New technology and new demands for document security mean that even small firms must
upgrade their processes.
In 2001, document management within financial
advisory firms was still in its infancy. When Dave Drucker and I began
writing our first book, Virtual Office Tools for a High Margin
Practice, a small percentage of early-adopter firms had already
implemented a document management system, but few firms
stored all of their documents digitally.
Much has changed over the last several years.
Today's regulatory, legal and security environments demand a more
robust document management solution and advisors who downplay these
issues may find themselves doing so at their own risk. These days,
advisory firms are not only aware of paperless office technologies,
most are incorporating these technologies to some degree within their
practices. Unfortunately, some first-generation document management
technologies that many advisory firms employ today are already obsolete
or they will be soon.
What type of first-generation systems are at risk?
The most vulnerable ones are those that allow users to create and store
a digital file on a computer's hard drive (or on another storage
medium) without tracking operations undertaken on the digital file.
Such a system may incorporate built-in search and retrieval
functionality, or it might rely on the operating system's search
capabilities. In yet other cases, advisory firms rely upon Google
Desktop, Copernic Desktop Search or some other third-party program to
provide search and retrieval functionality.
Who typically uses such a system and what does it
look like? According to George Tamer, director of solutions consulting
at TD Ameritrade: "Advisory firms that are managing under $100 million
typically do not have a full document management system. They are
either storing files directly to the Windows directory, or they are
using something like PaperPort."
In other words, at a smaller advisory firm an
employee might scan a paper document to a PDF file using Adobe
Acrobat's scanning module, or they might scan a document to a TIF file
using another application. The file would then be named and filed in a
folder that is part of the Windows directory tree (e.g., C:\Documents
and Settings\Joel Bruckenstein\My Documents\Client Records\Jones
Family). Files that originated in digital format such as MS Word and
Excel files are stored in a similar manner. Typically, those files
would later be backed up to a WORM (write once read many) format.
Small firms might also use an application such as
PaperPort, which has many useful tools for scanning, annotating, filing
and retrieving files. By default, PaperPort creates a directory within
the Windows file structure. Folders become subfolders under the
PaperPort folder (e.g., C:\Documents and Settings\Joel Bruckenstein\My
Documents\My PaperPort Documents\Client Records\Jones Family). In
effect, PaperPort piggybacks on the Windows file structure without
interfering with it.
Previously, systems such as the ones described above
were a defensible compromise because of the high cost of better
alternatives. In addition, the superior search capabilities that even a
rudimentary digital system exhibited over a paper one were evidence that
some digital document management was better than none. This argument is
no longer valid. Let's look at some of the risks related to each of
these.
Regulatory
Document management and compliance experts say when
it comes to digital records, advisors often focus on narrow issues
instead of taking a more comprehensive, holistic approach. Advisors new
to digital documents often spend too much time pondering the benefits
of competing scanners, file formats, optical character recognition
software and backup systems. Less time is spent thinking about how
these technologies will complement the overall efficiency, security and
compliance culture of their firm.
According to Barry Schwartz, of Advisor Compliance
Associates: "Regardless of the system advisors use, they are required
to safeguard records and limit access to records. In addition, advisors
are required to help ensure that electronic copies of non-electronic
originals are true, complete and legible."
Furthermore, says Schwartz, privacy rules require
that advisory firms protect against anticipated threats or hazards to
security and integrity of records; ensure that senior management
understands how the systems work and establish procedures to monitor
the safeguards; disclose to clients policies and procedures regarding
the use and safekeeping of client records and information; and maintain
written policies and procedures to properly dispose of sensitive
consumer information.
Thomas D. Giachetti, chair of the securities group
at Stark & Stark, and one of the nation's leading authorities on
investment-related compliance matters cautions: "Technology is part of
the solution, but it cannot serve as a substitute for policies and
procedures, which must be specific to the firm and which should be
reviewed at least annually."
Lisa Roth, president of ComplianceMAX, notes that
some advisory firms may be underestimating the value of outsourcing to
unrelated third parties. Such an arrangement with a qualified provider,
she says, relieves advisory firms of the ever-changing technology
burden while allowing them to concentrate on their core competencies.
There's also a perception that records stored with a reputable third
party are less prone to tampering.
Legal Risks
Legal risks, like the risk of potential civil
litigation against an advisor, are less well understood than regulatory
risks, but they are potentially far more damaging. Many advisors
mistakenly believe that if their firm complies with SEC and NASD
regulations regarding document storage and retention, the
likelihood of those records being challenged in court is remote.
Nothing could be farther from the truth. Courts are increasingly
questioning the validity of firms' digital records.
In 2003, Vee Vinhnee, a California resident, filed
for Chapter 7 bankruptcy in the U.S. Bankruptcy Court in the Central
District of California. He owed American Express more than $40,000 on
his two credit cards. One was an American Express Gold card issued in
1989; the other was an American Express Platinum card issued in
February of 2003. American Express sued Vinhnee to get him to pay the
balances owed on the cards. In Vinhnee vs. American Express Travel
Related Services Company Inc., Vinhnee won his case without legal
representation and without even attending the trial.
The plaintiff's case rested on its own internal
computer records, the electronic monthly statements issued by American
Express, as evidence of Vinhnee's debt. The court refused to admit the
electronic records as evidence because the firm could not offer proof
to authenticate the records. Amex appealed and lost.
Why is this case important? Because it indicates
that firms may be required to authenticate their digital records if
they want them admitted in federal court, or any court for that matter.
This is one signal that the bar for entering digital records into
evidence could be higher than that of SEC regulations as they are
currently interpreted by many RIA firms.
A more recent opinion in the case of Lorraine vs.
Markel American Insurance Company dated May 4, 2007, contains a
detailed discussion of issues surrounding the admissibility of digital
records. In this suit, which dealt with lightning damage to a yacht
owned by Jack Lorraine and Beverly Mack and insured by Markel, both
sides offered e-mail as evidence to support their respective claims.
Although neither side challenged the validity of the other's e-mail,
Chief U.S. Magistrate Judge Paul W. Grimm rejected all offered e-mail
submissions on the grounds that they failed to meet the standard for
admission under the Federal Rules of Evidence. As part of his ruling,
Judge Grimm stated, "If it is critical to the success of your case to
admit into evidence computer-stored records, it would be prudent to
plan to authenticate the records by the most rigorous standards that
may be applied." Do the records of all RIA and B-D reps meet "the most
rigorous standards" test today? Clearly, they do not.
Grimm's opinion comes as no surprise to David
McClellan, vice president and general manager at ProofSpace. "Enron,
WorldCom and the mutual fund scandals have eroded trust in business on
the part of the public, the regulators and the judiciary. As a result,
the burden of proof is now on a business to prove that their records
have not been tampered with," he says.
Security
Most advisors are aware of the need for "security,"
but security from what? According to David Drab, a principal of
information content security services at Xerox Global Services and a
recognized authority on helping Fortune 1000 companies manage critical
information assets: "Most organizations rely on a tactical, technical
approach to security. They allocate their security dollars and
resources primarily to keep intruders (hackers, phishers, etc.) out of
the network."
While network security should not be overlooked, it
is only one aspect of keeping a firm's data safe. "Over 80% of security
incidents today are caused by insiders, not always knowingly or
maliciously, but they are damaging just the same," says Drab. Before
joining Xerox, Drab served as a special agent for the FBI. In that
capacity, he investigated organized crime, foreign intelligence and
terrorism.
Internal security threats to data can take many
forms. It could be a rogue employee who makes unauthorized copies of
client financial data for illegal purposes; it could be a non-employee
like a janitor who copies digital or paper records. It might be an
employee who inadvertently e-mails the wrong document, unencrypted, to
the wrong counterparty.
Securing data within the office is challenging, but it doesn't end there.
A mobile workforce adds to the security challenge.
The average knowledge worker today spends seven to eight years at a
job. When the worker moves on, asks Drab, "How do you make sure that
the company knowledge base does not move on too?" If a breach is
discovered after the worker leaves, the damage is already done. Even if
a crime has been committed, there is no guarantee that the perpetrator
will pay. If a former employee takes a job in India and takes critical
records overseas, the damage to your firm can be the same as if the
worker took a domestic job; however, the firm's recourse against the
former employee may be limited.
The evolution of distribution is what makes securing
information difficult. Once information is out of the secure office
environment, it can be distributed almost instantaneously over the Web,
through wireless networks and even by instant messaging. Think about
how quickly videos, music and celebrity photos are circulated on the
Web, whether legally or not!
Warns Drab: "If there is not a procedure in place to
identify what is critical, it won't be nailed down. If it is not nailed
down, it is going to be taken. If you do not have it nailed down, shame
on you."
Document Management 2.0
If basic document management is no longer
sufficient, what should firms be doing to mitigate the risks outlined
above? The answer will vary from firm to firm. However, almost any
modern solution will have some common elements.
The first step begins with a comprehensive
evaluation of the risks. Based on the unique nature of the firm, what
regulatory, legal and security challenges are you most worried about?
In all cases, firms must meet the requirements placed on them by
regulators, but often, exceeding the minimum requirements may make
sense. For example, a small firm with one or two employees might be
able to meet the e-mail retention requirement by backing up MS Outlook
.PST files daily, weekly or even monthly in-house, but for a modest
fee, that same firm can outsource the job to a firm that specializes in
e-mail retention for advisors. If a regulator wishes to inspect the
firm's stored e-mail, in which method do you think the regulator will
have a higher degree of confidence?
The same train of thought can be applied to the
legal risks. If the worst were to happen and your firm had to produce
digital records as evidence, would you be comfortable going to court
claiming that your digital files met all regulatory requirements? Or
would you prefer, as Judge Grimm suggested, "to authenticate the
records by the most rigorous standards that may be applied," or at
least something approaching that standard?
As for security risks, securing the network is not
enough. According to Dan Skiles, vice president of Schwab Institutional
Technology: "Firms often overlook the physical risks." If paper
documents, computers, external hard drives and the like are not
physically secured, they are vulnerable to theft.
Jo Day of Trumpet Inc. sees risks in the common
industry practice of hiring temps: "When firms go paperless, they often
hire temps to scan their historic files. We think this is a bad idea
due to the confidential nature of the information being scanned. We'd
much prefer to see relatives of the principals or their employees doing
the scanning."
When thinking about safeguarding digital documents,
says Ed Chase, standards engineer for Adobe Systems Inc., advisors need
to be aware of two distinct tools: rights management tools and
electronic signature or authentication tools. Rights management tools
are designed to protect documents. They control who can get access to a
document, what they can do with it (read, edit, copy and/or print) and
for how long. They generally include audit features as well.
Authentication tools are not designed to prevent someone from accessing
a document. Rather, they can help prove who did what when, or in the
case of some tools, such as ProofMark from ProofSpace, they can prove
what wasn't done, meaning they can prove that an electronic file was
not tampered with.
The next step, according to Giachetti, is to begin
compiling "a comprehensive set of policies and procedures to address all
issues that have been identified." Drab cautions that procedures must
take human nature into account. "That closes the gap between policy and
the real-world work environment," he says. The written policies and
procedures will be organic documents. They should be created in digital
format so they can be updated and distributed quickly and easily.
Once you have your policies and procedures refined,
it is time to start looking at implementation. As indicated earlier,
there is no one solution that will fit all firms, but one thing is
clear: Saving files to a Windows directory without any rights
management or audit trail is no longer acceptable.
For a small firm with two or three principals and no
support staff, or an office with a couple of principals and one
assistant, rights management may not be necessary because all firm
members will have access to all records. But in the future, even small
firms will be required to demonstrate who did what to a document, as
well as when they did it. That means that all firms will require some
sort of document management application, one that contains audit
capabilities. They also may wish to deploy software with versioning
capabilities. Versioning software allows firms to store multiple
versions of a document, so it is possible to view the evolution of a
document. For example, if a firm regularly reviews and updates its
compliance manual, they might want to have not only an audit trail,
showing when the document was changed and by whom. They also might want
to have a full copy of each version of the document as it changed over
time. Larger firms should consider some form of rights management, at
least for critical data and perhaps systemwide. Automated workflow
management and programmable retention policies are other desirable
features for larger installations.
Many document management systems offer rights management and/or
work-flow capabilities, either as part of the base product or as an
add-on. Other applications advisors are already using may also support
rights management. Junxure, a leading CRM application for advisors,
currently offers limited audit capabilities. Junxure 7.0, scheduled for
release in the fourth quarter of this year, will offer extensive rights
management and audit capabilities. PortfolioCenter, a popular portfolio
management and reporting package from Schwab Performance Technologies,
offers a rights management module as an option for a modest additional
charge.
Numerous document management vendors offer products targeting the
financial service industry. You can spend as little as $299 for a
single-user document management system with acceptable audit
capabilities, or you can easily spend tens or even hundreds of thousands
of dollars for a system with all the bells and whistles for a large
enterprise. Some of the better-known vendors include: Cabinet NG, CEO
Image Systems, DocuXplorer, Laserfiche, Trumpet Inc. (a firm that
offers solutions featuring Worldox) and Xerox. For enterprise rights
management, Adobe, Microsoft and Xerox are among the providers.
Firms concerned primarily with validating the integrity of documents
should keep an eye on ProofSpace. CEO Paul Doyle draws an analogy
between the Tylenol tampering scandal of the 1980s and recent document
tampering allegations. The Tylenol case profoundly changed the
packaging industry. It led to the wide adoption of tamper-proof
packaging. Actually, "tamper-proof" is a bit of a misnomer. What the
packaging actually provides, says Doyle, is a tamper indicator. The
indicator can't guarantee that the contents of the package are safe;
what it tells you is that the contents haven't been tampered with.
Doyle thinks that his firm's technology, ProofMark, can be the tamper
indicator of choice for the financial service industry. ProofMark puts
a "virtual tamper proof seal" on each document that is in the form of a
miniature time stamp. If even one byte of data within the file is
altered, the "seal" is invalid. ProofSpace hopes that ProofMark will
soon be incorporated into products and services that advisors currently
use.
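As an added illustration (not ProofSpace's code; the page does not describe how ProofMark is built), here is a minimal tamper indicator in Python: a keyed seal over the file bytes and a timestamp, which fails verification when a single byte or the timestamp changes but, like a tamper-evident package, says nothing about whether the sealed contents were correct to begin with. The key, the sample statement and the timestamps are constructed for the demo.

```python
"""Tamper indicator for stored records: a keyed seal over file bytes plus a timestamp."""
import hashlib
import hmac

# Constructed sample: a monthly client statement as it would sit in the document store.
STATEMENT = (
    b"Client: Jones Family\n"
    b"Period: 2007-03\n"
    b"Opening balance: 40000.00\n"
    b"Closing balance: 41250.00\n"
)

# Assumption: the sealing key (or, in a real service, the time-stamping authority) is
# held by a party the record keeper cannot quietly override; otherwise a tamperer
# could alter the file and simply re-seal it. The value below is a constructed demo key.
SEAL_KEY = b"constructed-demo-key-not-for-production"


def make_seal(document: bytes, sealed_at: str, key: bytes = SEAL_KEY) -> dict:
    """Seal = timestamp + HMAC over (timestamp || SHA-256 digest of the document)."""
    digest = hashlib.sha256(document).hexdigest()
    tag = hmac.new(key, f"{sealed_at}\n{digest}".encode(), hashlib.sha256).hexdigest()
    return {"sealed_at": sealed_at, "digest": digest, "tag": tag}


def verify_seal(document: bytes, seal: dict, key: bytes = SEAL_KEY) -> bool:
    """True only if the document bytes and the timestamp still match the sealed values."""
    expected = make_seal(document, seal["sealed_at"], key)
    # Constant-time comparison; the tag binds both the digest and the timestamp.
    return hmac.compare_digest(expected["tag"], seal["tag"])


def flip_one_byte(document: bytes, index: int) -> bytes:
    """Return a copy with exactly one byte changed (simulated tampering)."""
    return document[:index] + bytes([document[index] ^ 0x01]) + document[index + 1:]


def demo() -> dict:
    """Run the tamper-indicator scenarios and return the verification results."""
    seal = make_seal(STATEMENT, "2007-04-01T09:00:00Z")
    # A statement with a wrong figure, sealed as-is: the seal only proves it is unchanged
    # since sealing, not that it was ever correct (the tamper-indicator caveat).
    wrong_statement = STATEMENT.replace(b"41250.00", b"99999.00")
    wrong_seal = make_seal(wrong_statement, "2007-04-01T09:00:00Z")
    return {
        "intact": verify_seal(STATEMENT, seal),
        "one_byte_changed": verify_seal(flip_one_byte(STATEMENT, 60), seal),
        "backdated": verify_seal(STATEMENT, {**seal, "sealed_at": "2006-04-01T09:00:00Z"}),
        "wrong_key": verify_seal(STATEMENT, seal, key=b"some-other-key"),
        "wrong_content_still_verifies": verify_seal(wrong_statement, wrong_seal),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'seal valid' if ok else 'seal INVALID'}")
```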
Firms should also consider how they will deliver electronic content to
their clients. With e-mail, sensitive documents should be
password-protected and encrypted. Adobe Acrobat offers one option for
securing individual e-mail attachments. AttachPlus from Trumpet Inc.
offers a competing solution for securing attachments. Some e-mail
providers now offer turnkey integrated e-mail on an enterprise basis.
USA.NET and Network Solutions are two firms offering solutions that
integrate with MS Outlook.
Another, and many argue a better, method of sharing documents securely
with clients is through an "online vault." Generally speaking,
documents are uploaded to a secure Web site, where credentialed clients
can go to download them. Online vaults can be configured in various
ways. Some providers only allow advisors to upload documents for
retrieval; others allow both advisors and their clients the ability to
store documents online. Web site providers such as AdvisorSites and
LightPort offer online vaults. This functionality is also built into
some versions of Xerox DocuShare.
Other Considerations
This discussion has focused primarily on digital documents, but it really applies to all client information. Many of the concerns surrounding digital documents also apply to any photos, video and audio files that firms store. Firms also may need to track scanner usage (who scans what, to where and when) and printer usage. In addition, ProofSpace, Xerox and other firms have developed technologies for authenticating and "tamper proofing" paper documents too. As these technologies become more widely available, they may find wide applicability in the financial service sector.
In Conclusion
The uses and abuses of digital records have evolved significantly over the last six or seven years, and advisors cannot afford to fall behind the curve. The basic digital document management system you purchased a few years ago may no longer be sufficient to meet your regulatory, legal and security needs. If you are still relying primarily on a paper system, your risks are likely even higher.
This article has outlined some of the risks confronting advisors, as well as some discussion of methods for addressing these risks, but it is by no means comprehensive or exhaustive. Giachetti cautions that firms "should undertake their own regularly scheduled reviews to determine whether their systems can respond to the ever-increasing demands placed upon them."
If a firm does not have the in-house expertise necessary to perform
this task, they should hire a consultant. Not sure if your system is
good enough? David McClellan suggests trying this simple test: "Ask
yourself, if you had to, how you would go about proving the
authenticity of your business records to a regulator or a judge?" If
you don't have a completely satisfactory answer, you might want to
re-evaluate your current system.