In the wake of a recent high-profile fine based on gaps in confidential CRM-based client data, there’s been a resurgence in chatter among independent broker-dealer firms on whether it’s prudent to have “do-it-yourself” (DIY)-friendly policies for financial advisors who want to choose their own third-party tech solutions.
Much of this conversation will prove moot, unless independent firms substantially reduce the human error and lack of control that emerges from the DIY tech model. Otherwise, the risks of DIY becoming DOA will escalate across the industry.
First, some more context: Towards the end of last year, the state of Massachusetts fined Summit Equities $100,000 over gaps in due diligence. Summit allowed advisors to select their own CRM, with a number of advisors who chose Redtail deciding to store sensitive client data on the platform without the broker-dealer’s oversight.
Unfortunately, this approach enabled advisors to continue to access sensitive client data on the Redtail platform even after ending their affiliation with Summit, despite the broker-dealer’s policy of removing such client data from the devices of exiting advisors—which did not extend to third-party software.
This isn’t really about the CRM system so much as it is about Massachusetts regulators taking a tougher stance than Summit expected. The case also raises difficult questions about how firms can build better risk controls within budget that meet regulatory standards, while satisfying the technology needs of DIY independent advisors.
Indeed, the case echoes broader cybersecurity issues captured by the Facebook-Cambridge Analytica scandal and GDPR regulations imposed in Europe. CEO Mark Zuckerberg ultimately apologized last March for Facebook sharing sensitive data with Cambridge Analytica without the consent of millions of users. And since the General Data Protection Regulation took effect in the European Union in May, regulators in Austria, Germany, France and Portugal have penalized businesses for mishandling personal data.
Three Cardinal Rules For ‘DIY’ Advisors
Given this backdrop, here are three cardinal rules for independent broker-dealer firms that allow advisors to choose their own devices and software:
1. Monitor all activity involving sensitive data in use by representatives of the firm.
Whenever employees, advisors or workers at third-party vendors access confidential data on firm-related individuals or the firm itself, the firm ought to track activity regarding that data and prevent misuse of that information. This includes personally identifiable data such as names, birthdays, addresses, phone numbers, driver’s licenses and passports, Social Security numbers, website logins and passwords, as well as account information about financial and medical institutions.
Firms should keep all such information secured on cloud-based computer systems, know in real-time when anyone accesses this information on their systems, which individuals access the information, which software and devices they are using to do so and where the devices are located during those sessions. Furthermore, if inappropriate activity is detected—like from an unknown user or an unapproved device—the firm should be able to end that session remotely.
2. Don’t assume regulators recognize advisor “ownership” of client data.
In the independent broker-dealer space, it has been customary to view the advisor as owning client data. But as the recent Massachusetts fine against Summit makes clear, that’s no longer a certainty insofar as regulators are concerned.
Whether they like it or not, independent broker-dealer and RIA firms should be prepared to take a harder stance with exiting advisors over sensitive client data, by blocking access to any confidential information left on the firm’s system past the advisor’s date of departure.
When anyone materially linked to the firm exits, their access to any confidential information that regulators deem within the purview of the firm also should end. With DIY advisors using their own software and hardware, the firm still has to determine which data it has regulatory responsibility for protecting.
3. Keep clear records for the regulators. It’s one thing to track and restrict access to confidential data, and an entirely different thing to document those efforts in a meaningful way for regulators.
Firms should keep detailed and clear audit logs of activity on their systems. If data breaches occur, the firm also should document remediation steps that decision-makers take to prevent future lapses.
This way, if an SEC or FINRA audit occurs, examiners will have comfort that the firm followed its own compliance guidelines in addition to regulations on data safety. It may save the firm from costly fines, reputational damage and legal entanglements.
Adhering to these three cardinal rules with DIY advisors might require firms to revamp their data oversight by automating much of the process with a single cybersecurity solution that is comprehensive, and seamlessly integrates data protections for home office and third-party platforms.
As long as DIY-minded independent financial advisors can select their own software and hardware—and there are many sound reasons for allowing them to do so—independent broker-dealer and RIA firms can leave precious little to chance.
Sid Yenamandra is the co-founder and CEO of Entreda, the leading provider of comprehensive cybersecurity solutions for independent retail financial advice firms and their affiliated advisors.