Step Up Cybersecurity

As planners incorporate more technology into their offerings to clients, it’s imperative they stay on top of their cybersecurity measures.

“Cybersecurity is a major issue for financial planners in today’s highly technical, digital world,” writes Ben Lewis, FPA’s public relations team leader, in an FPA Connect post calling for participants in a cybersecurity assessment that has since ended.

Anthony Stitch explains in the forthcoming August issue of the Journal of Financial Planning that planners who don’t provide the technology clients want these days may lose those clients to firms they like less but that offer the technology they prefer. This, he writes, is called digital attrition. Members, you’ll get to read the full article when it comes out. And if you’re not yet a member, maybe now is the time. Learn more here.

“As you incorporate more technology into the running of your firm, it’s important that you stay educated on best practices for cybersecurity,” Blane Warren, an industry leader in financial services marketing, compliance, and technology, writes on XY Planning Network’s website.

This move toward providing more technology options means planners need to step up their cybersecurity game to keep their clients and themselves safe, something they are not currently doing very well, according to a report from External IT titled “Financial Services Firms Face Further Scrutiny of Their Cybersecurity Practices: Is Your Firm Ready?”

InvestmentNews reports that the External IT report found three key areas lacking in financial firms’ cybersecurity:

  • Security policy: firms failing to audit their own IT security.
  • Accountability when moving data: data moved to personal and home devices without any tracking measures.
  • Disaster recovery: no emergency business continuity plans in place.

This isn’t to say that planners don’t want to address cybersecurity issues; rather, they don’t know where to go for reliable information, Brian Edelman, chief executive of Financial Computer Services, told InvestmentNews.

Edelman recommends using a cybersecurity firm that understands financial services.

In a recent article, ThinkAdvisor recommended planners check out the following resources: National Institute of Standards and Technology (nist.gov) and the Financial Services Information Sharing and Analysis Center (fsisac.com).

Ana Trujillo
Associate Editor
Journal of Financial Planning
Denver, Colo.


Fiduciary Rule for the Modern World

On April 6, the U.S. Department of Labor unveiled the fiduciary rule that has been six years in the making.

Department of Labor Secretary Thomas Perez said the new rule ensures that financial advisers will act in the best interest of their clients. Gone is the suitability standard; replacing it is a fiduciary standard.

“A consumer’s best interest must now come before the adviser’s financial interest,” Perez said.

The Financial Planning Association will be there for its members throughout the process of compliance, said FPA President Pamela Sandy, CFP®. Firms are required to comply by Jan. 1, 2018.

Sandy said the organization is working with the Financial Planning Coalition—which includes CFP Board and NAPFA—to analyze the rule and figure out exactly what it means for FPA members.

“FPA, as your professional home, will be helping you understand the rule and assisting you in adjusting to the impact the rule will have on your clients and your business,” Sandy writes to FPA members.

Members now have access to the organization’s newest Knowledge Circle, on Public Policy and Regulation, created to help members navigate the new rule and discuss it with peers. The Knowledge Circle will temporarily be headed by FPA Chair Edward W. Gjertsen, II, CFP®.

Perez said the change in regulation is long overdue.

“The regulatory structure that protects people’s investments has not kept up with the changing landscape,” Perez said at a press conference. The rules that were in place were sufficient for days when pensions dominated the retirement field and Leave it to Beaver was popular on television, he added.

But we live in a Modern Family world now, IRAs and 401(k)s rule the roost, and people are losing $17 billion annually in fees for bad products and advice, according to a 2015 White House report.

Perez said the streamlined rule addresses concerns that many opponents had with its earlier versions, which were proposed in 2010, withdrawn, then re-proposed in 2015. The new rule adds some flexibility for firms that sell proprietary products, extends the compliance deadline by four months, and streamlines the mechanics of the contract, among other things.

“Today’s rule ensures that putting clients first is no longer simply a marketing slogan, it’s now the law,” Perez said.

Proponents of the new rule are expecting a fight from its opponents, Senator Cory Booker (D-N.J.) said at the press conference on April 6.

But Senator Elizabeth Warren (D-Mass.) said, “We are not going back. This rule is too important for seniors, it is too critical for workers, and it is one more step to making sure our economy can grow from the middle out, not from the top down.”

Join the discussion on FPA Connect, and see below for a list of helpful links to help you arm yourself with the most current information.

 

Ana Trujillo
Associate Editor
Journal of Financial Planning
Denver, Colo.

 

Helpful Links for More Information


“Take a Letter” Isn’t What It Used to Be

Dictation and transcription services have been a valuable business tool for many years. These services continue to be important—and they need to be flexible, accessible and fast.

There is a wide array of service providers to choose from, but how you choose is as important as whom you choose. With the advent of big data and the corresponding wave of complex legislation (HIPAA, GLBA, Sarbanes-Oxley, Dodd-Frank, etc.), sanctions for noncompliance can be onerous. Some providers are sophisticated when it comes to security, some less so. You can’t afford to use a provider that cannot clearly demonstrate its understanding and use of data security protocols.

Here are some important considerations:

  • Employee background checks. Are they thorough, including Social Security number verification and address history, as a requirement for employment? Can transcriptionists access data about the client, or is client data kept separately?
  • Remote facilities. Are the equipment and facilities under the provider’s direct control? Is work being processed in the U.S. or overseas, where U.S. laws don’t apply? Does the company use home-based transcriptionists?
  • Downstream vendors. Is work processed under sole control of the transcription company or is the vendor outsourcing?
  • Shared environments. Are the equipment and facilities shared across multiple purposes or companies? Shared environments include a home-based transcriptionist using a personal laptop or a dictation company sharing server space with other companies.

DIY Tools
Dictation and transcription services were traditionally handled by support personnel and are still often viewed as simple, low-level functions. Financial professionals may “hire” their own personal technologies—tablets, smart phones, cloud applications—to do this work, but this is risky.

Siri and Android’s speech-to-text functions are often assumed to be safe, native applications that process data only on the phone. That assumption does not hold. Beyond the risk of losing the device itself, the trouble is the trustworthiness of the application coupled with complex data-use agreements that are often dismissed with a touch of the “I accept” button. Rather than holding the content on the device, many speech-to-text applications upload the audio to the vendor’s servers, where it is retained and processed. Out of your hands and untraceable, the data may be transferred, copied and even sold, creating serious reputational and compliance risks.

Voice-to-text software is not always efficient. It is highly interpretive, cannot be relied upon for accuracy and often requires a good bit of editing. Furthermore, licenses for voice-to-text software often require consent to expansive privacy policies that may not be compatible with your compliance obligations.

Financial services companies must identify better alternatives that satisfy these criteria:

  • Available 24/7
  • Accessible from anywhere
  • Easy to use—as easy or better than one’s personal technology
  • Able to understand and interpret industry jargon

If a service fails to meet the bar for ease of use, busy workers juggling multiple projects, deadlines and travel schedules will simply revert to their own equipment (“I’ll just store it on my iPhone for now”). This leaves the information without backup, encryption or other safety measures, creating risks of compliance issues, hefty fines, reputational damage and other problems.

Finding the Right Provider
A few key questions can help you identify the best vendor:

  • Does the provider have a solid understanding of the risk and regulatory environment in which you operate?
  • Is there a culture of security within the organization?
  • Are employees screened carefully?
  • Are standard protocols for safeguarding data being followed?

Remember, risk can never be entirely eliminated, but the right provider can make a world of difference.

Maree Moscati
CEO, Copytalk


The New SAS 70

Editor’s Note: The following information was taken from the AICPA website and applies only to Certified Public Accountants.

The American Institute of Certified Public Accountants (AICPA) has long set the standard with Statement on Auditing Standards No. 70, known simply as SAS 70 to many. The auditing standard became the global framework for reporting on controls at service organizations. Now, according to the AICPA website (www.aicpa.org), SAS 70 is nearing the end of its lifespan after approximately 19 years of service.

Statement on Standards for Attestation Engagements (SSAE) No. 16, known as SSAE 16, has been put forth as the new standard by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Here are some of the key differences:

  • SSAE 16, unlike SAS 70, is an “attest” standard: it falls under the attestation framework rather than the auditing framework.
  • The SSAE 16 requires a description of the “system”. The SSAE 16 standard (published in 2010) provides details and illustrations of subject matter that should be included as part of the description of the “system”.
  • SSAE 16 standard requires a written “assertion” by management.

These changes may improve on the old standard in a couple of ways. First, the assertion model may make certification cheaper. Second, because management must attest to the system in writing, management becomes more liable for any misinformation in the report.

When speaking to your vendors, find out if and when they will be updating to the SSAE 16.

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.


How Are You Assessing Client Risk Tolerance?

In January, the Financial Services Authority, the regulatory authority for the financial services industry in the United Kingdom, released guidance on assessing suitability, or risk tolerance, for a client. The document is fairly lengthy and good reading, and it raises the question: will the United States follow?

I do not know, but I am sure the U.S. is looking at the U.K. model. Regardless, I feel every adviser should have some internal, consistent methodology to assess risk. Creating a questionnaire and scoring model is, I feel, the best way to do that. Additionally, a summary of your findings should be displayed in the Investment Policy Statement.

For those who do not want to build their own questionnaires and scoring models, there are many third-party solutions. One such solution is FinaMetrica. They perform a fairly detailed process to determine a client’s risk tolerance. They do not recommend any type of allocation; that is the responsibility of the adviser.

Other tools I have seen that perform similar functions include ones from Morningstar and Envestnet. Of course, you can build one yourself in Excel.

In all cases, you should have a standard process and review the risk tolerance at least annually. (For a copy of the FSA document, please e-mail me.)

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.

 

 

Editor’s Note: What risk assessment tool or process do you use? Share your experience with your colleagues through the comments function of this blog.


A Policy Manual for Data Security

I recently got a mortgage, and it was surprising how much information a total stranger was asking for, information I had to give them. I, of course, checked out the firm with various associations to ensure it was legitimate. But through this experience I realized how clients must feel about advisers having so much personal information on their family. Additionally, the expectation that an adviser will keep that information secure is, in effect, an expectation of perfection. With this level of expectation, documentation will go a long way toward managing security. Much like other policies and procedures manuals and checklists, security should follow the same pattern. Unfortunately, there is no single format that works for all firms, but here are some items to consider when creating such a document.

  • Risk analysis
  • Staff member roles
  • Physical security
  • Electronic communication (email/smartphones)
  • Blogs and personal websites
  • Facility design, construction and operations
  • Media and documentation
  • Data and software security
  • Network security
  • Internet and IT contingency planning
  • Outsourced services
  • Employee termination procedures (IDs, passwords, expense accounts, remote access, etc.)
  • Incident reporting procedures
  • Access control guidelines
  • Security compliance checklists

It seems like a lot, but addressing each one of these items will help in building a manual that will grow over time. Additionally, sharing this level of information with clients about how you are keeping their information safe can differentiate your practice.

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.


The Conundrum of Compliant Employee Trading

I have written about this subject a few times only because it is a hard subject to manage. I ran into a couple of interesting situations that may be compliance headaches without a good solution, but may be good candidates for addition to your Code of Ethics.

In one scenario, the firm invested client assets with various money managers. Each account was separate, so access to individual security information was easily attainable. Some employees were mimicking the money manager’s portfolio in their own accounts. You would think this is illegal, but as far as I know it is not. Since the employee trades are being executed after the client’s, employees are not front-running the client. As a compliance officer it is very hard to discover this scenario and I am not sure it is worth it. It may be worth putting in your Code of Ethics that employees may not use any information obtained from a portfolio, including position information, for personal gain.

In another scenario, an adviser was utilizing position level information from mutual fund companies to manage client portfolios and his personal portfolio. Typically, mutual fund companies do not report their top holdings until three to six months after the fact. As a fiduciary, this is a long time to keep the portfolio on hold before making a decision, and could lead to heavy losses. A compliance officer should ensure that all advisers have their methodology for portfolio management clear, and perform periodic tests.

Employee trading is a tough subject because it requires a clear and concise method of gathering and managing data. There will always be instances of “gray,” like in the above examples, but continuously trying to understand how employees perform their function is a great way to catch gaps.

Ash Bhatnagar, CFP®
President
RIA Independence Co.
Princeton, N.J.
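One way to surface the two timing patterns from the first scenario for review, as an added example that is not part of the post above and not the author’s own method: the Python below assumes a consolidated trade blotter that holds both client and employee trades (the accounts, tickers, dates and the five-day window are constructed assumptions for illustration). It distinguishes an employee trade placed before a matching client trade (the front-running pattern the post says is absent when employees trade after the client) from one placed after it (mirroring), and lists employees with repeated mirroring for review under the Code of Ethics language the post suggests. It does not decide whether mirroring is prohibited; it only produces the candidates a compliance officer would otherwise struggle to find by hand.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Trade:
    """One blotter row. owner is "client" or "employee"."""
    account: str
    owner: str
    ticker: str
    side: str   # "BUY" or "SELL"
    traded: date


# Constructed sample blotter: hypothetical accounts, tickers and dates, not real data.
SAMPLE_TRADES = [
    Trade("CL-1001", "client",   "ABC", "BUY",  date(2016, 3, 1)),
    Trade("CL-1002", "client",   "ABC", "BUY",  date(2016, 3, 1)),
    Trade("EMP-07",  "employee", "ABC", "BUY",  date(2016, 3, 3)),   # two days after the clients
    Trade("CL-1001", "client",   "XYZ", "SELL", date(2016, 3, 10)),
    Trade("EMP-07",  "employee", "XYZ", "SELL", date(2016, 3, 11)),  # one day after the client
    Trade("EMP-07",  "employee", "LMN", "BUY",  date(2016, 3, 14)),  # one day BEFORE the client
    Trade("CL-1002", "client",   "LMN", "BUY",  date(2016, 3, 15)),
    Trade("EMP-09",  "employee", "QRS", "BUY",  date(2016, 3, 20)),  # no client activity in QRS
    Trade("EMP-07",  "employee", "ABC", "BUY",  date(2016, 6, 1)),   # months later, outside the window
]


def find_overlaps(trades, window_days=5):
    """Pair every employee trade with client trades in the same ticker and side
    that fall within window_days either side of it, and label the timing.

    lag_days is the employee date minus the nearest client date: negative means
    the employee traded first (front-running pattern), positive means the
    employee followed the client (mirroring pattern), zero is ambiguous and
    needs execution-time data to resolve.
    """
    clients = [t for t in trades if t.owner == "client"]
    findings = []
    for emp in (t for t in trades if t.owner == "employee"):
        matches = [
            c for c in clients
            if c.ticker == emp.ticker and c.side == emp.side
            and abs((emp.traded - c.traded).days) <= window_days
        ]
        if not matches:
            continue
        nearest = min(matches, key=lambda c: abs((emp.traded - c.traded).days))
        lag = (emp.traded - nearest.traded).days
        pattern = "front-running" if lag < 0 else "same-day" if lag == 0 else "mirroring"
        findings.append({
            "employee": emp.account,
            "ticker": emp.ticker,
            "side": emp.side,
            "pattern": pattern,
            "lag_days": lag,
            "client_accounts": sorted({c.account for c in matches}),
        })
    return findings


def triage(findings, min_mirrors=2):
    """Split findings into what needs immediate escalation and what needs a
    Code of Ethics review. Any front-running or same-day hit escalates; an
    employee is listed for mirroring review only after min_mirrors hits,
    since a single coincidental overlap is expected in any active account.
    """
    escalate = [f for f in findings if f["pattern"] != "mirroring"]
    mirror_counts = {}
    for f in findings:
        if f["pattern"] == "mirroring":
            mirror_counts[f["employee"]] = mirror_counts.get(f["employee"], 0) + 1
    review = sorted(e for e, n in mirror_counts.items() if n >= min_mirrors)
    return {"escalate": escalate, "mirroring_review": review}


if __name__ == "__main__":
    result = triage(find_overlaps(SAMPLE_TRADES))
    for f in result["escalate"]:
        print(f"ESCALATE {f['employee']} {f['side']} {f['ticker']} lag={f['lag_days']}d "
              f"clients={f['client_accounts']}")
    print("Review for mirroring:", result["mirroring_review"])
```

On the sample blotter the LMN trade escalates (employee bought the day before a client), EMP-07 is listed for mirroring review on the strength of the ABC and XYZ overlaps, and the June ABC trade and EMP-09’s QRS trade produce nothing. The window and the two-hit threshold are tuning knobs: too short a window misses a patient mirror, too long one buries the reviewer in coincidences, so calibrate them against the firm’s own trade volume, and feed the results into the periodic tests the post recommends rather than treating a hit as a finding on its own.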