Tag Archives: Compliance

FPPad Bits and Bytes for November 11

I’ve been back in Dallas for a week, but I still have yet to review and edit my notes from Schwab IMPACT 2011. Soon I hope to have two or three new updates on my feedback from conference breakout sessions, but consulting, new content development, and family obligations take precedence. Still, I’ve kept my pulse on the wires this week for the best in technology stories for financial advisers.

First, if you have a website, but are wondering what you can do to take it to the next level and convert visitors to clients, read this month’s column on Morningstar Advisor, How Marketing Automation Can Accelerate Client Growth.

All the major media outlets were on site at Schwab IMPACT 2011, so there were a number of stories released this week regarding related announcements. Most of them were good, but in this case, video content did a better job of addressing what the custodian is doing with its technology platform for advisers than print.

Here are two video updates from Schwab IMPACT worth viewing, one from InvestmentNews’s Davis Janowski interviewing Neesha Hathi and a second from James J. Green’s AdvisorOne, also interviewing Neesha Hathi.

Advisor Tested: Arkovi expands and archives a firm’s online footprint from RIABiz.com

[As an adviser in a regulated industry, you can’t tweet, post to Facebook, or interact on LinkedIn if it’s related to your business unless you archive and supervise your records. One tool that facilitates your compliance obligations is Arkovi, and Judy Messina gives a good rundown in this RIABiz Advisor Tested story.] As registered investment advisors flock to Twitter, Facebook and other social-media sites to establish themselves as thought leaders and connect with customers and other investment professionals, storing and keeping track of tweets, posts and other content for compliance purposes can seem like an exercise in herding cats.

And in related news, I think you might care a little bit about what might happen with the future of regulatory examinations for investment advisers.

Let RIAs Foot Their Own Examination Bill, Report Says from FA-Mag.com

[In a report commissioned by TD Ameritrade Institutional, Georgetown University finance professor James J. Angel proposed that RIAs should pay for their own periodic compliance examinations conducted by an outside third party. There’s merit to this idea, as RIAs who take custody of client assets today must subject themselves to (and pay for) a surprise audit by an independent public accountant that is registered with the Public Company Accounting Oversight Board (PCAOB).] Instead of the Securities And Exchange Commission (SEC) or the Financial Industry Regulatory Authority (Finra) examining RIA firms, the firms themselves should foot the bill for their own periodic compliance examination by using an outside body.

 

How to address compliance deficiencies with technology: Part 1

Last week the North American Securities Administrators Association (NASAA) released a statement addressing compliance deficiencies examiners frequently encounter when reviewing investment advisers. For the details of NASAA’s statement, click here to read Coordinated State Exams Identify Top Investment Adviser Deficiencies at nasaa.org.

In addition to citing the top five categories with the greatest number of deficiencies, NASAA recommended a “Best Practices” guide to assist advisers when developing compliance procedures. In today’s post, I’m going to review the first half of NASAA’s Best Practices and share my ideas how each can be addressed through the use of appropriate technology.

My aim is to identify tools, processes, and techniques designed to improve your advisory firm’s compliance practices as well as lower your direct expenses of following regulatory requirements (i.e. increase your profits). Note that not all of the Best Practices are below, since items like “Review and update all contracts” are fairly self-explanatory.

Let’s begin.

Best Practice: Prepare and maintain all required records, including financial records.

Solution: Document Management Software

If your firm has been examined recently, you’re familiar with the lengthy list of documents requested by examiners. They want records ranging from your company’s org chart all the way to your trade blotter for one or two years. While the specific documents requested can vary widely from firm to firm, you need an efficient system that enables you to store, search, and retrieve records. Without question, document management software is the best solution. Don’t only use it for client documents. As NASAA’s best practices say, you need to deliver financial records, too. So when you close your company’s financial books for the year, add in the final records to a company repository in your document management software. Doing so stores it for your later review, but also allows for easy retrieval (by those who have appropriate access rights, e.g. your CCO) during an exam.

Best Practice: Back-up electronic data and protect records.

