In the wake of a recent high-profile fine over gaps in the protection of confidential client data held in a CRM system, there has been a resurgence of chatter among independent broker-dealer firms about whether it is prudent to have “do-it-yourself” (DIY)-friendly policies for financial advisors who want to choose their own third-party tech solutions.
Much of this conversation will prove moot unless independent firms substantially reduce the human error and lack of control that emerge from the DIY tech model. Otherwise, the risk of DIY becoming DOA will escalate across the industry.
Tougher Regulations
First, some more context: Towards the end of last year, the state of Massachusetts fined Summit Equities $100,000 over gaps in due diligence. Summit allowed advisors to select their own CRM, and a number of advisors who chose Redtail stored sensitive client data on that platform without the broker-dealer’s oversight.
This approach let advisors keep accessing sensitive client data on the Redtail platform even after ending their affiliation with Summit. The broker-dealer’s offboarding policy called for removing such client data from the devices of exiting advisors, but it did not extend to third-party software, so access held through a vendor-hosted account was left in place when the advisor’s device was wiped.
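The gap described above is an offboarding control that stopped at firm-managed devices and never reached a vendor-hosted account. One practical check, added here as an example and not drawn from the article, Summit, or any CRM vendor, is to reconcile the firm’s affiliation roster against each third-party platform’s user export and flag accounts that are still active after separation, or that map to nobody on the roster at all. The roster, the vendor export, its column names and the as-of date are all constructed for the example; a real run would read the firm’s registration roster and a user export from every vendor platform the firm has inventoried.

```python
"""
Offboarding reconciliation: flag users who still hold active access on a
third-party platform after their affiliation with the firm ended.

Added example, not code from the article or from any broker-dealer or CRM
vendor. The roster and vendor export below are constructed inline.
"""
import csv
import io
from datetime import date

# Constructed firm roster: one row per advisor, with the date their
# affiliation ended (empty = still affiliated).
ROSTER_CSV = """\
advisor_id,email,affiliation_ended
A100,j.doe@example-bd.com,
A101,m.roe@example-bd.com,2018-09-30
A102,p.lee@example-bd.com,2018-11-15
"""

# Constructed user export from a vendor-hosted platform (e.g. a CRM).
# The status and last_login columns are assumptions about what such an
# export contains; real column names differ per vendor.
VENDOR_USERS_CSV = """\
email,status,last_login
j.doe@example-bd.com,active,2018-12-01
m.roe@example-bd.com,active,2018-11-20
p.lee@example-bd.com,disabled,2018-11-10
x.nobody@example-bd.com,active,2018-12-02
"""


def parse_date(s):
    """ISO date string -> date, or None for an empty field."""
    return date.fromisoformat(s) if s else None


def load_roster(text):
    """Map lower-cased email -> affiliation end date (None if still active)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].lower(): parse_date(r["affiliation_ended"]) for r in rows}


def load_vendor_users(text):
    """Map lower-cased email -> the vendor's user record."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].lower(): r for r in rows}


def find_orphaned_access(roster, vendor_users, as_of):
    """Return findings for vendor accounts that should not be active.

    Two cases matter for offboarding:
      * access_after_separation: the advisor left the firm on or before
        as_of but the vendor account is still active. If last_login is after
        the separation date, the access was actually used, not just left on.
      * unknown_user: the vendor account maps to nobody on the roster, so no
        offboarding trigger will ever reach it.
    """
    findings = []
    for email, u in vendor_users.items():
        if u["status"].lower() != "active":
            continue
        if email not in roster:
            findings.append({"email": email, "reason": "unknown_user"})
            continue
        ended = roster[email]
        if ended is not None and ended <= as_of:
            last = parse_date(u.get("last_login"))
            findings.append({
                "email": email,
                "reason": "access_after_separation",
                "used_after_separation": bool(last and last > ended),
            })
    return findings


def run(as_of=date(2018, 12, 3)):
    """Reconcile the constructed roster and export as of the given date."""
    return find_orphaned_access(
        load_roster(ROSTER_CSV), load_vendor_users(VENDOR_USERS_CSV), as_of
    )


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The check is only as good as the inventory behind it: a platform the firm does not know about never gets an export, which is exactly the blind spot the Summit case exposed. Run it per vendor on a schedule, and treat `unknown_user` hits as seriously as `access_after_separation`, since they are accounts nobody will ever think to disable.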
This isn’t really about the CRM system so much as it is about Massachusetts regulators taking a tougher stance than Summit expected. The case also raises difficult questions about how firms can build better risk controls within budget that meet regulatory standards, while satisfying the technology needs of DIY independent advisors.
Indeed, the case echoes broader data-protection issues captured by the Facebook-Cambridge Analytica scandal and the GDPR regulations imposed in Europe. Facebook CEO Mark Zuckerberg ultimately apologized last March for Facebook sharing sensitive data with Cambridge Analytica without the consent of millions of users. And since the General Data Protection Regulation took effect in the European Union in May, regulators in Austria, Germany, France and Portugal have penalized businesses for mishandling personal data.
Three Cardinal Rules For ‘DIY’ Advisors
Given this backdrop, here are three cardinal rules for independent broker-dealer firms that allow advisors to choose their own devices and software:
1. Monitor all activity involving sensitive data in use by representatives of the firm. Whenever employees, advisors or workers at third-party vendors access confidential data on firm-related individuals or on the firm itself, the firm ought to track activity involving that data and be in a position to prevent its misuse. That includes personally identifiable information such as names, dates of birth, addresses, phone numbers, driver’s license and passport numbers, Social Security numbers, website logins and passwords, and account information for financial and medical institutions. In practice this requires the firm to know which third-party platforms hold its data in the first place; the Summit case turned on a CRM the broker-dealer did not oversee, and a firm cannot monitor a platform it has not inventoried.