“Take a Letter” Isn’t What It Used to Be

Dictation and transcription services have been a valuable business tool for many years. These services continue to be important—and they need to be flexible, accessible and fast.

There is a wide array of service providers to choose from, but how you choose is as important as whom you choose. With the advent of big data and the corresponding wave of complex legislation—HIPAA, GLBA, Sarbanes-Oxley, Dodd-Frank, etc.—sanctions for noncompliance can be onerous. Some providers are sophisticated when it comes to security, some less so. You can’t afford to use a provider that cannot clearly demonstrate its understanding and use of data security protocols.

Here are some important considerations:

  • Employee background checks. Are they thorough, including Social Security number verification and address history, as a requirement for employment? Can transcriptionists access data about the client, or is client data kept separately?
  • Remote facilities. Are the equipment and facilities under the provider’s direct control? Is work being processed in the U.S. or overseas where U.S. laws don’t apply? Does the company use home-based transcriptionists?
  • Downstream vendors. Is work processed under sole control of the transcription company or is the vendor outsourcing?
  • Shared environments. Are the equipment and facilities shared across multiple purposes or companies? Shared environments include a home-based transcriptionist using a personal laptop or a dictation company sharing server space with other companies.

DIY Tools
Dictation and transcription services were traditionally handled by support personnel and are still often viewed as simple, low-level functions. Financial professionals may “hire” their own personal technologies—tablets, smart phones, cloud applications—to do this work, but this is risky.

Siri and Android’s speech-to-text functions are considered safe, native applications, with data being processed only on the phone. In addition to risk of loss of the device itself, the trouble is the trustworthiness of the application coupled with complex data use agreements that are often dismissed with a touch of the “I accept” button. Rather than holding the content on the device, many speech-to-text applications retain and process the data. Out of your hands and untraceable, the data may be transferred, copied and even sold, creating serious reputational and compliance risks.

Voice-to-text software is not always efficient. It’s highly interpretive and cannot be relied upon for accuracy. It often requires a good bit of editing. Furthermore, licenses for voice-to-text software often require consent to expansive privacy policies, which may not be compliant.

Financial services companies must identify better alternatives that satisfy these criteria:

  • Available 24/7
  • Accessible from anywhere
  • Easy to use—as easy as or better than one’s personal technology
  • Able to understand and interpret industry jargon

If a service fails to meet the bar for ease of use, busy workers juggling multiple projects, deadlines and travel schedules will simply revert to their own equipment (“I’ll just store it in my iPhone for now”). This leaves the information without backup, encryption or other safety measures, creating risks of compliance issues, hefty fines, reputational damage and other problems.

Finding the Right Provider
A few key questions that can help you identify the best vendor are:

  • Does the provider have a solid understanding of the risk and regulatory environment in which you operate?
  • Is there a culture of security within the organization?
  • Are employees screened carefully?
  • Are standard protocols for safeguarding data being followed?

Remember, risk can never be entirely eliminated, but the right provider can make a world of difference.

Maree Moscati
CEO, Copytalk


The New SAS 70

Editor’s Note: The following information was taken from the AICPA website and applies only to Certified Public Accountants.

The American Institute of Certified Public Accountants (AICPA) has long set the standard with Statement on Auditing Standards No. 70, known to many simply as SAS 70. The auditing standard became the global framework for reporting on controls at service organizations. Now, per the AICPA website (www.aicpa.org), SAS 70 is nearing the end of its lifespan after approximately 19 years of service.

Statement on Standards for Attestation Engagements (SSAE) No. 16, known as SSAE 16, has been put forth as the new standard by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Here are some of the key differences:

  • The SSAE 16, unlike SAS 70, is an “attest” standard, falling under the attestation framework, and not that of the “auditing” framework.
  • The SSAE 16 requires a description of the “system”. The SSAE 16 standard (published in 2010) provides details and illustrations of subject matter that should be included as part of the description of the “system”.
  • SSAE 16 standard requires a written “assertion” by management.

These changes may improve the standards in a couple of ways. First, they may make certification cheaper, as it is an assertion model. Second, because management attests to the system, management will be more liable for any misinformation.

When speaking to your vendors, find out if and when they will be updating to the SSAE 16.

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.


How Are You Assessing Client Risk Tolerance?

In January, the Financial Services Authority, the regulatory authority for the financial services industry in the United Kingdom, released guidance on assessing suitability or risk tolerance for a client. The document is fairly lengthy and good reading—and, it begs the question: Will the United States follow?

I do not know, but I am sure the U.S. is looking at the U.K. model. Irrespective, I feel every adviser should have some internal, consistent methodology to assess risk. I feel creating a questionnaire and scoring model is the best way to do that. Additionally, a summary of your findings should be displayed in the Investment Policy Statement.

For those who do not want to build their own questionnaires and scoring models, there are many third-party solutions. One such solution is FinaMetrica. They perform a fairly detailed process to determine a client’s risk tolerance. They do not recommend any type of allocation; that is the responsibility of the adviser.

Other tools I have seen that perform similar functions include ones from Morningstar and Envestnet. Of course, you can build one yourself in Excel.

In all cases, you should have a standard process and review the risk tolerance at least annually. (For a copy of the FSA document, please e-mail me.)

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.

Editor’s Note: What risk assessment tool or process do you use? Share your experience with your colleagues through the comments function of this blog.