Solution: IaaS, hosted servers, or online backup

This is not the first time you’ve heard this: you’re an adviser, not an IT person. So why do you continue to switch backup tapes on your server as a part of your morning routine? It’s time to adopt more progressive, cost-effective, and automated solutions to back up and protect your data. If you’re tired of managing your own infrastructure altogether, consider leveraging Infrastructure-as-a-Service (IaaS) platforms where you can “rent” servers, install your custom financial planning or portfolio software, and operate as if the server was located in your office. Services from Rackspace, Amazon, IBM and more give you this flexibility. There are also providers that cater specifically to the needs of advisers like you, including True North Networks that I featured in this Morningstar Advisor column.

If you’re not comfortable with moving your entire infrastructure off-site, then online backup solutions may be a compelling alternative. You can still maintain your servers in-house, but you can back up critical data to online providers. Carbonite, Egnyte, Mozy, and CrashPlan are just a handful of the many providers that support online backup.

But a word of caution: even if you successfully back up all your data to an online solution, you’re not backing up your applications installed on your server. Realistically, you need some kind of mirroring or imaging solution for your primary server so that you can bring up a secondary server on demand that features all the same programs and applications you use. Data backed up online is useless if you don’t have the software program required to open it.

Best Practice: Document all forwarded checks.

Solution: Document Management Software

What do you do with checks sent in by clients? Photocopy them and file paper in a binder? Stop it!

Instead, scan all the checks you receive to an electronic document, then file that document in your document management software, indexed and labeled with appropriate information. May I suggest Document Type = Client Check? Then you can retrieve all checks you’ve received by clients for any date range with a quick search in your document management software.

Best Practice: Prepare and maintain client profiles.

Solution: CRM

Most advisers know the value of a properly-implemented CRM system. But I suspect NASAA comes across a few firms that still don’t have a CRM, and thus have a hard time delivering any kind of systematized profile information regarding the clients they serve. With CRM, so many of a client’s characteristics are captured and recorded, making them easy to access every time an exam rolls around.

Best Practice: Prepare a written compliance and supervisory procedures manual relevant to the type of business to include business continuity plan.

Solution: Document Management Software

Still have a paper-based compliance manual that sits in the CCO’s office? And what about your spreadsheets that show when your firm last tested its business continuity plan? On a server somewhere?

Consolidate all of your compliance-related paperwork and workflow into a central repository stored in document management software. Better yet, make sure that you have access to that compliance repository when away from the office and in the event your office loses power. Remember the online backup and hosted servers I mentioned earlier? Your business continuity plan won’t do you much good if you can’t get into your building to read it. Move it into a secure system that gives you the ability to access it remotely and quickly retrieve those documents you created to prove you’ve tested your procedures. Another solution to consider for documenting compliance testing is Compliance11, covered in this Morningstar Advisor column.

More Best Practices in Part 2

That’s the first half of NASAA’s Best Practices. Check back later for Part 2 of this series where I finish the list with additional tools and techniques to simplify your regulatory compliance.

FPPad Bits and Bytes for September 9

Originally I hadn’t planned on posting a Bits and Bytes update today. I was on vacation until today and there were no relevant stories that came across my feeds. Then yesterday afternoon came.

While on my return flight to Dallas, my feeds and screens peppered me with updates from many of the major custodians including Schwab, TD Ameritrade, and Fidelity.

Say Goodbye to Paper-Based Compliance Practices

But first, my September column for Morningstar Advisor covers a technology product aimed at reducing the manual data-gathering process associated with compliance activities, namely trading supervision and pre-clearance approval. Go read it! Say Goodbye to Paper-Based Compliance Practices.

Now on to this week’s stories of interest:

TD Ameritrade to release customized version of Salesforce from FA-Mag.com

[So if you’re Schwab and announce a partnership with Salesforce in October 2010, then take a year to roll something out to advisers, someone might steal your thunder. That’s just what TD Ameritrade did this week as it announced the rollout of a customized version of Salesforce at about a 40% discount to advisers. I’m going to view the demo this afternoon and hope to report shortly thereafter.] TD Ameritrade Institutional (TDA) is putting final touches on a customized version of Salesforce that it will release in October.

Fidelity Rolls Out ‘Technology Investment Evaluator’ for Advisors from Financial Planning

[Not to be left out, Fidelity is providing its internal consultants with an Excel-based spreadsheet that helps rank the various tools available to advisers by how well the tool might meet advisers’ needs.] Fidelity Investments’ RIA custodian business has announced a new tool, Technology Investment Evaluator, to help advisors run their businesses more efficiently.

