2023-08-10
The Norwegian Financial Supervisory Authority issued Circular 2/2023 to real estate agencies and lawyer-mediators, establishing minimum requirements for the secure handling of client funds. The regulation mandates specific internal controls, including two-factor authentication for system access, dual signatures for client account transactions, and strict administrative oversight by the responsible professional. It further requires formal settlement competence for personnel with access, automated transaction limits, and rigorous verification procedures for payment files to mitigate risks such as fraud and unauthorized withdrawals.
FINANSTILSYNET
Postboks 1187 Sentrum, 0107 Oslo

Circular: Measures Related to Client Accounts

CIRCULAR: 2/2023
DATE: 10.08.2023
THE CIRCULAR APPLIES TO:
• Real estate agencies
• Lawyers who have provided security to operate real estate agency activities
Measures Related to Client Accounts 2 | Finanstilsynet
1 Introduction

The purpose of the Real Estate Agency Act is to facilitate the trade of real estate through intermediaries in a secure, orderly, and efficient manner.[1] Real estate agencies and lawyers who operate real estate agencies (lawyer-mediators) handle large sums and must ensure that received client funds are stored and processed securely.[2] In real estate agencies, the board is responsible for ensuring that the agency has routines for the secure handling of client funds, and for updating these routines as needed.[3] The agency must systematically assess whether risk management and internal control are sufficient to handle identified risks in a secure manner.[4] The responsible professional is responsible for establishing secure risk management and internal control for client funds according to guidelines set by the board.[5] For the real estate agency activities of lawyers, the lawyer themselves is responsible.

This circular describes what Finanstilsynet considers the minimum requirements for the secure handling of client funds. It supplements Finanstilsynet's Circular 7/2014 on contracts, settlements, and client fund handling in entities operating real estate agencies.
2 Risk

Storage and handling of client funds involve a risk of loss beyond pure settlement errors, including unauthorized withdrawals. The risk may be related to dishonest employees, or to employees being exposed to extortion or to forged instructions for the disposal of client funds from criminals seeking to have client funds improperly disbursed. This can occur, for example, through the use of fake emails, so-called spoofing[6], deepfakes[7], phishing[8], and social engineering such as romance scams.
3 Measures

Real estate agencies must identify and assess the risk of loss of their clients' funds. The risk assessment must include the risks mentioned above.[9] Based on the risk assessment, the real estate agency must establish and follow up on internal control measures that are appropriate and sufficient to handle and reduce identified risks. The requirement for secure real estate transactions implies, in Finanstilsynet's assessment, the following duties for both real estate agencies and lawyer-mediators:

• Two-factor authentication must be used for logging into the agency system to register transactions with client funds.
• Dual signatures must be established for the client account. The use of dual signatures creates security for both the agency/lawyer-mediator and the person conducting the transaction. Dual signatures may be omitted where this is not practically possible, for example if this would cause settlements to halt due to illness or vacation absence, or for lawyer-mediators operating alone.
• The responsible professional/lawyer-mediator must administer, provide online banking access, and grant powers of attorney to dispose of the client account. This access cannot be delegated further. The responsible professional can serve as administrator together with another person in the agency, in such a way that the two jointly can allocate online banking access and grant powers of attorney to dispose of the client account.
• The responsible professional/lawyer-mediator must carefully evaluate who, and how many, have a legitimate need to dispose of the client account. The evaluation must include whether the individual should dispose of funds alone or together with others, or whether access should be limited to approving transactions, and in what ways. The evaluation must be documented. There must be routines for deleting disposal rights and follow-up to ensure this happens.
• Persons who administer or dispose of the client account must have formal settlement competence, meaning personal approval as a real estate agent[10] or lawyer[11], or meeting the requirements to be a real estate agent assistant[12] or settlement assistant[13].
• Where possible, automatic blocks for the disposal of the client account should be established in online banking and the agency system, related to, for example, the size of transactions or the number of transactions to the same account.
• Where real estate agencies and lawyer-mediators use an agency system that generates payment files, the transaction file must be checked for potential manipulation before it is sent to the bank. If the check is performed manually, it should not be the same person who enters transactions and checks the transaction file. The check must be logged.
• Dual signatures must be established for sending payment files to the bank. Dual signatures may be omitted where this is not practically possible, for example if this would cause settlements to halt due to illness or vacation absence, or for lawyer-mediators operating alone.
• The agency system must be configured so that access controls and security blocks for client fund transactions cannot be bypassed. Access control in online banking should be configured so that employees cannot routinely approve/enter individual payments directly in online banking without going through the agency system.

Notes

[1] Cf. Real Estate Agency Act § 1-1
[2] Cf. Real Estate Agency Act §§ 6-3 and 6-9, cf. § 1-1
[3] Cf. Real Estate Agency Act § 3-3
[4] Cf. Regulation on Risk Management and Internal Control § 6
[5] Cf. Real Estate Agency Regulations § 2-8
[6] "Spoofing" is the forgery of a phone number or email address. The recipient is misled into believing that the communication comes from someone other than its actual sender.
[7] "Deepfake" refers to a technology that uses artificial intelligence to produce realistic videos, images, or audio recordings that can give the impression that someone said or did something they actually did not.
[8] "Phishing" involves an attacker trying to deceive the recipient into giving up personal information, such as passwords, credit card numbers, or bank account information.
[9] Cf. Real Estate Agency Regulations § 2-8, cf. Regulation on Risk Management and Internal Control
[10] Cf. Real Estate Agency Act § 4-5 first paragraph
[11] Cf. Real Estate Agency Act § 2-1 first paragraph no. 2
[12] Cf. Real Estate Agency Act § 4-5 second paragraph
[13] Cf. Real Estate Agency Act § 4-4 second paragraph
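As an added illustration that is not part of the circular, the following Python sketch shows the payment-file control the measures above describe: before a file is sent to the bank it is compared with the transactions registered in the agency system, automatic blocks on transaction size and on the number of payments to the same account are applied, a check performed by the person who entered the transactions is refused, and the outcome is logged either way. The ledger, account numbers, user names and thresholds are constructed for this example; the circular itself leaves the concrete limits to each agency.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data: transactions registered in the agency system, with
# the user who entered each one. Account numbers, names and amounts are invented.
LEDGER = [
    {"id": 101, "to": "NO00 1111 2222 333", "amount": 2_450_000, "entered_by": "anne"},
    {"id": 102, "to": "NO00 1111 2222 333", "amount": 120_000, "entered_by": "anne"},
    {"id": 103, "to": "NO00 4444 5555 666", "amount": 380_000, "entered_by": "bjorn"},
]
# Hypothetical automatic blocks; the circular leaves the thresholds to the agency.
MAX_AMOUNT = 3_000_000    # largest single payment allowed in a file
MAX_SAME_ACCOUNT = 2      # most payments to one account in a single file

def build_payment_file(ledger):
    """Serialise the registered transactions into the file sent to the bank."""
    return json.dumps(ledger, sort_keys=True)

def check_payment_file(file_text, ledger, checker, log):
    """Control step before the file goes to the bank. Returns a list of findings;
    an empty list means the file matches the ledger and may be sent."""
    findings = []
    rows = json.loads(file_text)
    registered = {r["id"]: r for r in ledger}
    if len(rows) != len(ledger):
        findings.append("row count differs from the registered transactions")
    for row in rows:
        # Manipulation check: every row must equal what the agency system registered.
        if registered.get(row["id"]) != row:
            findings.append(f"tx {row['id']}: differs from registered transaction")
        # Separation of duties: the checker must not have entered the transaction.
        if row["entered_by"] == checker:
            findings.append(f"tx {row['id']}: entered by the checker ({checker})")
        if row["amount"] > MAX_AMOUNT:
            findings.append(f"tx {row['id']}: amount exceeds block of {MAX_AMOUNT}")
    for account, n in Counter(r["to"] for r in rows).items():
        if n > MAX_SAME_ACCOUNT:
            findings.append(f"{n} payments to {account} exceed block of {MAX_SAME_ACCOUNT}")
    # The check must be logged, whether it passed or not.
    log.append({"time": datetime.now(timezone.utc).isoformat(), "checker": checker,
                "rows": len(rows), "approved": not findings, "findings": findings})
    return findings

if __name__ == "__main__":
    audit_log = []
    payment_file = build_payment_file(LEDGER)
    print("clean file:", check_payment_file(payment_file, LEDGER, "carl", audit_log))
    tampered = payment_file.replace("NO00 4444 5555 666", "NO00 9999 9999 999")
    print("tampered file:", check_payment_file(tampered, LEDGER, "carl", audit_log))
```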
FINANSTILSYNET
Postboks 1187 Sentrum, 0107 Oslo
POST@FINANSTILSYNET.NO
WWW.FINANSTILSYNET.NO