A Policy Manual for Data Security

I recently got a mortgage and it was surprising how much information a total stranger was asking for—and I had to give them this information. I, of course, checked out the firm with various associations to ensure it was legitimate. But through this experience I realized how clients must feel about advisers having so much personal information on their family. Additionally, clients assume that an adviser will keep that information perfectly secure. With this level of expectation, documentation will go a long way toward managing security. Much like other policies and procedures manuals and checklists, security should follow the same pattern. Unfortunately, there is no single format that works for all firms, but here are some items to consider when creating such a document.

  • Risk analysis
  • Staff member roles
  • Physical security
  • Electronic communication (email/smartphones)
  • Blogs and personal websites
  • Facility design, construction and operations
  • Media and documentation
  • Data and software security
  • Network security
  • Internet and IT contingency planning
  • Outsourced services
  • Employee termination procedures (IDs, passwords, expense accounts, remote access, etc.)
  • Incident reporting procedures
  • Access control guidelines
  • Security compliance checklists

It seems like a lot, but addressing each one of these items will help in building a manual that will grow over time. Additionally, sharing this level of information with clients about how you are keeping their information safe can differentiate your practice.

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.


The Conundrum of Compliant Employee Trading

I have written about this subject a few times only because it is a hard subject to manage. I ran into a couple of interesting situations that may be compliance headaches without a good solution, but may be good candidates for addition to your Code of Ethics.

In one scenario, the firm invested client assets in various money managers. Each account was separate so access to individual security information was easily attainable. Some employees were mimicking the money manager’s portfolio in their own accounts. You would think this is illegal, but as far as I know it is not. Since the employee trades are being executed after the client, employees are not front-running the client. As a compliance officer it is very hard to discover this scenario and I am not sure it is worth it. It may be worth putting in your Code of Ethics that employees may not use any information attained in a portfolio, including position information, for personal gain.

In another scenario, an adviser was utilizing position level information from mutual fund companies to manage client portfolios and his personal portfolio. Typically, mutual fund companies do not report their top holdings until three to six months after the fact. As a fiduciary, this is a long time to keep the portfolio on hold before making a decision, and could lead to heavy losses. A compliance officer should ensure that all advisers have their methodology for portfolio management clear, and perform periodic tests.

Employee trading is a tough subject because it requires a clear and concise method of gathering data and managing data. There will always be instances of “gray,” like in the above examples, but continuously trying to understand how employees perform their function is a great way to catch gaps.

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.


Dealing with Compliance Demands with Reform in the Air

With regulatory reform underway, a lot of focus is on what the future holds from a regulatory/compliance standpoint. But compliance needs don’t disappear during this transition and advisers have many demands on their time—so implementing an effective compliance process now will pay dividends in the long run.

Today—the first day of FPA Denver 2010 (the annual conference for the financial planning profession)—FPA released the third report in the FPA-ActiFi Adviser Technology Series, which focuses on compliance solutions. The report offers suggestions and questions that will help you assess and enhance your compliance systems for each of your needs. It also reviews compliance technology vendors who address practice management activities and workflows, and provides suggestions and questions to ask about the rest of your compliance needs and where other tools and solutions may fit.

As a starting point, ask yourself these questions:

1. Is my practice operating compliantly or are there gaps? If I’m not sure, do I need someone to help me make sure?
2. What opportunities do I have to bring a compliance need together with everything else I do, such as prospecting or service processes?
3. Do people in my office who perform each process understand their roles and responsibilities?
4. Do my systems enable me to respond to an audit or other compliance situation?
5. Are we performing a process effectively and efficiently?
6. When I step back and look, do my people, processes and tools make sense for how I can best operate?

Then go to www.FPAnet.org/AdviserTechnologySeries and download the compliance report. Be sure to check out the section on maximizing your benefits to pinpoint ideas you can implement to help you achieve your business goals.

Rebecca King
Manager, FPA Research Center
Financial Planning Association
Denver, Colo.


Advisers’ Role With New IRS Regulations to Report Supplemental Information

The Emergency Economic Stabilization Act of 2008 contains new requirements for brokerage firms and mutual fund companies regarding customer statements and Internal Revenue Service reporting. Traditionally, firms provide information on gains and losses as supplemental information to investors on the 1099-B, but did not report this supplemental information to the IRS. Under the new regulations, custodians will be required to report adjusted cost basis as well as gross proceeds to the IRS, and whether the holding period of the disposed security was short-term or long-term.

What does this mean for the average adviser? Hopefully not much, but I do feel there are many unanswered questions operationally. This will certainly increase your customer-service burden during tax season:

Account Transfers – These have always been difficult, but now, as a client transitions his or her account, you may need to get involved in transferring cost basis and making sure it is done correctly. The consequence of not doing this is that you will scramble at the end of the year trying to get the information, or at minimum, the custodian will be asking you to get the information.

Corporate Actions – These are another mess. Sure, the custodians are able to keep up with splits, but who is going to figure out the mess that happened with GM?

Accountant/Client/Custodian – Who is responsible for cost basis information? The accountant will tell you the client, the client will depend on the custodian, but can the custodian take complete responsibility? I do not think so. They will probably need to rely on information from the client.

Correcting Statements – This is the biggest issue I see. Since this information will be “officially” reported to the IRS, it will probably be a good idea to scan through your clients’ cost basis information before year end. I have never had a good time trying to get these forms corrected once the reports are issued. The time you spend on helping the client get this information corrected will surely be much greater than the time spent scanning through the information.

Overall the rule is a good one to keep everyone honest, but in my opinion there are many operational questions that will need to be resolved over time.

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.
