New York Planners: Time Is Running Out for Your Firm to Qualify for The NYDFS Cybersecurity Regulation Limited Exemption

Under the new NYDFS cybersecurity regulation (23 NYCRR Part 500), any individual operating with a license, registration, or similar authorization under New York banking, insurance or financial services law is required to assess their security risk profile, design a cybersecurity program that addresses those risks, and file an annual certification confirming that they are in compliance with the regulation.

September 27, 2017 is the deadline for filing your Notice of Exemption, and failing to file on time will cost your firm thousands if it would have qualified for the Limited Exemption.

You may qualify for a limited exemption if you meet any one of the following (the following information is from the New York Department of Financial Services and is available here):

Section 500.19 (a)(1): Have fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity

Section 500.19 (a)(2): Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates

Section 500.19 (a)(3): Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted principles, including assets of all Affiliates

Section 500.19 (b): An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity

Section 500.19 (c): A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of this Part

Section 500.19 (d): A Covered Entity under Article 70 of the Insurance Law that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part

To file for an exemption: log into the NYDFS Portal and file. Save the confirmation email you receive after filing as evidence.

Key Dates Under New York’s Cybersecurity Regulation (23 NYCRR Part 500)

Here are other important dates to know when it comes to the new regulation (the following information is from the New York Department of Financial Services and is available here):

  • March 1, 2017: 23 NYCRR Part 500 becomes effective.
  • August 28, 2017: 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
  • September 27, 2017: Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
  • February 15, 2018: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018: One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018: Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019: Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

If you need assistance filing for an exemption, Financial Computer is providing complimentary assistance for FPA members. Click here to schedule some time with one of our cybersecurity experts.

Brian Edelman is a cybersecurity expert and the CEO of Financial Computer, Inc., a company that provides cybersecurity, integrations and IT support to the financial services community.


4 Elements of Social Media Guidelines

If you’re not using social media to promote your firm and content, consider this: 22 percent of the world’s population uses Facebook (not to mention 79 percent of Americans), and nearly 1 in 3 internet users with a college degree are on Twitter.

When financial advisers use social media well, it can boost their overall marketing strategy considerably. When they don’t, it can be an expensive, potentially career-ending disaster.

But don’t let that scare you. Just establish firm rules of engagement in these areas before posting anything.

1. Compliance

Watch out for these potential red flags:

Promissory language: Don’t promise success and don’t say you can get any better results than anyone else.

Testimonials: This one’s also kind of obvious, but it has some finer points. The SEC’s guidelines lay it all out, but it basically boils down to this: keep testimonials off your Facebook, Twitter, LinkedIn or other self-run social media sites, even if clients post them themselves. Reviews from other people on sites like Yelp, Google Reviews or Angie’s List are OK.

Out-of-context numbers: I made a good number of mistakes in this area when I first entered the financial world because I assumed anything that was acceptable in a blog post was acceptable on social media.

After a few panicked phone calls from clients, I learned this lesson: don’t post any market statistics. They can easily be taken out of context and viewed by someone as promissory.

2. Approval Process

Giving anyone (including yourself) total freedom to post anything on your social media accounts whenever they want is not a great idea. You’ll want to implement an approval process.

At Mineral, we developed a social post template that makes it easy to share social post ideas with your team and track the approval process. (I set up a “View Only” version of our sheet that you can check out for yourself. If you want your own, in the File menu, just click “Make a Copy.” We also have an Excel version.)

But a social post template alone won’t solve all your approval problems. You’ll need an approval workflow that takes your posts from creation to publication.

Here’s ours:

Creating posts should fall to your creative team (if you don’t have one, a more creative or social media-savvy team member will do). But final approval should be reserved for the people who will ultimately be held responsible if a bad post goes up.

Jud and Kim (our CEO and president, respectively) reserve the right to final approval. It’s their necks (and business) on the line.