And on Monday, I posted that Schwab revealed its new Intelligent Integration website and formed a new subsidiary called Schwab Intelligent Technologies to support the effort.

For my thoughts on Salesforce, read Is Salesforce the future of adviser CRM?

FINRA Updates Guidance on Social Networking for Brokers

Today, FINRA released updated guidance on brokers’ use of social media sites, clarifying items surrounding recordkeeping, suitability, supervision and content requirements for such communications.

The latest guidance is Regulatory Notice 11-39 and can be viewed on FINRA’s website.

Click here to view the notice on FINRA.org.

My summary: This notice deals with “personal devices for business communications,” i.e. tweeting with a personal smart phone. To simplify, yes, brokers can use personal smart phones and tablets to post social media updates provided they are:

  • trained on what’s allowed and prohibited according to the firm’s policies and procedures
  • using devices that do not automatically delete content
  • adequately supervised (perhaps by random spot checks) by registered principals

Bug Affects Dropbox Security: What Advisers Need To Know

Just last week I wrote a post addressing Dropbox and its use by financial advisers. It’s worth reading, but the summary is:

  • If you are regulated by FINRA, don’t use Dropbox (or any web-based service where you place client information) without the approval of your broker-dealer’s compliance department. Even after approval, document what your policies and procedures are to keep client information safe.
  • If you are regulated by the SEC or state as a registered investment adviser, document the steps you take to protect the security and confidentiality of customer information placed on web-based services such as Dropbox. You may optionally apply your own encryption to files saved in Dropbox to better protect them from unauthorized access.

So what happened over the weekend?

During system maintenance on Sunday, June 19, Dropbox introduced a bug into its authentication mechanism. Click here to read Dropbox’s explanation of the issue.

In summary, for a period of about four hours, correct passwords were not needed to log in and access Dropbox accounts. All that was required was a valid email address associated with an active account.

Make no mistake, this is a serious security issue.

Anyone who guessed an adviser’s email address (or simply looked it up on the adviser’s website), if that address happened to be the one used for a Dropbox account storing client files, would have been able to access, view, and download those files without needing a valid password.

However, for advisers who encrypt or otherwise protect documents stored on Dropbox with access passwords, unauthorized access to the Dropbox account would not have yielded access to the contents of the files; only the file names would be visible (for password-protected documents).

The security lapse should never have happened, but it did. I said last week that adding an extra layer of security and/or encryption was optional. I feel I must be more specific in my recommendation of Dropbox.

If you choose to use Dropbox to store and share documents with client information, encrypt and/or password protect those documents prior to placing them in Dropbox.

Yes, this extra security makes sharing documents a bit more convoluted, as clients with whom you share files must remember the password required to access documents. But consider the alternative without the use of the extra layer of security in Sunday’s scenario.

And really, you shouldn’t have to apply your own security, but Dropbox isn’t touting their service for the enterprise market or regulated industries like financial services. They’re first and foremost a company providing a product for consumers. Should you choose to use Dropbox for client documents, take the necessary steps to better protect client information from unauthorized access.

Also, consider alternatives to Dropbox such as SugarSync, Carbonite, Egnyte, Wuala, and more. They’re worth investigating and performing your own due diligence.

Dropbox for Financial Advisers: Is it Safe? Secure?

Update 6/21/2011: A bug affected Dropbox’s password authentication mechanism on June 19. Read my follow up post on what advisers need to know about the compromised security.

Financial advisers want to know: is Dropbox, the simple and convenient file storage service, safe and secure? The answer to that question may not be so clear.

Is Dropbox safe and secure?

Can I store and share client documents on Dropbox?

I get asked these questions about Dropbox, a simple and convenient file storage service based in the cloud, quite often at conferences and while consulting with financial advisers.

I’ve discussed Dropbox several times on FPPad (see The iPad for Financial Advisers and Wealth Managers, A Real Life Example of Productivity Tips in Action, and Dropbox Featured in Forbes; Tools Should “Just Work”), but have not specifically addressed security characteristics of the service as they apply to financial advisers and registered representatives.

Frankly, Dropbox’s security attributes have been a moving target as of late. That’s not necessarily a bad thing for the wildly-popular service, used by more than 25 million people, but it is important that advisers take a close look at how Dropbox communicates regarding its security.

Is It Secure?

