The bulletin also warns against the use of reps’ personal email to communicate with clients, noting that this represents both a security and a supervisory risk.
“Email must be appropriately secured in order to protect from events such as hacking and privacy breaches. If the [dealer] does not have control of the email system being used, they do not have control of the security settings such as passwords and encryption nor can they monitor for cybersecurity incidents such as phishing attacks,” it says. “This could lead to breaches of not just the [rep’s] computer, phone or other endpoint device, but the [dealer’s] own systems.”
Dealers that are using more secure web portals for client communication must ensure “there are adequate security protocols in place for the web portal in order to defend against cyber attacks,” such as the use of strong encryption.
The bulletin also spells out the sorts of security incidents that dealers must report to the MFDA (and that reps must report to their dealer), including a breach of dealers’ systems, mis-delivered confidential client information, or compromised client email accounts.