Don’t have the time or interest to approve every piece of content that goes out the door? That’s okay, just understand that you’re basically handing over the reins of your firm’s public image, so you need a professional you can trust.

3. Personal Profiles

During a speech by Trump in early March, Dan Grilo, a principal at Liberty Advisor Group, posted something stupid about the wife of a fallen soldier and landed himself in some very hot water.

He posted from his own personal account, but people still began associating Liberty with Grilo’s tweet. In the end, he was fired and Liberty issued an apology, InvestmentNews reported.

Set up some suggested guidelines for what employees should avoid talking about, even on private social media channels (the big three are inflammatory political statements, market predictions and offensive language). You could require guidelines or you could just use Mr. Grilo as an example.

People can and do get fired for stuff they post on their personal accounts. It happens all the time. See this Oxygen article on things people have been fired for posting on their social media accounts.

4. Interactions

Social media is a two-way street. And that’s a good thing! If you don’t respond to people tweeting at you or posting on your wall, you could miss out on prospects and end up looking rude.

Make sure engagement notifications are sent to a phone, computer or Slack (using social integrations) so you don’t miss anyone reaching out.

When someone tweets at you or posts on your wall, you have two options: one of the final-approval people handles interactions directly so engagement moves smoothly, or you slow the engagement process down and route responses through the approval workflow.

This can be done easily and quickly in Slack (we have a #social channel there to kick around ideas for posts and responses).

Bonus Rule: Keep Records of Everything

As FINRA wisely cautions, you should keep records of everything you do on social media. To do that, you’ll want to use a social posting and archiving service like Social Assurance or Hey Orca that keeps an audit trail.

Social media is fertile ground for adviser prospects. Who knows? Your next $1M-plus client could find you because of a simple retweet. Just make sure you think about these four areas before you post.


Zach McDonald
Editorial Director
Mineral Interactive
Omaha, Neb.


Step Up Cybersecurity

As planners incorporate more technology into their offerings to clients, it’s imperative they stay on top of their cybersecurity measures.

“Cybersecurity is a major issue for financial planners in today’s highly technical, digital world,” writes Ben Lewis, FPA’s public relations team leader, in an FPA Connect post calling for participants in a cybersecurity assessment that has since ended.

Anthony Stitch explains in the forthcoming August issue of the Journal of Financial Planning that planners who don’t provide the technology clients want these days may lose those clients to firms they like less but that offer the technology they prefer. This, he writes, is called digital attrition. Members, you’ll get to read the full article when it comes out. And if you’re not yet a member, maybe now is the time. Learn more here.

“As you incorporate more technology into the running of your firm, it’s important that you stay educated on best practices for cybersecurity,” Blane Warren, an industry leader in financial services marketing, compliance, and technology, writes on XY Planning Network’s website.

This move toward providing more technology options means planners need to step up their cybersecurity game in order to keep their clients and themselves safe, something they’re not currently doing very well, according to a report from External IT titled “Financial Services Firms Face Further Scrutiny of Their Cybersecurity Practices: Is Your Firm Ready?”

InvestmentNews reports that the study found three key areas lacking in financial firms’ cybersecurity: security policy (firms failing to audit their IT security); accountability when moving data (moving data to personal and home devices without tracking measures); and disaster recovery (not having emergency business continuity plans).

This isn’t to say that planners don’t want to address cybersecurity issues; rather, they don’t know where to go to get their information, Brian Edelman, chief executive of Financial Computer Services, told InvestmentNews.

Edelman recommends using a cybersecurity firm that understands financial services.

In a recent article, ThinkAdvisor recommended planners check out the following resources: National Institute of Standards and Technology (nist.gov) and the Financial Services Information Sharing and Analysis Center (fsisac.com).


Ana Trujillo
Associate Editor
Journal of Financial Planning
Denver, Colo.


Fiduciary Rule for the Modern World

On April 6, the U.S. Department of Labor unveiled the fiduciary rule that has been six years in the making.

