Panelists

1
(No Transcript)
2
Panelists

• Leon Mulgrew, CAMS DirectorFranklin Templeton
  Investor Services, LLC
• Manoj (Tito) Pombra, Chief Compliance
  OfficerMatthews International Capital
  Management, LLC
• Ken DeJarnette, Principal Deloitte Touche LLP

3
Agenda

• TA Best Practices
• Regulatory Oversight
• Technology Tools Best Practices
• Q A

4
Protecting Your CustomersPreventing Fraud
Before it Happens
Leon Mulgrew, CAMS Director Franklin Templeton
Investor Services, LLC
5
Fraud Prevention TA Best Practices cont.

• The Challenges of Protecting Your Customer
• A Short Story
• Account Opening Good Order Review
• Red Flag Training
• Escalation Procedures
• Fraud Investigators
• Account Opening CIP Process
• AML / Fraud Software
• Account Scoring
• Data Validation

6
Fraud Prevention TA Best Practices cont.

• Account Takeover Known Perpetrator
• Family Member / Friend / Ex Spouse
• Difficult to Defend Against
• Red Flag Training
• Suspicious Activity Reports
• Police Report Attitude Test
• Minimize Losses Move Quickly

7
Fraud Prevention TA Best Practices cont.

• Account Takeover Unknown Perpetrator
• Professional Bad Guy
• Red Flag Training
• Suspicious Activity Reports
• Website Controls
• Privacy Controls
• Ethical Fraudster Attack
• Industry and Other Conferences

8
Fraud Prevention TA Best Practices cont.

• Conclusion
• Stop them at the door with a combination of
  software and well trained associates
• Know your perp through a good investigation
• Stop the pros through good controls

9
Protecting Customer InformationPreventing Fraud
Before it Happens

• Tito Pombra
• Chief Compliance Officer
• Matthews Asian Funds
• Matthews International Capital Management

10
The Regulatory Oversight

• Federal regulators, including the SECs
• Office of Compliance Inspections and
• Examinations (OCIE), are focusing particularly on
• the issue of identity theft.  During recent sweep
• examinations, OCIE has reviewed firms policies
• and procedures to assess whether organizations
• are adequately addressing how they protect
• records and confidential information of
  customers. 

11
Does your firm have written policies and
procedures reasonably designed to

• Maintain the security and confidentiality of
  customer records and information
• Protect against anticipated threats or hazards to
  the security of that information
• Prevent unauthorized access to or use of customer
  records or information that may result in actual
  or potential harm to the customer and Regulation
  S-P, Section 248.30?

12
Assessing the effectiveness of policies on
protecting customer information

• Have the firm and its employees taken appropriate
  precautions in how to dispose of all documents
  containing confidential customer information?
• Has the firm provided training to its employees
  on procedures to ensure confidentiality of
  customer records?
• Have you calendared periodic internal audits to
  detect potential vulnerabilities? 
• Have you inventoried confidential customer
  information and assessed what safeguards are used
  to protect this information?

13
Conclusion

• Use appropriate disposal processes for the
  destruction of books and records no longer
  required
• Conduct due diligence on third-party service
  providers to ensure they have appropriate
  safeguards for protecting your customers
  information
• Test the effectiveness of your firms policies
  for protecting confidential client information
• Conduct independent IT security audits

14
Protecting Customer InformationPreventing Fraud
Before it Happens

• Ken DeJarnette, CISSP, CISM, CIPP
• Principal, Security Privacy Services
• Deloitte Touche LLP

15
Framing the Issue

• Internal versus external threats/risks
• Most are internal (malicious versus inadvertent)
• Most fraud/theft requires little technical
  sophistication
• Actual fraud versus incident
• Knowing what to protect
• What are we trying to protect and why?
• Where is it?
• How can it be used?
• How can one get at it?
• Clues in the regulatory/legal response

16
Common Challenges

• Identity
• Permissive access
• No classification
• Flat architecture
• Duties not segregated
• Third-party connectivity
• No asset controls
• Limited physical controls
• End-user computing
• Limited role and activitybased training/guidance
• Limited event detection

17
Reasonable Response

• Risk Based
• Process oriented
• Data lifecycle first
• Technical solutions second
• Includes
• Classifications
• Role and activity based awareness
• Identity Management
• Zone/segments
• Logging and monitoring
• Adjusted

Most common mistake Rushing to Policy Failing
to do what you say you do
18
Technical Focus

• Issues/Misunderstandings
• Identity management
• Provisioning/de-provisioning
• Role based
• Enhanced authentication
• Encryption
• In-flight
• At rest
• End-user
• Logging and monitoring
• What
• Where
• How

19
Questions
20
Upcoming NICSA Events

• October 23-26, 2007
• November 7-8, 2007
• November 15, 2007
• December 5, 2007
• February 17-20, 2008

NICSA Technology Summit 2007 Las Vegas
Midwest Regional Meeting Chicago West Coast
Regional Meeting San Francisco Distribution
Executive Seminar New York 26th Annual
Conference Expo Miami
For more information regarding these events
please visit NICSA.org
21
Contacts

• Leon Mulgrew
• Tito Pombra
• Ken DeJarnette

650-312-4958 lmulgrew_at_frk.com
415-955-8122 mpombra_at_matthewsfunds.com 415-783-4
316 kdejarnette_at_deloitte.com