Somewhat *** OFF TOPIC ***, but informative nonetheless...
online.wsj.com
New Privacy Leak: Some Mutual Funds Reveal Clients' Data
They Include Account Number With Name and Address On Certain Federal Filings
A Jolt for the Murphy Family
By MARK MAREMONT, Staff Reporter of THE WALL STREET JOURNAL
March 23, 2005; Page A1
Lois Hatten, a 60-year-old widow of a truck driver in Otsego, Mich., was astonished to find out recently that her Individual Retirement Account number was posted on the Internet, along with her name, home address and the approximate number of shares she holds in two mutual funds.
Even more surprising is who made the disclosure: her mutual-fund firm, Armada Funds.
In what appears to be a significant privacy breach, some of the nation's leading mutual-fund companies have publicly disclosed similar information about certain of their customers. The postings are readily accessible on a U.S. government Web site, and could leave these individuals vulnerable to identity theft or other crimes.
"I was pretty shocked," said Ms. Hatten, a retired former grocery-store employee, when told by The Wall Street Journal about the posting. "Nobody should know my business."
Among other fund companies that have made some customer account numbers publicly available: Pimco, a unit of German insurance giant Allianz AG; the Dreyfus unit of Mellon Financial Corp.; Bank of America Corp.'s Columbia Funds unit; Nuveen Investments; the First American Funds unit of U.S. Bancorp; AmSouth Bancorp's fund unit, and the CNI Charter fund unit of City National Bank of Los Angeles.
The leaks can be traced, in part, to Securities and Exchange Commission regulations that require fund firms to disclose the name, address and percentage ownership of any owner of more than 5% of a particular class of any mutual fund. The provision is meant to let shareholders know of anybody who might be in position to control or influence the fund.
The disclosures are typically contained in a "Statement of Additional Information" -- a supplement to the fund's prospectus -- and posted on the SEC's Web site. Many fund companies also post the supplements on their own Web sites.
Not-So-Private Equity
The proliferation of mutual funds in recent years, combined with some funds' array of different share classes, means that it sometimes doesn't take much to go over the 5% threshold. Armada lists Ms. Hatten, for example, as owning more than 7% of the "H Class" shares of two funds as of September 2003, even though her holding in each fund at the time was only about $10,000. Armada has since folded the Class H shares into another share class, and doesn't cite Ms. Hatten in its latest filing. But the filing that lists her account number, made in late 2003, is still on the Web.
Kathleen Barr, chief compliance officer at Armada Funds, a unit of the Cleveland-based bank National City Corp., says Armada was unaware of the breach before The Journal discovered it. "This is a big problem industrywide," she says. She adds that Armada now has contacted the customers involved and changed their account numbers, and has no reason to believe any of their accounts were affected.
Most other fund firms asked about such inadvertent disclosure agree they made a mistake. "It is not our policy to disclose account numbers," says a spokesman for CNI Charter, which also says it is changing customer account numbers and preparing amended filings.
It's impossible to say how many customers have been affected, because such information is scattered among thousands of regulatory filings, just one of which sometimes runs hundreds of pages. Some filings on the Web list scores of 5% owners. Not all are individuals; some are investment institutions. It appears the majority don't have account numbers attached. Still, there are some recent filings that appear to include account numbers for as many as 18 individual investors, along with their names and addresses.
The leaks come amid broader concern about electronic privacy. Congress earlier this month held hearings on the issue, after breaches of consumer information occurred at ChoicePoint Inc., LexisNexis and Bank of America. ChoicePoint, for instance, sold private data on 145,000 people to criminals posing as legitimate small-business customers, a breach that the people might never have known about but for a California consumer-protection law.
Review of 5% Rule
While the SEC requires disclosure of who holds 5% of any class of a fund and their addresses, "the law does not require brokerage-account numbers" be disclosed, said a spokesman for the agency. He wouldn't comment on individual filings. A person familiar with the SEC said its staff will review whether the 5% rule, first imposed in 1978, might need to be revised as part of a broader look at mutual-fund disclosure issues.
Some industry executives blame a fairly simple mistake: In putting together disclosure statements, fund companies or their outside administrators sometimes pick up account ownership information from a computer database. It often includes the customer's bank, mutual-fund or brokerage-firm account number. At AmSouth, a spokesman blames an "error" by an outside fund administrator for its posting of five account numbers in a recent filing, adding that the firm notified the customers and is taking steps to prevent a recurrence.