Department of Labor Secretary Thomas Perez said that the new rule ensures that financial advisers will act in the best interest of their clients. Gone is the suitability standard; replacing it is a fiduciary standard.

“A consumer’s best interest must now come before the adviser’s financial interest,” Perez said.

The Financial Planning Association will be there for its members throughout the process of compliance, said FPA President Pamela Sandy, CFP®. Firms are required to comply by Jan. 1, 2018.

Sandy said the organization is working with the Financial Planning Coalition—which includes CFP Board and NAPFA—to analyze the rule and figure out exactly what it means for FPA members.

“FPA, as your professional home, will be helping you understand the rule and assisting you in adjusting to the impact the rule will have on your clients and your business,” Sandy writes to FPA members.

Members now have access to the organization’s newest Knowledge Circle, on Public Policy and Regulation, which is available to help members navigate the new rule and discuss information with peers. The Knowledge Circle will temporarily be headed by FPA Chair Edward W. Gjertsen, II, CFP®.

Perez said the change in regulation is long overdue.

“The regulatory structure that protects people’s investments has not kept up with the changing landscape,” Perez said at a press conference. The rules that were in place were sufficient for days when pensions dominated the retirement field and Leave it to Beaver was popular on television, he added.

But we live in a Modern Family world now, IRAs and 401(k)s rule the roost, and people are losing $17 billion annually in fees for bad products and advice, according to a 2015 White House report.

Perez said the streamlined rule addresses concerns that many opponents had with the first versions of it, which were proposed in 2010, withdrawn, then re-proposed in 2015. The new rule gives some flexibility to firms that sell proprietary products, extends the compliance deadline by four months, and streamlines the mechanics of the contract, among other things.

“Today’s rule ensures that putting clients first is no longer simply a marketing slogan, it’s now the law,” Perez said.

Proponents of the new rule are expecting a fight from the rule’s opponents, New Jersey Senator Cory Booker (D-N.J.) said at the press conference on April 6.

But Senator Elizabeth Warren (D-Mass.) said, “We are not going back. This rule is too important for seniors, it is too critical for workers, and it is one more step to making sure our economy can grow from the middle out, not from the top down.”

Join the discussion on FPA Connect, and see below for a list of helpful links to help you arm yourself with the most current information.


Ana Trujillo
Associate Editor
Journal of Financial Planning
Denver, Colo.


Helpful Links for More Information


“Take a Letter” Isn’t What It Used to Be

Dictation and transcription services have been a valuable business tool for many years. These services continue to be important—and they need to be flexible, accessible and fast.

There is a wide array of service providers to choose from, but how you choose is as important as whom you choose. With the advent of big data and the corresponding wave of complex legislation—HIPAA, GLBA, Sarbanes-Oxley, Dodd-Frank, etc.—sanctions for noncompliance can be onerous. Some providers are sophisticated when it comes to security, some less so. You can’t afford to use a provider that cannot clearly demonstrate its understanding and use of data security protocols.

Here are some important considerations:

  • Employee background checks. Are they thorough, including Social Security number verification and address history, as a requirement for employment? Can transcriptionists access data about the client, or is client data kept separately?
  • Remote facilities. Are the equipment and facilities under the provider’s direct control? Is work being processed in the U.S. or overseas, where U.S. laws don’t apply? Does the company use home-based transcriptionists?
  • Downstream vendors. Is work processed under sole control of the transcription company or is the vendor outsourcing?
  • Shared environments. Are the equipment and facilities shared across multiple purposes or companies? Shared environments include a home-based transcriptionist using a personal laptop or a dictation company sharing server space with other companies.

DIY Tools
Dictation and transcription services were traditionally handled by support personnel and are still often viewed as simple, low-level functions. Financial professionals may “hire” their own personal technologies—tablets, smart phones, cloud applications—to do this work, but this is risky.

