New technology and new demands for document security mean that even small firms must upgrade their processes.
In 2001, document management within financial advisory firms was still in its infancy. When Dave Drucker and I began writing our first book, Virtual Office Tools for a High Margin Practice, only a small percentage of early-adopter firms had implemented a document management system, and fewer still stored all of their documents digitally.
Much has changed over the last several years. Today's regulatory, legal and security environments demand a more robust document management solution, and advisors who downplay these issues may find themselves doing so at their own risk. These days, advisory firms are not only aware of paperless office technologies, most are incorporating these technologies to some degree within their practices. Unfortunately, some first-generation document management technologies that many advisory firms employ today are already obsolete, or soon will be.
What types of first-generation systems are at risk? The most vulnerable are those that let users create and store a digital file on a computer's hard drive (or on another storage medium) without recording who created, viewed, changed or deleted the file, or when. Such a system may incorporate built-in search and retrieval functionality, or it might rely on the operating system's search capabilities. In yet other cases, advisory firms rely upon Google Desktop, Copernic Desktop Search or some other third-party program to provide search and retrieval functionality; these improve retrieval but add no audit trail.
Who typically uses such a system and what does it look like? According to George Tamer, director of solutions consulting at TD Ameritrade: "Advisory firms that are managing under $100 million typically do not have a full document management system. They are either storing files directly to the Windows directory, or they are using something like PaperPort."
In other words, at a smaller advisory firm an employee might scan a paper document to a PDF file using Adobe Acrobat's scanning module, or scan a document to a TIF file using another application. The file would then be named and filed in a folder that is part of the Windows directory tree (e.g., C:\Documents and Settings\Joel Bruckenstein\My Documents\Client Records\Jones Family). Files that originated in digital format, such as MS Word and Excel files, are stored in a similar manner. Typically, those files would later be backed up to a WORM (write once, read many) medium.
Small firms might also use an application such as PaperPort, which has many useful tools for scanning, annotating, filing and retrieving files. By default, PaperPort creates a directory within the Windows file structure. Folders become subfolders under the PaperPort folder (e.g., C:\Documents and Settings\Joel Bruckenstein\My Documents\My PaperPort Documents\Client Records\Jones Family). In effect, PaperPort piggybacks on the Windows file structure without interfering with it.
Previously, systems such as the ones described above were a defensible compromise because of the high cost of better alternatives. In addition, the superior search capabilities that even a rudimentary digital system exhibited over a paper one were evidence that some digital document management was better than none. This argument is no longer valid. Let's look at the regulatory, legal and security risks in turn.
Document management and compliance experts say when it comes to digital records, advisors often focus on narrow issues instead of taking a more comprehensive, holistic approach. Advisors new to digital documents often spend too much time pondering the benefits of competing scanners, file formats, optical character recognition software and backup systems. Less time is spent thinking about how these technologies will complement the overall efficiency, security and compliance culture of their firm.
According to Barry Schwartz, of Advisor Compliance Associates: "Regardless of the system advisors use, they are required to safeguard records and limit access to records. In addition, advisors are required to help ensure that electronic copies of non-electronic originals are true, complete and legible."
Furthermore, says Schwartz, privacy rules require that advisory firms protect against anticipated threats or hazards to security and integrity of records; ensure that senior management understands how the systems work and establish procedures to monitor the safeguards; disclose to clients policies and procedures regarding the use and safekeeping of client records and information; and maintain written policies and procedures to properly dispose of sensitive consumer information.
Thomas D. Giachetti, chair of the securities group at Stark & Stark, and one of the nation's leading authorities on investment-related compliance matters cautions: "Technology is part of the solution, but it cannot serve as a substitute for policies and procedures, which must be specific to the firm and which should be reviewed at least annually."
Lisa Roth, president of ComplianceMAX, notes that some advisory firms may be underestimating the value of outsourcing to unrelated third parties. Such an arrangement with a qualified provider, she says, relieves advisory firms of the ever-changing technology burden while allowing them to concentrate on their core competencies. There's also a perception that records stored with a reputable third party are less prone to tampering.
Legal risks, like the risk of potential civil litigation against an advisor, are less well understood than regulatory risks, but they are potentially far more damaging. Many advisors mistakenly believe that if their firm complies with SEC and NASD regulations regarding document storage and retention, the likelihood of those records being challenged in court is remote. Nothing could be farther from the truth. Courts are increasingly questioning the validity of firms' digital records.
In 2003, Vee Vinhnee, a California resident, filed for Chapter 7 bankruptcy in the U.S. Bankruptcy Court in the Central District of California. He owed American Express more than $40,000 on his two credit cards. One was an American Express Gold card issued in 1989; the other was an American Express Platinum card issued in February of 2003. American Express sued Vinhnee to get him to pay the balances owed on the cards. In Vinhnee vs. American Express Travel Related Services Company Inc., Vinhnee won his case without legal representation and without even attending the trial.
The plaintiff's case rested on its own internal computer records, the electronic monthly statements issued by American Express, as evidence of Vinhnee's debt. The court refused to admit the electronic records as evidence because the firm could not offer proof to authenticate the records. Amex appealed and lost.
Why is this case important? Because it indicates that firms may be required to authenticate their digital records if they want them admitted in federal court, or any court for that matter. This is one signal that the bar for entering digital records into evidence could be higher than that of SEC regulations as they are currently interpreted by many RIA firms.
A more recent opinion in the case of Lorraine vs. Markel American Insurance Company dated May 4, 2007, contains a detailed discussion of issues surrounding the admissibility of digital records. In this suit, which dealt with lightning damage to a yacht owned by Jack Lorraine and Beverly Mack and insured by Markel, both sides offered e-mail as evidence to support their respective claims. Although neither side challenged the validity of the other's e-mail, Chief U.S. Magistrate Judge Paul W. Grimm rejected all offered e-mail submissions on the grounds that they failed to meet the standard for admission under the Federal Rules of Evidence. As part of his ruling, Judge Grimm stated, "If it is critical to the success of your case to admit into evidence computer-stored records, it would be prudent to plan to authenticate the records by the most rigorous standards that may be applied." Do the records of all RIA and B-D reps meet "the most rigorous standards" test today? Clearly, they do not.
Grimm's opinion comes as no surprise to David McClellan, vice president and general manager at ProofSpace. "Enron, WorldCom and the mutual fund scandals have eroded trust in business on the part of the public, the regulators and the judiciary. As a result, the burden of proof is now on a business to prove that their records have not been tampered with," he says.
Most advisors are aware of the need for "security," but security from what? According to David Drab, a principal of information content security services at Xerox Global Services and a recognized authority on helping Fortune 1000 companies manage critical information assets: "Most organizations rely on a tactical, technical approach to security. They allocate their security dollars and resources primarily to keep intruders (hackers, phishers, etc.) out of the network."
While network security should not be overlooked, it is only one aspect of keeping a firm's data safe. "Over 80% of security incidents today are caused by insiders, not always knowingly or maliciously, but they are damaging just the same," says Drab. Before joining Xerox, Drab served as a special agent for the FBI. In that capacity, he investigated organized crime, foreign intelligence and terrorism.
Internal security threats to data can take many forms. It could be a rogue employee who makes unauthorized copies of client financial data for illegal purposes; it could be a non-employee like a janitor who copies digital or paper records. It might be an employee who inadvertently e-mails the wrong document, unencrypted, to the wrong counterparty.
Securing data within the office is challenging, but it doesn't end there.
A mobile workforce adds to the security challenge. The average knowledge worker today spends seven to eight years at a job. When the worker moves on, asks Drab, "How do you make sure that the company knowledge base does not move on too?" If a breach is discovered after the worker leaves, the damage is already done. Even if a crime has been committed, there is no guarantee that the perpetrator will pay. If a former employee takes a job in India and takes critical records overseas, the damage to your firm can be the same as if the worker took a domestic job; however, the firm's recourse against the former employee may be limited.
The ease of distribution is what makes securing information difficult. Once information has left the secure office environment, it can be distributed almost instantaneously over the Web, through wireless networks and even by instant messaging. Think about how quickly videos, music and celebrity photos circulate on the Web, whether legally or not.
Warns Drab: "If there is not a procedure in place to identify what is critical, it won't be nailed down. If it is not nailed down, it is going to be taken. If you do not have it nailed down, shame on you."
Document Management 2.0
If basic document management is no longer sufficient, what should firms be doing to mitigate the risks outlined above? The answer will vary from firm to firm. However, almost any modern solution will have some common elements.
The first step begins with a comprehensive evaluation of the risks. Based on the unique nature of the firm, what regulatory, legal and security challenges are you most worried about? In all cases, firms must meet the requirements placed on them by regulators, but often, exceeding the minimum requirements may make sense. For example, a small firm with one or two employees might be able to meet the e-mail retention requirement by backing up MS Outlook .PST files daily, weekly or even monthly in-house, but for a modest fee, that same firm can outsource the job to a firm that specializes in e-mail retention for advisors. If a regulator wishes to inspect the firm's stored e-mail, in which method do you think the regulator will have a higher degree of confidence?
The same train of thought can be applied to the legal risks. If the worst were to happen and your firm had to produce digital records as evidence, would you be comfortable going to court claiming that your digital files met all regulatory requirements? Or would you prefer, as Judge Grimm suggested, "to authenticate the records by the most rigorous standards that may be applied," or at least something approaching that standard?
As for security risks, securing the network is not enough. According to Dan Skiles, vice president of Schwab Institutional Technology: "Firms often overlook the physical risks." If paper documents, computers, external hard drives and the like are not physically secured, they are vulnerable to theft.
Jo Day of Trumpet Inc. sees risks in the common industry practice of hiring temps: "When firms go paperless, they often hire temps to scan their historic files. We think this is a bad idea due to the confidential nature of the information being scanned. We'd much prefer to see relatives of the principals or their employees doing the scanning."
When thinking about safeguarding digital documents, says Ed Chase, standards engineer for Adobe Systems Inc., advisors need to be aware of two distinct tools: rights management tools and electronic signature or authentication tools. Rights management tools are designed to protect documents. They control who can get access to a document, what they can do with it (read, edit, copy and/or print) and for how long. They generally include audit features as well. Authentication tools are not designed to prevent someone from accessing a document. Rather, they can help prove who did what when, or in the case of some tools, such as ProofMark from ProofSpace, they can prove what wasn't done, meaning they can prove that an electronic file was not tampered with.
The next step, according to Giachetti, is to begin compiling "a comprehensive set of policies and procedures to address all issues that have been identified." Drab cautions that procedures must take human nature into account. "That closes the gap between policy and the real-world work environment," he says. The written policies and procedures will be living documents. They should be created in digital format so they can be updated and distributed quickly and easily.
Once you have your policies and procedures refined, it is time to start looking at implementation. As indicated earlier, there is no one solution that will fit all firms, but one thing is clear: Saving files to a Windows directory without any rights management or audit trail is no longer acceptable.
For a small firm with two or three principals and no support staff, or an office with a couple of principals and one assistant, rights management may not be necessary because all firm members will have access to all records. But in the future, even small firms will be required to demonstrate who did what to a document, as well as when they did it. That means that all firms will require some sort of document management application, one that contains audit capabilities. They also may wish to deploy software with versioning capabilities. Versioning software stores multiple versions of a document, so it is possible to view the evolution of a document. For example, if a firm regularly reviews and updates its compliance manual, it might want not only an audit trail showing when the document was changed and by whom, but also a full copy of each version of the document as it changed over time. Larger firms should consider some form of rights management, at least for critical data and perhaps systemwide. Automated workflow management and programmable retention policies are other desirable features for larger installations.
Many document management systems offer rights management and/or work-flow capabilities, either as part of the base product or as an add-on. Other applications advisors are already using may also support rights management. Junxure, a leading CRM application for advisors, currently offers limited audit capabilities. Junxure 7.0, scheduled for release in the fourth quarter of this year, will offer extensive rights management and audit capabilities. PortfolioCenter, a popular portfolio management and reporting package from Schwab Performance Technologies, offers a rights management module as an option for a modest additional
Numerous document management vendors offer products targeting the financial service industry. You can spend as little as $299 for a single-user document management system with acceptable audit capabilities, or you can easily spend tens or even hundreds of thousands of dollars for a system with all the bells and whistles for a large enterprise. Some of the better-known vendors include: Cabinet NG, CEO Image Systems, DocuXplorer, Laserfiche, Trumpet Inc. (a firm that offers solutions featuring Worldox) and Xerox. For enterprise rights management, Adobe, Microsoft and Xerox are among the providers.
Firms concerned primarily with validating the integrity of documents should keep an eye on ProofSpace. CEO Paul Doyle draws an analogy between the Tylenol tampering scandal of the 1980s and recent document tampering allegations. The Tylenol case profoundly changed the packaging industry; it led to the wide adoption of tamper-proof packaging. Actually, "tamper-proof" is a bit of a misnomer. What the packaging actually provides, says Doyle, is a tamper indicator. The indicator can't guarantee that the contents of the package are safe; what it tells you is whether the contents have been disturbed since the seal was applied. Doyle thinks that his firm's technology, ProofMark, can be the tamper indicator of choice for the financial service industry. ProofMark puts a "virtual tamper-proof seal" on each document in the form of a miniature time stamp bound to the file's contents. If even one byte of data within the file is altered, the seal no longer validates. Note the limit of any such indicator: it can only reveal changes made after the seal was applied, so the seal should be applied as soon as a record is created and checked every time the record is produced. ProofSpace hopes that ProofMark will soon be incorporated into products and services that advisors currently use.
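The three capabilities the preceding paragraphs ask for, an audit trail of who did what and when, a full copy of every version of a document, and a seal that becomes invalid if a single byte changes, fit together in one small store. What follows is an added example written for this edit; it is not code from the article, from ProofSpace, Adobe or any other vendor named here, and it does not describe how ProofMark actually works. It uses only the Python standard library; the seal key, the user names, the document text and the clock values are assumptions made for the demonstration, and an HMAC under a local key stands in for the independent time-stamping party that a real deployment would use.

```python
# Added example for this edit, not code from the article, ProofSpace, Adobe or
# any vendor named on the page. Standard library only; seal key, user names,
# document text and clock values are assumptions made for the demo.
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed demo key; a real one belongs to an independent time-stamping party,
# not to the server that stores the documents.
SEAL_KEY = b"demo-seal-key-not-for-production"

def digest_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_seal(digest: str, stamped_at: float) -> str:
    """Bind a content digest to a time stamp with an HMAC: the 'seal'."""
    msg = f"{digest}|{stamped_at!r}".encode()
    return hmac.new(SEAL_KEY, msg, hashlib.sha256).hexdigest()

def hash_entry(when, who, action, doc, version, prev_hash) -> str:
    """Hash of one audit entry; including prev_hash is what chains the log."""
    return digest_of(json.dumps([when, who, action, doc, version, prev_hash]).encode())

@dataclass
class Version:
    number: int
    content: bytes
    stamped_at: float
    seal: str

@dataclass
class AuditEntry:
    when: float
    who: str
    action: str
    doc: str
    version: int
    prev_hash: str
    entry_hash: str

class DocumentStore:  # every version is kept, plus a hash-chained audit log
    def __init__(self) -> None:
        self.versions = {}  # doc name -> [Version, ...] in creation order
        self.audit = []     # [AuditEntry, ...], each chained to the previous

    def _record(self, who: str, action: str, doc: str, version: int, when: float) -> None:
        prev = self.audit[-1].entry_hash if self.audit else "0" * 64
        self.audit.append(AuditEntry(when, who, action, doc, version, prev,
                                     hash_entry(when, who, action, doc, version, prev)))

    def save(self, who: str, doc: str, content: bytes, now: float) -> int:
        """Store a new version (old ones are kept), seal it and log who/when."""
        history = self.versions.setdefault(doc, [])
        v = Version(len(history) + 1, content, now, make_seal(digest_of(content), now))
        history.append(v)
        self._record(who, "save", doc, v.number, now)
        return v.number

    def read(self, who: str, doc: str, now: float, version: int = 0) -> bytes:
        v = self.versions[doc][(version or len(self.versions[doc])) - 1]  # 0 = latest
        self._record(who, "read", doc, v.number, now)  # reads are audited too
        return v.content

    def verify(self, doc: str, version: int = 0) -> bool:
        """Tamper indicator: True only while stored bytes match the sealed digest."""
        vs = self.versions[doc]
        targets = [vs[version - 1]] if version else vs  # one version or all of them
        return all(hmac.compare_digest(make_seal(digest_of(v.content), v.stamped_at), v.seal)
                   for v in targets)

    def verify_audit(self) -> bool:
        """True only while no log entry has been altered, removed or reordered."""
        prev = "0" * 64
        for e in self.audit:
            if e.prev_hash != prev or e.entry_hash != hash_entry(
                    e.when, e.who, e.action, e.doc, e.version, e.prev_hash):
                return False
            prev = e.entry_hash
        return True

def demo() -> dict:  # constructed walk-through of the compliance-manual scenario
    s = DocumentStore()
    s.save("alice", "manual", b"Compliance manual, 2007 edition", now=1.0)
    s.save("bob", "manual", b"Compliance manual, 2007 edition, rev 2", now=2.0)
    out = {"latest": s.read("carol", "manual", now=3.0),
           "first": s.read("carol", "manual", now=4.0, version=1),
           "intact": s.verify("manual") and s.verify_audit(),
           "trail": [(e.who, e.action, e.version) for e in s.audit]}
    # Change one byte of version 1 behind the store's back: its seal fails while
    # version 2's still holds, so the alteration is both detected and localised.
    v1 = s.versions["manual"][0]
    v1.content = v1.content[:-1] + b"!"
    out["v1_after_edit"], out["v2_after_edit"] = s.verify("manual", 1), s.verify("manual", 2)
    # Rewrite history: claim mallory, not alice, saved version 1. The chain breaks.
    s.audit[0].who = "mallory"
    out["audit_after_edit"] = s.verify_audit()
    return out

if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real system. The seal covers the digest and the time stamp together, so neither the content nor the "when" can be changed without detection, but whoever holds the key can re-seal at will; that is why the key must sit with a party independent of the document server. And the audit log only proves its own integrity from the first entry onward, so the chain has to start when the record is created, not when a dispute arises.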
Firms should also consider how they will deliver electronic content to their clients. With e-mail, sensitive documents should be password-protected and encrypted, and the password should reach the client by a separate channel (a phone call, for example) rather than in the same message as the attachment. Adobe Acrobat offers one option for securing individual e-mail attachments. AttachPlus from Trumpet Inc. offers a competing solution for securing attachments. Some e-mail providers now offer turnkey integrated secure e-mail on an enterprise basis. USA.NET and Network Solutions are two firms offering solutions that integrate with MS Outlook.
Another, and many argue a better, method of sharing documents securely with clients is through an "online vault." Generally speaking, documents are uploaded to a secure Web site, from which clients who have been issued credentials can download them. Online vaults can be configured in various ways. Some providers only allow advisors to upload documents for retrieval; others allow both advisors and their clients to store documents online. Web site providers such as AdvisorSites and LightPort offer online vaults. This functionality is also built into some versions of Xerox DocuShare.
This discussion has focused primarily on digital documents, but it really applies to all client information. Many of the concerns surrounding digital documents also apply to any photos, video and audio files that firms store. Firms also may need to track scanner usage (who scans what, to where and when) and printer usage. In addition, ProofSpace, Xerox and other firms have developed technologies that authenticate and tamper-proof paper documents too. As these technologies become more widely available, they may find wide applicability in the financial service sector.
The uses and abuses of digital records have evolved significantly over the last six or seven years, and advisors cannot afford to fall behind the curve. The basic digital document management system you purchased a few years ago may no longer be sufficient to meet your regulatory, legal and security needs. If you are still relying primarily on a paper system, your risks are likely even higher.
This article has outlined some of the risks confronting advisors, as well as some methods for addressing those risks, but it is by no means comprehensive or exhaustive. Giachetti cautions that firms "should undertake their own regularly scheduled reviews to determine whether their systems can respond to the ever-increasing demands placed upon them."
If a firm does not have the in-house expertise necessary to perform this task, it should hire a consultant. Not sure if your system is good enough? David McClellan suggests trying this simple test: "Ask yourself, if you had to, how you would go about proving the authenticity of your business records to a regulator or a judge?" If you don't have a completely satisfactory answer, you might want to re-evaluate your current system.