Numerous journalists have showcased their use of “deep-voice” and other Artificial Intelligence technologies to spoof electronic confirmation systems. Although these attempts to bypass security, so far, have largely been confined to retail banking and credit cards, private fund managers should focus on this new arrow in the scammer’s quiver.
All private fund managers, including managers that use third-party administrators to manage subscriptions, redemptions and investor information processes (e.g., wiring instructions), should assess their susceptibility to AI-fueled scams, such as combining a redemption or transfer request from a hacked or spoofed email account with a “live” verification by an AI-enabled voice or video impersonation tool.
While it is early days, and given that there is no one-size-fits-all solution, we would suggest that all managers review and stress test their verification processes and consider whether additional safeguards are appropriate. Compliance personnel should also review existing (albeit pre-AI) regulatory guidance and industry best practices for indicative guidance (e.g., the SEC’s Regulation S-ID Risk Alert).
One interim suggestion that we have is to implement a “2x2” requirement, i.e., requiring:
- A bidirectional communication record
- That occurs across two pre-approved media (e.g., “known” email accounts or telephone numbers)
for any investor-related change or transaction to occur.
For example, a voice request over a phone call originating from a pre-approved number must be validated by an email exchange with a pre-approved email address, or vice versa. We have distilled this suggestion into a (very simplified) matrix:
Obviously, this effort will require collaboration among legal, compliance, operations and other firm personnel. Outside counsel can assist in identifying state, federal and foreign privacy, data transfer and similar laws, in addition to traditional regulatory compliance advice.
Attachments
Download Now