Not every fund firm has the problem. Fidelity Investments says it has a policy against including account numbers in such filings. Regions Financial Corp.'s Morgan Keegan fund group says it goes further. It includes only the name, hometown and ownership stake of the customer, omitting the street address and any other identifying data.
Banks and brokerage firms generally say the information listed in the filings wouldn't be enough to compromise a customer's account, because they have several layers of security protection.
Robert Douglas, a former private investigator who has testified before Congress on information privacy, isn't so sure. Armed with the data posted, "realistically and without too much difficulty an unscrupulous person could steal that money," he says.
Mr. Douglas, who heads a consulting firm called PrivacyToday.com, says many identity-theft crimes entail "pretext calling": The fraudster phones a customer-service center and pretends to be an account owner. The more information the caller has about a real account holder, the more likely it is he can convince the customer-service representative that he is that person.
Suppose that "I now know the custodian, the account number, the account holder's address and the name of one security in the account," Mr. Douglas says. Additional persuasive information, such as a Social Security number, can easily be purchased on the Internet. Once a bank, mutual-fund firm or brokerage house is convinced the caller is genuine, Mr. Douglas adds, it's relatively simple to arrange to wire money out of the account.
'Very, Very Disturbed'
That prospect alarms Richard Murphy of West Simsbury, Conn., who was "very, very disturbed" to learn that information about his wife's ownership of a Pimco fund had been posted on the Internet in July, along with similar data for roughly a dozen other people. In addition to Nancy Murphy's name and address, the SEC Web site listed the account number of a family brokerage account that contains other holdings besides the mutual fund.
"Once they know the brokerage-account number, it wouldn't take much more to get into that account and make some transactions," says Mr. Murphy, a 62-year-old actuary. "You wonder why Pimco would consider it appropriate to put it out on the Web site."
A spokesman for Pimco, a big Newport Beach, Calif., firm best known for its bond funds, says the firm "inadvertently" included extra information about customers in a "very small number of cases." He says the firm has reinforced its operational procedures to prevent a recurrence, and has notified the affected investors' representatives.
Scottrade Inc., a discount brokerage firm, says it launched an inquiry after finding out that Pimco had posted a Scottrade account number for one of its customers, a man in Niagara Falls, N.Y. "That seems like the antithesis of any privacy policy," says a Scottrade spokeswoman. "Why have that information out there if it doesn't need to be?"
Scottrade quickly changed the customer's brokerage-account number and password, and doesn't believe the account was tampered with, says the spokeswoman, Kelly Doria.
Many people whose names appear on the lists of 5%-plus holders are surprised they are such big owners. Joe Isaac, a retired U.S. Treasury agent in Jacksonville, Fla., was listed along with his aunt as holding 6.5% of the Class C shares of Columbia Balanced Fund. "I wouldn't think we would own that much of it," says Mr. Isaac. "You're talking about millions of dollars that goes into these funds. I certainly don't have that kind of investment."
A Closer Look
In its December 2004 disclosure, Columbia Funds listed Mr. Isaac's name and address, the number of a brokerage account through which he owns the fund shares and the size of his holding. After being contacted by The Journal, Mr. Isaac said he informed his broker, Wachovia Securities.
"They were really upset," he said, adding that the brokerage firm told him it had begun investigating the matter. He also said it had changed his account number, which Wachovia confirms. Mr. Isaac was among 17 individual holders whose names and what appear to be their account numbers were listed in the filing by Columbia Funds.
Columbia says it is examining its processes to find out what happened. The firm is "committed to preserving customer privacy" and intends to "take additional steps above and beyond general industry practices to fulfill this commitment," says a spokesman, Tom Gariepy.
A spokeswoman for Dreyfus funds, meanwhile, says the firm is "currently re-evaluating" the way it provides account identification in its filings, saying the information comes to it from a transfer agent. A U.S. Bancorp spokeswoman says First American officials are still looking into the matter.
Finding all affected customers of all mutual funds may be difficult, requiring fund companies and brokerage firms to sort through thousands of filings. And it won't be enough just to scan recent ones. Some of the disclosures were made years ago and remain publicly available. Even if a customer has since sold that mutual fund, he or she may still have an IRA account or brokerage-account number that was listed in the filing.
At Armada Funds, Ms. Barr says, scanning filings "will be a huge endeavor. Every single page will have to be reviewed for that. But it will just have to happen."
Write to Mark Maremont at mark.maremont@wsj.com
EK!!!