Broker-dealers may need to re-evaluate policies regarding third-party adviser technology following a recent action by Massachusetts Secretary of the Commonwealth William Galvin.
Mr. Galvin's securities division fined Summit Equities, a New Jersey-based broker-dealer, $100,000 on Dec. 27 for failing to supervise registered representatives who mishandled information of Massachusetts clients held within third-party customer relations management software.
According to a consent order, Summit allowed advisers affiliated with the firm to select their own third-party CRM system. Four advisers opted to use Redtail CRM to store clients' private information, including names, addresses, phone numbers, dates of birth, Social Security numbers, account details, communication histories and adviser notes.
Summit had no access to or control over the data that advisers put into Redtail, and the firm was unable to monitor the data and who had access to it. After the advisers terminated their relationship with Summit, they were still able to access the client data through their CRM.
Though Summit has a policy to wipe all client personal data from a departing rep's devices, the policy was not in place for third-party technologies like Redtail. Mr. Galvin's office decided this violated the Massachusetts law requiring firms to protect investors' private information.
"The security of personal information is a very serious issue for me and my office," Mr. Galvin said. "It is more important than ever that companies gathering personal information keep that information as secure as possible."
Summit Equities did not respond to a request for comment.
Terry Lister, a legal consultant and former Waddell & Reed chief regulatory officer, believes this is the first enforcement action of its kind, and is a "shot across the bow" to IBDs to re-evaluate how policies regarding client data are being applied to third-party technologies.
Most IBDs allow for, and even encourage, advisers to select their own CRM systems, Mr. Lister said. But the technology is ultimately owned by the adviser and not the firm. As a result, there is no oversight in place for what data goes into the technology and no plan for an adviser leaving the firm.
"In the current environment we work in, the reps are going to have to recognize the fact that they can't just automatically assume that they can take that CRM data with them," Mr. Lister said.
Mr. Lister recommends firms take time to inventory every third-party technology used by advisers, what data those platforms store, and whether or not the data will need to be retrieved if an adviser leaves the firm. Part of the reason Summit was fined was the firm simply wasn't following its own rules, he said.
If this is the first case of its kind, Mr. Lister wonders if it'll slow technology adoption in the IBD space.
"Instead of having a plethora of different CRM systems … rethink that business model and think more about providing a CRM system for the firm that all reps will use and the firm will control," Mr. Lister said.
For Paul Ewing, CEO of Prosperity Advisory Group, the case raises questions about who ultimately has sovereignty over client data.
"In the IBD space, it's a long-held tradition that it's owned by the adviser," Mr. Ewing said.
The CRM has more than just identifying information, he said. It also contains meeting notes, financial planning information and records of client interactions, so how can the broker-dealer demand that information gets deleted, Mr. Ewing asked.
"Advisers have to ask the question: what are the rules at my firm?" Mr. Ewing said. "What does Cetera require? What does LPL require? Could we be in violation of the same rule?"
But what's most interesting to Mr. Ewing is that the broker-dealer has authority over information on a technology paid for and owned by the adviser, not the firm. What does this mean for third-party technologies like Redtail and how they work with IBD advisers going forward?
Redtail said it doesn't comment on client engagements.
Mr. Lister said he expects this is only the first case of regulators looking at how firms are governing advisers' third-party technologies.
"You're going to see more of this. Advisers either don't know or chose not to pay attention," Mr. Lister added. "Firms need to make sure that their advisers understand what the policies are in these areas and how it applied in all situations."