Do data-privacy rules make cross-selling more difficult?

Data privacy rules are causing concern that cross-selling retail products and services to 401(k) plan participants may not always be kosher.

Brokerage executives attending InvestmentNews‘ recent Retirement Plan Adviser Broker-Dealer Think Tank in New York said data security questions that have emerged in the wake of state legislation and scandals from large corporations like Facebook are changing the dynamic over the ownership of participant data.

It’s unclear whether financial advisers and other parties like record-keepers can use 401(k) participants’ individual information, such as investment choice and proximity to retirement, to sell them a product like insurance that’s outside the scope of a workplace retirement plan, executives said. It may also be a thorny issue for managed-account providers, since account aggregation may run afoul of the rules, as well as some financial wellness services, they said.

“Ultimately what I think all the regulations are saying is the participant owns their own data,” said Jon Anderson, head of retirement plan solutions at Cetera Financial Group.

“We want to provide holistic advice and what’s in the best interest of the individual. Sometimes that requires ancillary products,” Mr. Anderson said. “But the data environment is almost not allowing those conversations.”

There appear to be a number of new — and emerging — ways advisers and broker-dealers could be ensnared.

For example, the California Consumer Privacy Act, which gives consumers new rights regarding collection of their personal data, takes effect in January 2020. The law, passed in 2018, generally applies to large companies interacting with California residents, said Kevin Walsh, principal at Groom Law Group. Its ultimate impact on broker-dealers and the broader retirement industry is unclear, since some parties, such as the state’s attorney general, are still hashing out final details.

Nevada also signed a data privacy bill into law this year, though it differs from the California rule in that it only applies to operators of internet websites and online services. However, it signals growing interest among states for such data rules. Currently, New York, Texas and Washington are among the states seriously considering legislation, and there’s a bipartisan group working on draft legislation at the federal level, Mr. Walsh said.

The issue around investors’ 401(k) information plays into broader discussions playing out globally about how technology companies, such as Facebook, collect and leverage user data. The European Union has clamped down on data protection with its General Data Protection Regulation.

An open question in the retirement-plan industry is to what extent there already is federal law on the books, namely the Employee Retirement Income Security Act of 1974, which has jurisdiction in the realm of data security. Lawsuits have begun to address this issue, which examines whether data is considered a “plan asset.”

In one recent lawsuit settlement, Vanderbilt University agreed to tell Fidelity Investments, the record-keeper for the school’s retirement plan, to refrain from using participants’ information to cross-sell unrelated products and services unless participants request it. Lawyers said it was the first time they’d seen such a settlement provision in a retirement plan lawsuit.

Better products, services

However, not all parties believe the fuzzy legal environment will necessarily preclude brokerage firms and advisers from developing better products and services for 401(k) participants.

Christina Marschinke, senior vice president, retirement partners, at LPL Financial, said firms should focus on offering financial wellness services without needing access to all participant data.

“I think it’s very possible. We’re working on that,” she said. “You don’t need to have everybody’s balances to have a good wellness program.”

And although the data issue is more broadly visible, firms should be able to address whatever data laws are passed, said David Levine, principal at Groom Law Group.

“It’s not clear who owns what data and what the constraints are,” he said. “I think it’s definitely on people’s minds. But I wouldn’t say it’s stopped this entire cross-selling discussion at this point.”