What the Apple-FBI feud means for financial advisers and privacy rights

Apple’s standoff with the FBI, which is trying to force the technology giant to provide access to a locked iPhone at the heart of the mass shooting probe in California, has prompted a discussion in the financial services industry over how far regulators can go to force advisers to give up data and in what ways advisers can ensure their mobile devices are being used appropriately.

There are many issues at stake in the Apple-FBI feud for advisers: It could mean self-regulators will get stricter with investigations, forcing advisers to concede personal devices or online accounts, or potentially face barring if they don’t cooperate, said Bill Singer, an attorney who specializes in the financial services industry.

The case also will push firms to question what role personal phones, laptops and tablets play in conducting business. Experts say, as far as privacy goes, Apple’s technology sheds a light on the necessity of encryption.

“It’s a ticking time bomb,” Mr. Singer said. “Apple will loom large for Wall Street.”

The use of personal devices already is tricky for financial services firms. Software providers have smartphone and tablet applications that advisers can use, and their emails are easily accessible on mobile devices. Some firms have policies in place that ban the use of personal email accounts, though they aren’t always followed. Mobile devices have become a mainstay in businesses across the industry.

Unlike with the government, the fifth amendment doesn’t always work with a self-regulator, such as the Financial Industry Regulatory Authority. When a self-regulator conducts an investigation, an adviser can plea the fifth, but it does not have to be accepted because the self-regulator is not a court of law. This was seen in the 1975 case U.S. v. Solomon, where an individual refused to answer questions the New York Stock Exchange asked. One reason an individual may plea the fifth is to protect himself from self-incrimination.

Finra did not respond to a request for comment, but the use of personal email accounts can be seen in numerous Finra cases.

CLIENT PRIVACY

For example, in 2014 an adviser refused to provide emails from his Gmail account, which was used for business and personal purposes, a Finra case showed. He was barred.

In 2013, a broker with Transamerica Financial Advisors was discharged because he had solicited an unauthorized investment opportunity and used a personal email for business without the firm’s approval. A similar situation occured in 2011 when Finra found a firm failed to comply with its recordkeeping and supervisory obligations because an adviser continuously disregarded a firm’s policy against using personal emails and the same happened in 2010.

Mr. Singer questioned if regulators will try harder to get advisers to comply with their investigations, demanding advisers come to an office and unlock their phones with a password, a fingerprint or the like.

Chris Chen, an adviser with Insight Financial Strategists in Waltham, Mass., said from the registered investment adviser’s standpoint, with a background in the information security industry, it is imperative Apple holds its ground in the case for the security of clients’ privacy.

He said all the information a regulator may need in an arbitration case can be found without handing over the device.

“There is no need to restrict the flow of information from the phone because it is available on the other side,” Mr. Chen said. “If I text you something, you have a copy of that text and so you can bring the copy of the text.”

CHANGING SECURITY

In Apple’s case, the FBI wants it to provide a so-called backdoor to a locked iPhone used by Syed Rizwan Farook during a mass shooting in San Bernardino, Calif. in December, where 14 people were killed and 22 were injured. The government, which stated Apple’s help would uncover clues about the terrorist attack, cannot access the contents of the phone, which would be erased after 10 incorrect password attempts. Apple has provided documents, but said it does not have a backdoor to break the phone’s security measures and does not want to create one because it will put future users at risk for a breach.

Sam Attias, chief executive of External IT, a cybersecurity and compliance company, said this case is bringing to light the details that go into safeguarding technology.

“Everyone in the technology world will look into the details of the level of security that Apple has on their devices and what the government is going to be allowed to access,” Mr. Attias said. “Software providers that have sensitive information will say we need to change security as a result of what they learned.”

Commonwealth, an independent broker-dealer firm based in Waltham, Mass., requires encryption on all portable devices, said Darren Tedesco, managing principal of innovation and strategy at Commonwealth Financial Network. He said the core lesson from the Apple case is the value of encryption on mobile devices. Apple is the only company that provides these devices natively encrypted, whereas other brands allow encryption but must be implemented by the owner.

“If there is any lesson gleaned, if you are not using an Apple product, you absolutely have to make sure you take the steps to make sure it is encrypted,” Mr. Tedesco said. “They should be encrypted in the future, and frankly, they should be encrypted now.”

Industry watchers say firms will need to find the delicate balance between allowing advisers to use their personal devices and monitoring them.

“Big institutions can no longer put their heads in the sand and ignore what employees may or may not be doing,” said Mike Byrnes, president of Byrnes Consulting. “If I were a big firm I would hesitate to come up with rules to no longer use electronic devices that [advisers] have grown addicted to … rather than prohibit these devices they have to get better at monitoring what is being done, just like any other communication tool.”

John Michel, chief executive of CircleBlack, a wealth management platform, said it is a matter of doing a better job of capturing electronic records of activities and communications.

“People are no longer tied to a desk and they don’t want to be tied to a desk,” Mr. Michel said. “In a mobile digital world, I think firms are recognizing that more and more … as firms we have to meet customers’ needs to want to use mobile devices but in a way that is secure and allows regulators to get what they need.”