
Practice Wise: Advisors - Client Data Privacy is Your Business

Sheryl Rowling’s new Practice Wise column is available first in Morningstar Office Cloud.

In the old days, keeping clients' data secure was pretty easy. It just required a lock and key. Now, with external service providers, remote access, and web-based products, keeping clients' personally identifiable information private is more complicated.

At the same time, with cyber breaches occurring on a regular basis (think Equifax, Yahoo, Marriott, and even Redtail), the risk to your client data is increasing.

But it's not just theft of data that we're talking about. There's also the question of how all that personal and financial data is handled by the companies we hire to service and manage client accounts. Are they taking that information, sharing it with other companies, or profiting off it in some way other than the service we are paying them for? If so, how?

As advisors, it is our job to be concerned about the policies, procedures, and culture of every person and entity having access to client data. In fact, isn't it part of our fiduciary duty?

It isn't just my opinion that this is an important issue. The SEC is also becoming more aggressive in enforcing cybersecurity measures by advisors. In an April 2015 Investment Management Guidance Update, the SEC stated, "because funds and advisers rely on a number of service providers in carrying out their operations, funds and advisers may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers."

In this article, I will discuss the issues that advisors face around client data privacy, offer some due-diligence tips, and provide some thoughts on how communicating with your clients about this issue can help differentiate your business.

How Private Is Your Client Data?

A recent New York Times series on privacy noted that "platforms are under no obligation to protect user privacy. They are free to directly monetize the information they gather by selling it to the highest bidder."

Data privacy is described in companies' privacy policies. Yet, how many of us actually read them?

Let's look at a few examples in our industry.

The privacy policy for Junxure (part of AdvisorEngine) says, "We do not sell, rent, or otherwise share your personal information with any third parties except to persons assessing our compliance with industry standards; our attorneys, accountants, and auditors; and as permitted or required by law." It does provide for sharing within its "corporate family" for marketing purposes. However, "if you are located in a jurisdiction where such sharing requires your permission, we will only do so with your consent."

Straightforward enough.

Other companies let you know they may share aggregated and anonymized client information with outside companies.

eMoney's privacy policy allows for a certain amount of sharing of information that has been rendered anonymous. "Except as described in this Policy, eMoney will not give, sell, rent or loan any personally identifiable information to any third party. … Personally identifiable information does not include 'Usage Data' which we define as encoded or anonymized information or aggregated data (such as IP addresses) we collect about a group or category of services, features or users, which does not contain personally identifiable information. … We may share Usage Data with third parties, including our customers, partners and service providers, for various purposes, including to help us better understand our customers' needs and improve the Site as well as for advertising and marketing purposes."

Then there is Envestnet Tamarac, which will not only share aggregated data with outside companies but will also share your contact information. As I outlined in a previous column, its privacy policy is one reason we have stopped doing business with Envestnet Tamarac.

"Envestnet collects information about you … and may include information included on your Client Profile and related forms—such as name, address, Social Security number, date of birth, assets and income—along with 'personal information about your account activity, including your transactions, balances, positions and history.'"

Although the policy states that "We do not sell personally identifiable information … to third parties," it affirms that Envestnet Tamarac "may share customer information with Envestnet corporate affiliates … [and] may disclose some or all of the information we collect about our customers and former customers … to nonaffiliated businesses. In addition, we may develop, use, distribute and publish information and statistics derived from your data and the content that you contribute for use on a masked, aggregate basis."

"For financial professionals utilizing our technology platform, Envestnet may make available your business contact information and information regarding the use of their investment strategies to third-party investment managers and exchange-traded funds, mutual funds, and similar investment vehicles."

It's important to read all the way through the policies. At the top of Riskalyze's privacy policy, it states that "the most important part of this Privacy Policy is the simple principle that your data belongs to you. You are not transferring the ownership of data about you or your clients by storing it in Riskalyze. Your clients are your clients, and the data that you store in Riskalyze belongs to you."

That may seem like a strong statement. But then eight paragraphs later, it discloses that "Riskalyze may also collect user information on an aggregate or anonymous basis, which shall not personally identify you, and disclose the aggregate or anonymous data to prospective partners or other outside parties for their use."

Orion's privacy policy presents its practices in an easy-to-understand format (shown as images in the original column).

For the record, here's the privacy policy for Morningstar Office:

"As a general rule, Morningstar will not make any personal Authorized User or Client information gathered using Morningstar Direct available to anyone outside of Morningstar and its affiliates—except as instructed by You, the Licensee (if any) or where required to comply with law. Please note, however, that there are several exceptions to this rule. First, if we use service providers, these service providers may have access to Authorized User and/or Client personal information to perform contractually specified services on behalf of Morningstar and/or You. Second, if You indicate that You are interested in receiving information about a particular third party's products/services, or You opt to receive certain products or services through Morningstar (including Third Party Data), we may provide Authorized User personal information to that third party for purposes of fulfilling your request(s). With respect to any service provider, Morningstar contractually requires that all personal Authorized User or Client information be kept confidential."

Where Do You Draw the Line?

Back to my earlier questions. Is your client data private? Does it matter to you? To your clients? If a vendor experiences a data breach or releases (or sells) private client information, would your clients come to you about your decision to do business with that provider? Would you have liability?

Is sharing information with affiliated companies for marketing purposes OK with you and your clients? How about for joint marketing with other financial companies? Is it OK for your service provider to distribute or sell "aggregated data?"

At what point do you need to disclose these policies to your clients? Should you get their permission for anything other than strict confidentiality?

In my firm, we have created "black and white" policies about what we consider to be permissible use of our clients' data. The line stops at sharing information with their own corporate affiliates for marketing purposes. Anything beyond that is a no-go for us.

Due Diligence

The only way to protect yourself and your clients is to do due diligence on all service providers, including custodians, software, and back-office providers.

I suggest a checklist like this, which I created with the assistance of Joe Daigle, an industry consultant with whom I have worked in the past. (You can find a downloadable version of the checklist here.)

If the answer to any of these questions is unsatisfactory, ask for an explanation—and then carefully evaluate whether or not you want to work with this vendor.

Talk to Your Clients

Clients are hearing about—and even experiencing—the perils of cybercrime, data breaches, and invasions of privacy. One thing is universally true: They are all concerned.

Telling your clients how you protect their data is not only important, it can help build trust and enhance your client relationships—and there's a good chance it will differentiate your firm from others who aren't raising this issue.

Explain to your clients the steps you are taking to protect their data—and be honest about the limitations of your ability to shield them from issues at outside firms. Walk them through your guidelines and thought process, especially if you are working with companies that say they may share client information.

They will sleep better at night knowing that their advisor is taking all the steps possible to keep their data safe—within your office, with custodians, and with vendors. And you'll be doing a better job looking out for your clients.

The opinions expressed here are the author’s. Morningstar values diversity of thought and publishes a broad range of viewpoints.
