Vendors need to be held to a higher standard on privacy

Advisory firms should perform due diligence on how all their providers safeguard clients' personal information, including custodians, software and back-office services

Jul 25, 2019 @ 5:02 pm

By Sheryl Rowling

Not that long ago, keeping clients' data secure was easy. It merely required a lock and key. Now, with third-party providers, remote access and the use of internet platforms, keeping clients' personally identifiable information private is much more complicated — and vulnerable.

As cyber breaches occur on a regular basis (for example, Equifax, Yahoo, Marriott and Redtail), the risk to client data is increasing.

(More: Redtail isn't the only firm with cybersecurity issues)

Beyond data theft, we must determine how personal and financial data is used by third-party vendors. Are those third parties sharing information with their affiliated companies or profiting by selling it to others?

As advisers, we must be informed about the policies, procedures and culture of every person and entity that has access to client data. In fact, I believe it is our fiduciary duty.

A recent New York Times series on privacy noted that "platforms are under no obligation to protect user privacy. They are free to directly monetize the information they gather by selling it to the highest bidder."

(More: Ask these cybersecurity questions)

Data privacy is described in vendors' privacy policies. Yet how many of us actually read them? Some are very straightforward, while others are not. Envestnet Tamarac, one of the industry's leading providers, will not only share aggregated data with outside companies, it will also share your contact information and sell client results through its aggregator entity to others.

Here's an example: Envestnet Tamarac "collects information about you ... information included on your Client Profile and related forms — such as name, address, Social Security number, date of birth, assets and income — along with personal information about your account activity, including your transactions, balances, positions and history. For financial professionals utilizing our technology platform, [the firm] may make available your business contact information and information regarding the use of their investment strategies to third-party investment managers and exchange-traded funds, mutual funds, and similar investment vehicles."

So is your client data truly private and secure? Does it matter to you? To your clients? At what point will you discontinue doing business with a provider? Is sharing information with affiliated companies for marketing purposes OK? How about for joint marketing with non-related financial companies? Is it OK for your provider to distribute or sell "aggregated data?"

I believe advisers need to update internal policies about what we consider to be permissible use of our clients' data. For me, the line stops at anything beyond sharing information with corporate affiliates for marketing purposes. It is up to us to collectively take a stand to bring the changes our clients and our businesses deserve.

(More: 10 trends in cybersecurity you need to know)

We should perform due diligence on all providers, including custodians, software and back-office services. I suggest utilizing a checklist addressing business continuity plans, compliance documentation, privacy policies, cybersecurity protections, background checks on employees and more.

Finally, clients are hearing about — and experiencing — cybercrime, data breaches and invasions of privacy. One thing is universally true: Clients are concerned. Telling your clients how you protect their data is not only important, it can help build trust and enhance client relationships So please take this approach — you'll be glad you did.

(More: 4 top surprises from the new tax law)

Sheryl Rowling is head of rebalancing solutions at Morningstar Inc. and principal at Rowling & Associates.


What do you think?

View comments

Recommended next

Upcoming event

Oct 22


San Francisco Women Adviser Summit

The InvestmentNews Women Adviser Summit, a one-day workshop now held in six cities due to popular demand, is uniquely designed for the sophisticated female adviser who wants to take her personal and professional self to the next level.... Learn more


Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print