I won’t rehash the details of recent controversy over Dropbox’s changes to its statements on security here, but I do want to direct you to a resource that I feel fairly addresses the situation.

Over at TechRepublic, IT consultant Michael Kassner posted an interview with ChenLi Wang of Dropbox’s Business Operations. Read Kassner’s post to gain perspective on Dropbox’s changes to its security statements and how they apply to its users. Click the link below to read it first, then come back and continue reading this post.

TechRepublic: Dropbox: Convenient? Absolutely, but is it secure?

Security Discussion


Now that you have some background on the issue, let’s address security from the financial adviser’s perspective.

Without question, financial advisers collect and maintain personally identifiable information (PII) on clients in order to deliver financial advisory services. Both FINRA and the SEC have requirements in place that FINRA member firms and registered advisers must follow. SEC Regulation S-P, Privacy of Consumer Financial Information, is the primary rule by which advisers must abide to address the protection of client information and records.

With respect to Dropbox, what must advisers do to abide by the requirements?

If you operate under FINRA, you must first ask your broker-dealer’s compliance department what your options are when considering the use of cloud-based applications, including Dropbox. It’s likely your broker-dealer has performed due diligence on a select number of providers which likely include vendors of cloud-based CRM, portfolio management software, financial planning, and document management applications.

Empirically, some broker-dealers have approved the use of services like Dropbox for their registered representatives, while others prohibit its use. So I cannot provide specific guidance for those of you affiliated with a broker-dealer; check with them first.

If you are an SEC or state-registered investment adviser, you must have written policies and procedures in place that address the steps you follow to protect client information. If you elect to use Dropbox, document the steps you take that are designed to (taken directly from Reg S-P):

(i) insure the security and confidentiality of customer records and information;

(ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

From Kassner’s post highlighted earlier, Dropbox acknowledges that, in “rare circumstances,” a “small number of employees” are able to access user data according to the provisions in Dropbox’s privacy policy (e.g., when legally required to do so). Aside from the rare circumstances, Dropbox’s Wang went on to say:

We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

So let me challenge you, the adviser, with this question: What steps do you have in place to insure the security of client information stored on other web-based services? Have you performed similar due diligence on your CRM provider, online financial planning software, or even your online e-newsletter service? If you feel those services adequately protect the security of client information, how does that align with your confidence in Dropbox’s ability to provide similar protection?

Encryption

Before concluding this post, let’s briefly address the option of using additional encryption. To better protect client information, records can be encrypted using third-party applications before they’re transferred to web-based services like Dropbox (though I know of no methods advisers can use to encrypt client data stored in, say, web-based CRM. Does that make it more vulnerable?).

Remember, Dropbox stated, “all files stored on Dropbox servers are encrypted (AES 256).” Is it necessary to add yet another layer of encryption to files stored on Dropbox? Perhaps. If additional encryption is applied to documents stored on Dropbox, even if the “small number” of Dropbox employees access files legally under “rare circumstances,” all they will see are encrypted files with no meaningful data.

So, yes, the use of third-party encryption such as TrueCrypt, SecretSync, and others mentioned in Kassner’s post, does add an additional layer of obfuscation to protect against information access by Dropbox employees. But does that mean it is required to comply with regulatory requirements?

I believe the answer is no.

Files are already stored encrypted on Dropbox. There’s a reasonable expectation that the files will remain protected from unauthorized access. Assuming select Dropbox employees do access stored files, citing the legal requirement to do so, that access is likely to be authorized, as it is in response to a request from law enforcement. If this were to happen to you, you probably would have more to be concerned about than Dropbox decrypting your files and providing them to law enforcement.

Best Practices

Let me close with what I believe to be best practices for the use of cloud-based storage services, including Dropbox.

If you’re a FINRA member, check with your broker-dealer’s compliance department before using any web-based service. Obtain approval before storing any client information on such services. Also, document your policies and procedures regarding the steps you take to protect client data when using web-based applications.

If you’re an independent registered investment adviser, document the policies and procedures you employ to protect client data when using any web-based service. For added protection, you may optionally apply third-party encryption where applicable, but I believe it is not a requirement to comply with SEC Regulation S-P rules.

Do you have practical information with respect to these best practices? Perhaps your broker-dealer has raised issues on web-based services that are not included here. Please leave comments and feedback below to help clarify what advisers need to do to protect client data stored in cloud-based services.

