Introduction
The Australian Securities and Investments Commission (ASIC) has issued updated guidance for Australian Financial Services (AFS) licensees following a significant increase in share sale fraud. Analysis from ASIC identified a sevenfold increase in reports of this fraudulent activity over the last four years, leading to devastating financial and emotional impacts on victims, with some losing entire investment portfolios. This spike prompted an industry review and the release of the revised Information Sheet 237 (INFO 237).
For AFS licensees that deal in securities, this guidance clarifies that preventing share sale fraud is now considered a core operational and regulatory risk, not just an ancillary anti-money laundering issue. This article outlines the better practices for fraud prevention and detection detailed in INFO 237, covering the enhanced controls ASIC expects market intermediaries to implement to protect their clients and business from fraudulent share sales.
Understanding Share Sale Fraud & ASIC’s Targeted Risks
How Share Sale Fraud Typically Occurs
Share sale fraud is the fraudulent activity of a person impersonating a legitimate investor to sell or transfer shares they do not own. This type of fraud generally follows one of two common patterns:
- Creating a new trading account: A fraudster will use stolen or fraudulent identity documents to open an account in the name of a real investor. They then provide a fraudulently obtained security reference number (SRN) or holder identification number (HIN) to sell the victim’s shares and direct the settlement proceeds to a bank account they control.
- Account takeover: In this scenario, a fraudster steals an existing client’s identity to compromise their trading account. They then alter the contact details or bank account information on file to divert the proceeds from share sales.
The Broker’s Role as Primary Gatekeeper
ASIC positions brokers at the centre of preventing share sale fraud, making it essential to understand the full scope of compliance obligations for Australian stockbrokers. Specifically, fraudsters actively target vulnerabilities in a broker’s systems for:
- client onboarding;
- identity verification; and
- account modifications.
Because brokers are responsible for facilitating the execution and settlement of trades, ASIC expects them to act as the frontline gatekeepers. As a result, they are considered the primary control point for protecting both retail investors’ assets and the overall integrity of the financial market.
The Regulatory Foundations for INFO 237
Section 912A and General Obligations for AFS Licensees
The legal foundation for ASIC’s guidance on preventing share sale fraud is section 912A of the Corporations Act 2001 (Cth), which establishes the general obligations of AFS licensees.
Two key obligations form the basis for implementing robust anti-fraud controls, as follows:
- Section 912A(1)(a): AFS licensees must do all things necessary to ensure that financial services are provided “efficiently, honestly and fairly”; and
- Section 912A(1)(h): licensees are further required to have “adequate risk management systems”.
ASIC considers a failure to implement effective controls against share sale fraud a breach of these duties. Ultimately, the regulator views this as a failure of a firm’s core risk management framework.
AML/CTF Act: KYC & Ongoing Monitoring Obligations
Fraud prevention measures are also closely tied to obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). Since identity impersonation is central to share sale fraud, a licensee’s compliance with this Act is a critical line of defence.
Relevant obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) include:
- Client Identification: licensees must apply appropriate client identification and verification procedures, often called Know Your Customer (KYC) processes, as detailed in Part 2 of the Act;
- Ongoing Due Diligence: firms are required to monitor client transactions and activity throughout the business relationship to identify unusual patterns; and
- Suspicious Matter Reporting: under Section 41 of the Act, if a licensee forms a reasonable suspicion of fraud, it must submit a Suspicious Matter Report (SMR) to the Australian Transaction Reports and Analysis Centre (AUSTRAC).
In addition, ASIC expects these fraud-detection measures to be embedded in a licensee’s broader AML/CTF program rather than treated as a separate process.
Understanding the Role & Status of INFO 237
INFO 237 is formal regulatory guidance, not legislation. It does not create new laws but clarifies ASIC’s interpretation of existing obligations under the Corporations Act 2001 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
The guidance is significant because it reflects the findings of a recent ASIC-led industry review, which identified widespread, unacceptably weak controls among AFS licensees. Furthermore, INFO 237 outlines ASIC’s expectations for direct enforcement.
While not legally binding itself, the document serves as a benchmark for what the regulator considers “adequate risk management systems”. Therefore, failing to follow the better practices outlined in the guidance may expose a licensee to regulatory action if fraud occurs and its controls are found deficient.
ASIC’s Mandated Onboarding Controls (INFO 237)
Implementing Multi-Layered Identity Verification
To combat sophisticated share sale fraud, AFS licensees must move beyond basic KYC checks. ASIC’s guidance in INFO 237 expects brokers to implement a multi-layered approach to identity verification during client onboarding, which involves more than just collecting a single form of identification.
Effective controls include:
- Multiple primary IDs: requesting multiple forms of primary identification to cross-verify a client’s identity;
- Fraud detection: actively looking for signs of fraudulent documentation, such as the use of stock images, fakes, or forgeries; and
- Independent verification: independently verifying the authenticity of the documents provided, rather than taking them at face value.
This independent verification is particularly important for documentation that may have been compromised in recent data breaches.
Callbacks & Video Verification for High-Risk Clients
Adding a human verification layer is a key expectation for strengthening onboarding processes, especially for clients who present a higher risk of fraud. Therefore, ASIC’s INFO 237 recommends that AFS licensees implement procedures to meet directly with prospective share sale clients.
When in-person meetings are impractical, licensees should use alternative methods to verify the client’s identity. This can include implementing mandatory video call-backs as a standard part of the onboarding process for certain client types. Ultimately, this step helps ensure that the person opening the account is the true owner of the identity documents being presented.
Verifying Data Against Share Registries: A Critical Control
A crucial control measure unique to share brokers is the requirement to verify a prospective client’s details against the relevant share registry’s records, a process that often requires specific legal advice for share brokers. Fraudsters often gain access to a victim’s shareholding information and change the contact details held by the registry before approaching a broker to sell the shares.
Before onboarding a new client for a share sale, you must contact the share registry to check whether there have been any recent changes to the client’s details, such as their postal address, email address, or phone number.
If the information provided by the prospective client does not match the registry’s records, or if there has been a recent change, this must trigger a manual “stop” on the onboarding process. As a result, the transaction should not proceed until further verification is completed to resolve the discrepancy.
Enhanced Due Diligence for High-Risk Clients & SMSFs
Onboarding processes must be risk-based, with enhanced scrutiny applied to clients who present a greater potential for fraud. ASIC’s guidance specifically identifies Self-Managed Superannuation Funds (SMSFs) as a high-risk category that requires additional verification checks.
The heightened risk associated with SMSFs stems from their complex structures and the large transaction values they often undertake. Therefore, AFS licensees should conduct additional due diligence in the following scenarios:
- Onboarding phase: applying extra scrutiny during the initial establishment of the client relationship;
- Detail changes: conducting enhanced checks when an SMSF client requests changes to their personal or account details; and
- Large transactions: implementing further verification when the client initiates high-value trades.
Ongoing Due Diligence & Anti-Fraud Controls
Monitoring Trading Behaviour & Transaction Patterns
Fraud prevention extends beyond initial onboarding and requires continuous monitoring of client accounts. AFS licensees must have systems in place to detect red flags that may indicate an account has been compromised. Furthermore, ASIC’s INFO 237 requires brokers to conduct additional due diligence when certain triggers are present.
Key indicators of potential fraudulent activity include:
- Unusual trading behaviour: deviating from a client’s established patterns.
- Large withdrawal requests: especially if they are out of character for the account holder.
- High-value activity: observed in newly opened accounts shortly after onboarding.
As a practical control, INFO 237 recommends introducing a meaningful value threshold for share sale transactions. This threshold, tailored to your business, should automatically trigger a client call-back to a pre-verified number for further verification before the transaction is executed.
Controls for Changes to Client Details
Fraudsters often attempt to take over an existing account by changing key personal information to divert funds and communications. Consequently, any request to alter client details presents a high-risk event that demands enhanced verification.
Under ASIC’s guidance, AFS licensees must conduct further due diligence when clients request to add or change their postal address, email address, or bank account details. Where possible, this should include checking that the nominated bank account is held in the client’s name.
Relying on email instructions alone to make these changes is considered inadequate. Therefore, licensees should use more secure methods, such as a call-back, to confirm the legitimacy of the request before making any changes.
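The registry check, the value-threshold call-back and the change-of-details control described above can be combined into one pre-execution hold decision. The following is an added example, not code from INFO 237 or from the original article; the record shapes, the dollar threshold, the 90-day and 30-day windows and the halved threshold for SMSFs and new accounts are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed values: the page leaves the threshold to each business and does
# not define how recent a "recent" registry change is.
CALLBACK_THRESHOLD_AUD = 50_000
RECENT_CHANGE_DAYS = 90
NEW_ACCOUNT_DAYS = 30

@dataclass
class RegistryRecord:
    """Contact details the share registry holds (hypothetical shape)."""
    postal_address: str
    email: str
    phone: str
    last_changed: Optional[date]

@dataclass
class SaleRequest:
    """What the broker holds for the client placing the sale (hypothetical shape)."""
    postal_address: str
    email: str
    phone: str
    account_opened: date
    detail_change_unconfirmed: bool  # address/email/bank change with no call-back yet
    is_smsf: bool
    sale_value_aud: float
    requested: date

def _norm(value: str) -> str:
    # Ignore case and spacing so formatting differences are not treated as mismatches.
    return " ".join(value.lower().split())

def hold_reasons(req: SaleRequest, reg: RegistryRecord) -> List[str]:
    """Return every reason the sale must stop for manual verification."""
    reasons = []
    for name in ("postal_address", "email", "phone"):
        if _norm(getattr(req, name)) != _norm(getattr(reg, name)):
            reasons.append(f"registry_mismatch:{name}")
    # Matching details are not enough: a recent registry change is itself a stop.
    if reg.last_changed and (req.requested - reg.last_changed).days <= RECENT_CHANGE_DAYS:
        reasons.append("registry_recent_change")
    if req.detail_change_unconfirmed:
        reasons.append("detail_change_needs_callback")
    new_account = (req.requested - req.account_opened).days <= NEW_ACCOUNT_DAYS
    # Assumption: SMSFs and newly opened accounts get half the normal threshold.
    threshold = CALLBACK_THRESHOLD_AUD / 2 if (req.is_smsf or new_account) else CALLBACK_THRESHOLD_AUD
    if req.sale_value_aud >= threshold:
        reasons.append("value_callback_to_preverified_number")
    return reasons

# Constructed sample data (not real clients or registry records).
REGISTRY = RegistryRecord("1 Example St, Sydney NSW 2000", "holder@example.com",
                          "0400 000 000", date(2024, 5, 20))
REGISTRY_CHANGED = RegistryRecord("1 Example St, Sydney NSW 2000", "holder.new@example.net",
                                  "0400 000 000", date(2025, 5, 15))
ESTABLISHED = SaleRequest("1 example st,  sydney nsw 2000", "Holder@example.com",
                          "0400 000 000", date(2019, 3, 1), False, False, 12_000, date(2025, 6, 2))
NEW_ACCOUNT = SaleRequest("1 Example St, Sydney NSW 2000", "holder.new@example.net",
                          "0400 000 000", date(2025, 5, 28), False, False, 30_000, date(2025, 6, 2))

if __name__ == "__main__":
    for label, req, reg in (("established", ESTABLISHED, REGISTRY),
                            ("new account", NEW_ACCOUNT, REGISTRY_CHANGED)):
        print(label, hold_reasons(req, reg) or "no hold")
```

The second sample shows why the recent-change check matters: the applicant's details match the registry exactly, yet the sale is still held because the registry record was altered shortly before onboarding.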
Managing Intermediary & White-Labelling Risks
ASIC has identified a heightened risk of share sale fraud in arrangements involving intermediary clients, such as white-labelling services. In these structures, the primary market participant often lacks direct visibility into the intermediary firm’s due diligence and client onboarding practices.
While the legal obligation to verify a client’s identity rests with the entity providing the designated service, ASIC strongly encourages market participants to take a proactive role in managing this risk. According to INFO 237, market participants should conduct regular reviews of their intermediary clients’ due diligence practices to ensure they are adequate. These reviews should occur at least every 12 months.
Integrating Fraud Controls with AML/CTF Programs
Embedding Fraud Controls into AML/CTF Frameworks
Effective fraud prevention measures should be structurally embedded into your firm’s existing Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) program. Furthermore, ASIC’s guidance in INFO 237 clarifies that fraud detection and ongoing due diligence should not be treated as separate, siloed processes. Ultimately, integrating these controls ensures a cohesive and robust compliance framework in which red flags for identity theft and share sale fraud are managed with the same rigor as those for money laundering.
Requirements for Submitting Suspicious Matter Reports (SMRs)
Under section 41 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), AFS licensees have a legal obligation to report suspected fraudulent activity. Therefore, if you form a reasonable suspicion that a person is not who they claim to be and is attempting to commit share sale fraud, you must submit an SMR to AUSTRAC.
The timeframes for reporting are strict, as follows:
- Fraud or other criminal activity: an SMR must be submitted within three business days of forming a suspicion; and
- Terrorism financing: the report must be submitted within 24 hours.
In addition, ASIC’s guidance in INFO 237 specifies that all reports related to this type of activity should explicitly reference ‘share sale fraud’ to assist AUSTRAC with data analysis and trend identification.
The Importance of Staff Training & Awareness
ASIC expects AFS licensees to provide formal AML/CTF and fraud training to all relevant staff at least every 12 months. This requirement applies particularly to employees involved in client onboarding or the provision of designated services. By contrast, informal ‘on-the-job learning’ is not considered an adequate substitute for a structured training program.
To meet regulatory expectations, your firm should maintain a training register that documents:
- the content covered;
- the date of the training; and
- a list of attendees.
Furthermore, the training program itself should cover several key areas, including:
- Current fraud typologies: addressing the latest methods of fraudulent activity;
- Specific red flags: identifying the warning signs for share sale fraud; and
- Internal procedures: establishing clear steps for escalating suspicious matters.
Conclusion
ASIC’s updated guidance in INFO 237 signals a critical shift in regulatory expectations, responding to a sevenfold increase in sophisticated share sale fraud. AFS licensees are now expected to move beyond basic compliance and implement comprehensive, end-to-end fraud prevention systems that integrate robust onboarding, continuous monitoring, and real-time intervention.
Navigating these enhanced obligations requires a proactive review of your existing compliance framework to ensure it is operationally effective. For an independent review of your firm’s onboarding and anti-fraud controls under INFO 237, contact our AFSL compliance framework lawyers at AFSL House today to strengthen your regulatory defensibility.
Frequently Asked Questions
Share sale fraud is the fraudulent activity of a person impersonating a legitimate investor to sell or transfer shares they do not own. This is typically achieved through identity theft, where a fraudster either opens a new trading account with stolen documents or compromises an existing client’s account to divert the proceeds of a sale.
ASIC updated its guidance in response to a sevenfold increase in reports of share sale fraud from market intermediaries over the last four years. This significant spike in fraudulent activity has led to devastating financial and emotional harm for victims, prompting an industry review and the release of updated best practices to combat the growing threat.
Your core legal obligations are established under two key pieces of legislation. Under section 912A of the Corporations Act 2001 (Cth), you must ensure financial services are provided “efficiently, honestly and fairly” and maintain “adequate risk management systems.” Additionally, under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), you have obligations to conduct client identification (KYC), perform ongoing due diligence, and report suspicious matters to AUSTRAC.
The most critical control for share brokers is verifying a client’s details against the relevant share registry’s records. You are expected to check for any recent changes to a client’s address, email, or other contact details held by the registry. If the information does not match the identification provided or has been recently changed, you must have a manual “stop” trigger to halt the onboarding process until enhanced verification is completed.
You must conduct further due diligence when a client requests to change their bank account or other personal details. Relying on instructions sent by email alone is considered inadequate. To mitigate the risk of an account takeover, you should use additional verification methods, such as a call-back to a pre-verified phone number, to confirm the legitimacy of the request.
ASIC considers white-labelling arrangements a heightened risk area for share sale fraud, as you may lack direct visibility into your intermediary’s due diligence practices. You are strongly encouraged to conduct regular reviews, at least every 12 months, of your intermediary clients’ onboarding and fraud prevention practices to ensure they meet the required standards.
Under section 41 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), you must submit an SMR to AUSTRAC if you form a reasonable suspicion that a person is attempting to commit share sale fraud. The report must be submitted within three business days of forming the suspicion, or within 24 hours if the suspicion relates to terrorism financing.
ASIC expects AFS licensees to provide formal AML/CTF and fraud training to all relevant staff at least every 12 months. This training must cover current fraud typologies, specific red flags for share sale fraud, and internal escalation procedures. Informal “on-the-job learning” is not considered an adequate substitute, and you should maintain a training register to document the content covered and who attended.
ASIC will primarily test the operational effectiveness of your controls, rather than just reviewing your written policies. In the event of an investigation, the key question will be whether your systems and processes actually operated to prevent the fraud and protect the client, thereby demonstrating that you have adequate risk management systems in practice.