Data security concerns force the DC industry to cooperate

The recent Government Accountability Office report and even more recent Department of Labor guidance on cybersecurity hammer home the reality that protecting plan and especially participant data has become a fiduciary responsibility.

The defined-contribution industry is at a crossroads. Record keepers, advisers and money managers often compete in winner-takes-all battles, but to serve and protect clients, they must cooperate on cybersecurity and data access. Will that lead to sharing participant data?

The recent Government Accountability Office report and even more recent Department of Labor guidance on cybersecurity hammer home the reality that protecting plan and especially participant data has become a fiduciary responsibility.

The DOL cites the need to protect the $9.3 trillion in assets and 106 million participants in DC plans, as well as the 34 million participants in defined-benefit plans.

Is a DOL regulation to update the antiquated Employee Retirement Income Security Act enacted in 1974 imminent?

“The recent DOL guidance goes right up to the line,” Spark Institute executive director Tim Rouse said. “There’s too much at stake.”

The entire DC industry must come together to protect participant and plan data, although the retail or under-$500-million adviser-sold market lags its institutional brethren. There is also an opportunity to cooperate to create a standard file format for plan data and a road to sharing participant information. Protecting privacy was cited as a key concern by the DOL.

Like retirement, the need to protect data and create industry cybersecurity standards is a bipartisan issue. Similarly, no one argues against a standardized plan data format that record keepers can use to efficiently share information with their distribution and defined-contribution investment-only partners.

But participant data are the third rail and highlight the pending battle between record keepers and advisers that want to cross-sell participants.

Spark has taken the lead on data security, which makes sense given that its record-keeper members are in control of data. Spark’s data security oversight board has more than 40 members, mostly record keepers and institutional consultants. It was created after consultants began asking questions without really understanding the issues.

“Unlike fees and investments, none of the cybersecurity answers [in RFPs] were questioned,” Rouse said. Spark took the more than 1,500 questions its members received and organized them into 16 categories. Auditors analyzed cybersecurity procedures in a way the consultants could understand while protecting record-keeper proprietary practices.

Rouse and Spark members have also been trying to create a data consortium to come up with a standardized plan file format. Others have tried and failed since 2008, with the most recent attempt by the Depository Trust & Clearing Corp., which only delayed the industry attempts because of its complete lack of understanding of the DC industry and the data needs of all constituents.

Access to data and cybersecurity is heady stuff for most retirement plan advisers, who might be asking how it affects them and what they can do about it, both good questions. It reminds me of the early 2000s, with the introduction of investment fiduciary standards and professionals.

RPAs who aren’t part of larger organizations like a DC aggregator or broker-dealer will struggle to analyze whether their record-keeping partners are following industry standards and doing a good job. Unlike investments, cybersecurity is something that most RPAs don’t understand — most clients know more.

And while protecting client data is a fiduciary duty that will come under increasing regulatory and legal scrutiny, more important to the bottom line is access to participant data — the third leg of the financial wellness stool, along with technology and professionally trained financial coaches.

Record keepers have come together to create cybersecurity standards and will likely create a common plan data format. But those that have their own ambitions to monetize participants will be the last ones to share information. That, by the way, includes the top five providers that administer the majority of RPA-sold plans and are gobbling up competitors at an alarming rate.

Can advisers and their organizations come together to force record keepers to share participant data? It starts with having a seat at the table, with the first items on the menu being data security and standardized plan file formats.

Fred Barstein is founder and CEO of The Retirement Advisor University and The Plan Sponsor University. He is also a contributing editor for InvestmentNews’ RPA Convergence newsletter.