In the old days, keeping clients' data secure was pretty easy. It just required a lock and key. Now, with external service providers, remote access, and web-based products, keeping clients' personally identifiable information private is more complicated.
At the same time, with cyber breaches occurring on a regular basis (think Equifax, Yahoo, Marriott, and even Redtail), the risk to your client data is increasing.
But it's not just theft of data that we're talking about. There's also the question of how all that personal and financial data is handled by the companies we hire to service and manage client accounts. Are they taking that information, sharing it with other companies, or profiting off it in some way other than the service we are paying them for? If so, how?
As advisors, it is our job to be concerned about the policies, procedures, and culture of every person and entity having access to client data. In fact, isn't it part of our fiduciary duty?
It isn't just my opinion that this is an important issue. The SEC is also becoming more aggressive in enforcing cybersecurity measures by advisors. In an April 2015 Investment Management Guidance Update, the SEC stated, "because funds and advisers rely on a number of service providers in carrying out their operations, funds and advisers may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers."
In this article, I will discuss the issues that advisors face around client data privacy, offer some due-diligence tips, and provide some thoughts on how communicating with your clients about this issue can help differentiate your business.
How Private Is Your Client Data?
A recent New York Times series on privacy noted that "platforms are under no obligation to protect user privacy. They are free to directly monetize the information they gather by selling it to the highest bidder."
Data privacy is described in companies' privacy policies. Yet, how many of us actually read them?
Let's look at a few examples in our industry.
Other companies let you know they may share aggregated and anonymized client information with outside companies.
"Envestnet collects information about you … and may include information included on your Client Profile and related forms—such as name, address, Social Security number, date of birth, assets and income—along with "personal information about your account activity, including your transactions, balances, positions and history."
Although the policy states that "We do not sell personally identifiable information … to third parties," it affirms that Envestnet Tamarac "may share customer information with Envestnet corporate affiliates … [and] may disclose some or all of the information we collect about our customers and former customers … to nonaffiliated businesses. In addition, we may develop, use, distribute and publish information and statistics derived from your data and the content that you contribute for use on a masked, aggregate basis."
"For financial professionals utilizing our technology platform, Envestnet may make available your business contact information and information regarding the use of their investment strategies to third-party investment managers and exchange-traded funds, mutual funds, and similar investment vehicles."
That may seem like a strong statement. But then eight paragraphs later, it discloses that "Riskalyze may also collect user information on an aggregate or anonymous basis, which shall not personally identify you, and disclose the aggregate or anonymous data to prospective partners or other outside parties for their use."
"As a general rule, Morningstar will not make any personal Authorized User or Client information gathered using Morningstar Direct available to anyone outside of Morningstar and its affiliates—except as instructed by You, the Licensee (if any) or where required to comply with law. Please note, however, that there are several exceptions to this rule. First, if we use service providers, these service providers may have access to Authorized User and/or Client personal information to perform contractually specified services on behalf of Morningstar and/or You. Second, if You indicate that You are interested in receiving information about a particular third party's products/services, or You opt to receive certain products or services through Morningstar (including Third Party Data), we may provide Authorized User personal information to that third party for purposes of fulfilling your request(s). With respect to any service provider, Morningstar contractually requires that all personal Authorized User or Client information be kept confidential."
Where Do You Draw the Line?
Back to my earlier questions. Is your client data private? Does it matter to you? To your clients? If a vendor experiences a data breach or releases (or sells) private client information, would your clients come to you about your decision to do business with that provider? Would you have liability?
Is sharing information with affiliated companies for marketing purposes OK with you and your clients? How about for joint marketing with other financial companies? Is it OK for your service provider to distribute or sell "aggregated data?"
At what point do you need to disclose these policies to your clients? Should you get their permission for anything other than strict confidentiality?
In my firm, we have created "black and white" policies about what we consider to be permissible use of our clients' data. The line stops at sharing information with their own corporate affiliates for marketing purposes. Anything beyond that is a no-go for us.
Due Diligence
The only way to protect yourself and your clients is to do due diligence on all service providers, including custodians, software, and back-office providers.
I suggest a checklist like this, which I created with the assistance of Joe Daigle, an industry consultant with whom I have worked in the past. (You can find a downloadable version of the checklist here.)
If the answer to any of these questions is unsatisfactory, ask for an explanation—and then carefully evaluate whether or not you want to work with this vendor.
Talk to Your Clients
Clients are hearing about—and even experiencing—the perils of cybercrime, data breaches, and invasions of privacy. One thing is universally true: They are all concerned.
Telling your clients how you protect their data is not only important, it can help build trust and enhance your client relationships—and there's a good chance it will differentiate your firm from others who aren't raising this issue.
Explain to your clients the steps you are taking to protect their data—and be honest about the limitations of your ability to shield them from issues at outside firms. Walk them through your guidelines and thought process, especially if you are working with companies that say they may share client information.
They will sleep better at night knowing that their advisor is taking all the steps possible to keep their data safe—within your office, with custodians, and with vendors. And you'll be doing a better job looking out for your clients.
The opinions expressed here are the author’s. Morningstar values diversity of thought and publishes a broad range of viewpoints.