The industry has focused almost exclusively on cybersecurity controls over the past few years, instead of understanding what their core obligations and fiduciary responsibilities are for client data.
Being a fiduciary and acting in your clients’ best interest has become such a frequently repeated mantra in wealth management, it often elicits eye rolls and impatience. All financial advisors should have a fiduciary mindset when serving their clients because it’s the right thing to do. The issue is that while everyone is aware of their responsibilities when recommending and implementing investment solutions, advisors and their firms are woefully deficient about client data. Every minute of every day, even the most staunchly self-declared fiduciaries in the wealth management space are breaching their fiduciary obligations when it comes to protecting client data.
Being a true fiduciary in this digital age is increasingly more of a constant continuum of self-vigilance and activities as opposed to a one-and-done goal to be achieved.
While even a single data security breach can crush an advisor’s reputation and business, they can’t be expected to solve their client data privacy issue on their own. Wealth management firms need to be working on this issue to support their advisors. But is the industry currently structured to meet the escalating data security challenge? So far, the answer is an unfortunate no.
SAFEGUARDS RULE NOT GETTING THE ATTENTION IT SHOULD
The Securities and Exchange Commission is well aware of the sorry state of data security in the industry and adopted Rule 30(a) of Regulation S-P — commonly referred to as the Safeguards Rule — to ensure that protecting client data was front and center. This rule requires registered broker-dealers, investment companies and investment advisors to have written policies and procedures intended to:
- Ensure the confidentiality of customer records and information.
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information.
The SEC has taken enforcement actions against firms stemming from violations of the Safeguards Rule. In fact, more firms have gotten in trouble for data issues than cyber. This is going to get expensive quickly if changes aren’t made fast.
Whether they realize it or not, broker-dealers, RIAs and investment advisors are fiduciaries of their clients’ data. These wealth management firms must:
- Understand what their data obligations are to the regulatory bodies, which may vary by jurisdiction.
- Notify their clients about the opportunity and methods to opt out of the sharing of nonpublic personal information with nonaffiliated third parties.
- Abide by the Safeguards Rule and the SEC’s guidance surrounding it and at minimum have:
  - Policies around how they safeguard client data.
  - Knowledge of where all of their client data is — something many firms don’t have a handle on.
  - An understanding of who within their organizations has access to their client data.
  - Controls in place to make sure that they anonymize data to protect it with security controls.
Firms are acquiring data at an exponential rate and have been fixing issues as they arise in a patchwork fashion. This is untenable. The industry has also put the cart before the horse by focusing almost exclusively on cybersecurity controls over the past few years, instead of understanding what their core obligations and fiduciary responsibilities are for client data.
Looking at cybersecurity and trying to stop bad actors are commendable efforts, but firms haven’t paid nearly enough attention to data integrity and ownership. Many have been hesitant to focus too much on data for fear of being seen as some sort of “Big Brother,” watching their clients’ every move. With the SEC Safeguards Rule, ignoring data issues is no longer an option. But what to do about it?
ECOSYSTEM OF INNOVATIVE SOLUTIONS NEEDED
The industry needs new data security tools and services to protect clients and themselves from SEC enforcement. Having policies and procedures somewhere in a binder is great, but firms need the right kind of third-party innovation to turn written procedure into action. They can’t build these in-house — they don’t have the time or the expertise. Meanwhile there are a number of product innovations out there servicing horizontal markets. To bring those innovations to the wealth management industry is no simple task.
What the industry needs is to support a new kind of innovation platform, where startup companies are created by digital innovators who have a strong understanding of how the industry works and a deep-rooted connection to the data problem. We must foster an ecosystem of innovation made up of entrepreneurs, not just capital, because just throwing money at the problem won’t make it go away.
This is an urgent problem, and there’s no time to wait for solutions to be developed, tested and brought to market sequentially. We are so behind as an industry that development must happen in parallel. This will enable multiple innovators to focus on their respective lanes to solve various facets of the client data issue.
Sid Yenamandra is founder and CEO of Surge Ventures, a new SaaS venture studio initially targeting the financial services and wealth management industry.
Original Article: https://www.investmentnews.com/beware-of-breaching-your-fiduciary-obligations-related-to-client-data-232828