 

Full Disclosure: I use Dropbox every day; it significantly simplifies my life. I store both personal and company files on the service. However, I am neither SEC- nor state-registered, nor am I a FINRA member.

For those files that contain private or sensitive information, like social security numbers and bank account numbers, I add individual file password protection. All of these files are in PDF format, so I use Adobe Acrobat to encrypt all document contents with 256-bit AES and require a password to open the document.

Even Adobe PDF document passwords are not a 100% guarantee against unauthorized access. No password-based security system is. But with a combination of mixed case, numbers, and punctuation, the time required to brute-force the password may deter unauthorized users from attempting it, sending them instead toward more vulnerable targets. I feel that this level of protection is adequate for my personal situation and acknowledge that the benefits of using web-based services like Dropbox are compelling enough to accept the risk trade-off. Your situation may dictate different considerations.

 

FPPad Bits and Bytes for May 27

This week’s Bits and Bytes is a big one! There are a few stories carried over from the previous week, as updating this page when traveling exclusively with an iPad is not the easiest thing to do, but a lot of great stories entered the wires this week, too.

And a reminder, Bill will be attending FPA NorCal next week in San Francisco, presenting Cultivating Clients in a Connected World on Wednesday afternoon. If you’ll be there, stop by and introduce yourself!

Here are this week’s stories of interest:

Choosing Software That Works for Your Advisory Firm—Part 6: Ensuring New Technology Meets Your Business Goals from AdvisorOne.com

The sixth update in a series by Spenser Segal of ActiFi designed to present best practices to advisors on how to choose, implement and monitor new technology for an advisory firm.

Compliance and Connectivity from Financial-Planning.com

Well, well, it seems that Bill’s presentation Cultivating Clients in a Connected World has persuaded Bob Veres to consider adopting social media for purposes other than marketing and search engine optimization. See what he has to say about advisers considering this new communication medium (and follow @bobveres on Twitter).

Smarsh Report Identifies Electronic Communications Compliance Gaps at Smarsh.com

Smarsh, the email and social media archiving solution provider, released results from a survey of compliance professionals regarding the use of electronic communications including social media. In summary, it confirms what you already know: compliance professionals aren’t up to speed on supervising and archiving electronic communication, specifically social media.

Tweet on the Street from NYTimes.com

Morgan Stanley is ready to unleash its 17,800 brokers into popular social media service Twitter (their archive and monitoring solution is Socialware). But nothing they post will be unscripted. Good luck with that, we say.

IPS AdvisorPro® and Redtail Integrate Technology Systems from IPSAdvisorPro.com

IPS AdvisorPro® and Redtail Technology announced the availability of a new data integration between their industry leading technology platforms for financial advisors. The new integration will streamline the preparation of Investment Policy Statements (IPS) by automatically populating IPS AdvisorPro® fields with client information contained in Redtail’s CRM solution.

After tortoise-like beginnings, AssetBook is now on-the-hop in portfolio management software from RIABiz.com

One smaller but fast-emerging portfolio management software firm is AssetBook. Based in McHenry, Md., it has burst onto the portfolio management software scene thanks to a recent marketing push and now has 150 firms using its services.

 

Arkovi and MarketeRIA® Partner to Facilitate Adviser Use of Social Media

Arkovi, a social media archiving provider, today announced a partnership with TripleStop, LLC, a marketing agency that offers a social media and web marketing solution to advisers called MarketeRIA®. The partnership will allow advisers to consolidate their website, content management, and social networking activities into one web-based dashboard that features archiving to satisfy regulatory requirements.

Click here to view the press release. (opens at Arkovi.com)

Regular FPPad readers will recognize Arkovi from our regular mentions of companies that provide social media archiving solutions to financial advisers.

Back in January of this year, we introduced TripleStop and its marketing platform in this post, MarketeRIA® Offers Advisors Social Media and Web Marketing Solution.

Adviser adoption rates of social media continue to rise, but one of the challenges advisers face is maintaining profiles spread across multiple networks and managing a consistent message and presence. Add to that the regulatory burden of capturing and archiving messages sent out through various networks, from short 140 character tweets on Twitter to ten minute videos posted to YouTube.

While we have yet to review the Arkovi-MarketeRIA integration, we are hopeful that it will provide a streamlined, consolidated platform advisers can use to efficiently manage their content and better connect with clients and prospects.