Hello. My name is Ash Bhatnagar, CFP®, and I’m president of RIA Independence Company in Princeton, N.J.—happy to be posting my first contribution on FPA’s Practice Management Center blog. I volunteer as an expert on the Practice Management Center, covering issues related to technology and compliance, as my company handles these and other issues for financial advisers around the country.
When it comes to client privacy, advisers are held to a very high standard, mainly because they hold a tremendous amount of information on each client. The privacy regulations themselves are reasonable; what has become overwhelming, now that client data moves across the Internet and into third-party systems, is the scope of what the adviser is answerable for. For instance, a technology vendor that services an adviser would typically not need to register with any regulatory body, so a regulation like Reg S-P would not apply to the vendor directly. Yet that vendor holds enormous amounts of client data, the risk is correspondingly greater, and the adviser is held responsible for the vendor.
The Massachusetts rule on client privacy makes everyone who holds client data responsible, the adviser and the adviser's vendors alike. This is great news for the independent adviser, because the vendor now carries its own obligation rather than hiding behind the adviser's. The regulation also gives far more concrete direction than most regulations do. [Even if you are not an adviser in MA, similar rules are being considered in other states, so this is a good chance to prepare for what's ahead!]
Starting with the basics:
1. Ensure the security and confidentiality of information in a manner consistent with industry standards.
Unfortunately there is no single security standard for the financial industry. Obviously the independent adviser cannot be compared to a wirehouse, but there are a lot of tools in the industry to help the independent. Every office is different, so there are no standard solutions. Additionally, security is more about process control than about security products. (See my article on Data Security in the upcoming November/December issue of Practice Management Solutions magazine.) Your tech person can help with the technical part of security, but the business owner should be responsible for controlling the internal process: who may see which records, from which machines, and what happens when someone leaves. Plan out that process before talking to your tech person; otherwise you will spend double the budget.
2. Protect against anticipated threats or hazards to the security or integrity of such information.
Unless you are spending most of your time reading tech journals, leave this to your tech person. Make certain you are on the update lists for all your server and security software products, and that the updates are actually applied rather than just received. The majority of this function should have been managed in step 1.
3. Protect against unauthorized access to or use of such information.
Controlling a person's access when inside the office is easy, but many firms also have VPN connections into their servers. Ensure you have very clear policies for that connection: who may connect, from which devices, and with what credentials. I am guessing that the regulators are talking about hackers breaking into a system from outside. Independents draw less targeted attention than the big banks, but opportunistic attacks do not sort victims by size, and in practice independents are more likely to have problems internally, such as an employee taking information with them or an adviser losing his or her PDA that does not have a password. Many of these situations can be managed with a good policy and process.
The regulations go on to talk about computer systems. I was very glad to see some guidance as most regulations leave too much to interpretation.
- Secure user authentication protocols, including user IDs, passwords, biometrics, user tokens, etc.
- Block access to a user after multiple unsuccessful login attempts.
- Restrict access to the users who need such information.
- Encrypt all transmitted records and files.
- Encrypt all information stored on laptops or any portable devices.
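The first three items on that list are the ones a small office's tech person can implement directly, and it helps to see what "already implemented" should look like. The following is an added example, not code from the original post or from any product mentioned in it: a small Python user store that hashes passwords with salted PBKDF2, compares them in constant time, locks an account after a fixed number of consecutive failures, and restricts record access by role. The policy numbers (`MAX_FAILED_ATTEMPTS`, `LOCKOUT_SECONDS`, the PBKDF2 work factor) and the `RECORD_ACCESS` role mapping are assumed values chosen for illustration; the user names and passwords in the demo are constructed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy constants (assumed values for this example; tune them to your own policy).
PBKDF2_ITERATIONS = 600_000      # work factor for password hashing
MAX_FAILED_ATTEMPTS = 5          # lock the account on the fifth consecutive failure
LOCKOUT_SECONDS = 15 * 60        # how long the lock lasts

# Which roles may read which kind of record (constructed example mapping).
RECORD_ACCESS = {
    "client_ssn": {"adviser"},
    "client_statement": {"adviser", "assistant"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset
    failed_attempts: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


class UserStore:
    """In-memory user store; a real office would back this with a database."""

    def __init__(self, clock=time.time):
        self._accounts: dict[str, Account] = {}
        self._clock = clock  # injectable so lockout expiry can be tested

    def add_user(self, user_id: str, password: str, roles) -> None:
        salt = os.urandom(16)  # fresh random salt per user
        self._accounts[user_id] = Account(user_id, salt, hash_password(password, salt), frozenset(roles))

    def authenticate(self, user_id: str, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        acct = self._accounts.get(user_id)
        now = self._clock()
        if acct is None:
            # Hash anyway so an unknown user ID takes as long as a bad password.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            return "locked"          # no attempt counted, no hint about the password
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"

    def can_access(self, user_id: str, record_type: str) -> bool:
        """Least privilege: unknown users and unknown record types are denied."""
        acct = self._accounts.get(user_id)
        if acct is None:
            return False
        return bool(acct.roles & RECORD_ACCESS.get(record_type, set()))


if __name__ == "__main__":
    store = UserStore()
    store.add_user("adviser1", "correct horse battery staple", roles={"adviser"})
    store.add_user("assistant1", "another long passphrase", roles={"assistant"})
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print("wrong password ->", store.authenticate("adviser1", "guess%d" % attempt))
    print("right password while locked ->", store.authenticate("adviser1", "correct horse battery staple"))
    print("assistant reads SSN ->", store.can_access("assistant1", "client_ssn"))
    print("assistant reads statement ->", store.can_access("assistant1", "client_statement"))
```

Two design points worth noticing: a locked account returns the same answer whether the password was right or wrong, so the lock cannot be used to test guesses, and an unknown user ID still pays the hashing cost, so response time does not reveal which user IDs exist. The role table is deny-by-default, which is the practical form of "restrict access to the users who need such information."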
The first three should already be implemented. The last two need more clarification. Encrypting files that leave your firm is great in theory, but implementing the process is a very large project. Whatever scheme you pick, the recipient needs two things: software that can decrypt, and the right key (a shared secret if the encryption is symmetric, or the recipient's own private key if it is public-key encryption). Either way you end up distributing software and managing keys for everyone who receives records and files, including clients. I cannot see clients going through this process.
Therefore advisers need to be careful about what they send over the Internet in the clear. For instance, an adviser wanted his clients to send scanned copies of their driver's licenses for Anti-Money Laundering purposes over the Internet (ordinary e-mail, in effect). This scenario is perfect for the hackers: an unencrypted message can be read at every hop along the way, and automated tools harvest exactly this type of document. Always have a second look at your request before asking for any information. Ask yourself, "Can hackers get to this information?" As I mentioned, encryption is a great idea, but I cannot see clients going through the above process without a lot of hand holding. What is reasonable is to ask your vendors to provide a secure process, for example an encrypted upload portal the client reaches with a normal web browser, so that the key handling happens on the vendor's side rather than the client's.
Ash Bhatnagar, CFP®
RIA Independence Co.