Annuity issuers are finally beginning to beef up the security of their client sites. Firms have bolstered login requirements, strengthened security measures and educated users about online crimes. A number of annuity client websites now offer detailed tutorials on phishing and other online scams. Several firms have ramped up their login security features.
Pacific Life, for one, has overhauled its entire client login process. The firm implemented computer recognition, which allows only users logging in from verified IP addresses to access account information.
Users can verify their computer by successfully answering a predetermined security question. Clients are also asked to select an image and create a custom caption that will appear on the password screen in order to confirm the page’s authenticity.
|Private Enhanced Security Login|
Allianz and TIAA-CREF also enhanced their respective client login processes. Allianz tightened its password criteria, forcing clients to choose more secure passwords. Clients are required to change their password every 90 days; Allianz is the only firm we track that requires regular password updates. In January, TIAA-CREF introduced a new login system that incorporates security questions into the regular username/password login process.
More firms are also employing automatic logouts. This simple but effective feature automatically ends a user’s session after they have been idle for a set period of time (most of our firms will now automatically log a client off after 15-30 minutes of inactivity).
Such improvements are more the exception than the rule, however. Pacific Life and Vanguard are the only firms that have incorporated computer recognition as well as customizable security imagery and captions into the login process. Most of the firms we track continue to use barebones login requirements. Too many firms have neglected to make online security a priority.
Although annuity firms have improved client security, they lag behind brokerages and banks. When Corporate Insight launched annuity coverage in 2006, for example, all of the firms in our roster simply required clients to enter a username and password to gain access to online account information. At that time, many banking, credit card and brokerage firms had already added stringent two-factor authentication methods to their login processes.
The speed at which annuity transactions are processed may help explain why annuity firms have short-changed security. Unlike transactions on brokerage websites, where trades are completed instantaneously, annuity transactions take at least one business day to clear. There’s significantly more time to detect fraud.
Because most investors purchase annuities through advisors, there’s usually a second set of eyes monitoring the contracts for suspicious activity. The heavily regulated nature of the product provides additional layers of protection. But these are not reasons for complacency or lax security. The sensitive personal information found on annuity websites will always make them potential targets for identity thieves. More than ever, firms must stress safety and prevention.
© 2009 Corporate Insight, Inc. All rights reserved.
Industry Views are special reports that are sponsored and independent from RIJ’s editorial content.