Siri and Android’s speech-to-text functions are considered safe, native applications, with data being processed only on the phone. Beyond the risk of losing the device itself, the trouble is the trustworthiness of the application, coupled with complex data use agreements that are often dismissed with a touch of the “I accept” button. Rather than keeping the content on the device, many speech-to-text applications retain and process the data themselves. Once out of your hands and untraceable, the data may be transferred, copied and even sold, creating serious reputational and compliance risks.

Voice-to-text software is not always efficient. It’s highly interpretive and cannot be relied upon for accuracy, and it often requires a good bit of editing. Furthermore, licenses for voice-to-text software often require consent to expansive privacy policies, which may not be compliant.

Financial services companies must identify better alternatives that satisfy these criteria:

  • Available 24/7
  • Accessible from anywhere
  • Easy to use—as easy as, or easier than, one’s personal technology
  • Able to understand and interpret industry jargon

If a service fails to meet the bar for ease of use, busy workers juggling multiple projects, deadlines and travel schedules will simply revert to their own equipment (“I’ll just store it on my iPhone for now”). This leaves the information without backup, encryption or other safety measures, creating risks of compliance issues, hefty fines, reputational damage and other problems.

Finding the Right Provider
A few key questions can help you identify the best vendor:

  • Does the provider have a solid understanding of the risk and regulatory environment in which you operate?
  • Is there a culture of security within the organization?
  • Are employees screened carefully?
  • Are standard protocols for safeguarding data being followed?

Remember, risk can never be entirely eliminated, but the right provider can make a world of difference.

Maree Moscati
CEO, Copytalk


The New SAS 70

Editor’s Note: The following information was taken from the AICPA website and applies only to Certified Public Accountants.

The American Institute of Certified Public Accountants (AICPA) has long set the standard with Statement on Auditing Standards No. 70, known simply as SAS 70 to many. The auditing standard became the global framework for reporting on controls at service organizations. Now, according to its website (www.aicpa.org), SAS 70 is nearing the end of its lifespan after approximately 19 years of service.

Statement on Standards for Attestation Engagements (SSAE) No. 16, known as SSAE 16, has been put forth as the new standard by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Here are some of the key differences:

  • SSAE 16, unlike SAS 70, is an “attest” standard, falling under the attestation framework rather than the “auditing” framework.
  • SSAE 16 requires a description of the “system”. The SSAE 16 standard (published in 2010) provides details and illustrations of the subject matter that should be included as part of the description of the “system”.
  • The SSAE 16 standard requires a written “assertion” by management.

These changes may improve the standard in a couple of ways. First, certification may become cheaper because it is an assertion model. Second, because management attests to the system, management will be more liable for any misinformation.

When speaking to your vendors, find out if and when they will be updating to SSAE 16.

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.


How Are You Assessing Client Risk Tolerance?

In January, the Financial Services Authority, the regulatory authority for the financial services industry in the United Kingdom, released guidance on assessing suitability or risk tolerance for a client. The document is fairly lengthy and good reading, and it raises the question: Will the United States follow?

I do not know, but I am sure the U.S. is looking at the U.K. model. Irrespective, I feel every adviser should have some internal, consistent methodology to assess risk. I feel creating a questionnaire and scoring model is the best way to do that. Additionally, a summary of your findings should be displayed in the Investment Policy Statement.

For those who do not want to build their own questionnaires and scoring models, there are many third-party solutions. One such solution is FinaMetrica. They perform a fairly detailed process to determine a client’s risk tolerance. They do not recommend any type of allocation; that is the responsibility of the adviser.

Other tools I have seen that perform similar functions include ones from Morningstar and Envestnet. Of course, you can build one yourself in Excel.

In all cases, you should have a standard process and review the risk tolerance at least annually. (For a copy of the FSA document, please e-mail me.)

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.


Editor’s Note: What risk assessment tool or process do you use? Share your experience with your colleagues through the comments function of this blog.