Tag Archives: FINRA

FINRA Updates Guidance on Social Networking for Brokers

Today, FINRA released updated guidance on brokers’ use of social media sites, clarifying items surrounding recordkeeping, suitability, supervision and content requirements for such communications.

The latest guidance is Regulatory Notice 11-39 and can be viewed on FINRA’s website.

Click here to view the notice on FINRA.org.

My summary: This notice deals with “personal devices for business communications,” i.e. tweeting with a personal smart phone. To simplify, yes, brokers can use personal smart phones and tablets to post social media updates provided they are:

  • trained on what’s allowed and prohibited according to the firm’s policies and procedures
  • using devices that do not automatically delete content
  • adequately supervised (perhaps by random spot checks) by registered principals

Tweets Cost One Broker $10,000, One-Year Suspension

I caught this article from the New York Times (thank you Pat Allen at AdvisorTweets) detailing one broker who was penalized for sending a series of “misrepresentative and unbalanced” messages on Twitter.

Click here to read Tweets Land Broker in Trouble.

FINRA brought disciplinary action against Jenny Quyen Ta for several violations, including undisclosed outside business activities, undisclosed outside brokerage accounts, and of importance to this post, undisclosed tweets. For violating several rules, Ms. Ta was fined $10,000 and suspended from associating with any FINRA member firm for one year.

Although I only picked this story up today, FINRA actually brought the disciplinary action forward on November 23, 2010. So this information has been around for half a year, but we’re hearing of it only now.

Ms. Ta posted at least 372 tweets from her Twitter account from April to December 2009, 32 of which contained “overwhelmingly positive” mentions of imminent price increases in Advanced Micro Devices stock (NYSE: AMD). One example of Ta’s tweets:

Its going 2 b a good Xmas & 2010! Ck out AMD! Like I have said, it should b @ least a $10B co. which should b @ $ 15/shs. HappyTrading!

Most readers would agree that this type of tweet is a blatant violation of FINRA regulations.

So don’t think FINRA isn’t watching social media activity for questionable content. And if you’re interested in reading the full disciplinary action report, click here.

Bug Affects Dropbox Security: What Advisers Need To Know

Just last week I wrote a post addressing Dropbox and its use by financial advisers. It’s worth reading, but the summary is:

  • If you are regulated by FINRA, don’t use Dropbox (or any web-based service where you place client information) without the approval of your broker-dealer’s compliance department. Even after approval, document what your policies and procedures are to keep client information safe.
  • If you are regulated by the SEC or state as a registered investment adviser, document the steps you take to protect the security and confidentiality of customer information placed on web-based services such as Dropbox. You may optionally apply your own encryption to files saved in Dropbox to better protect them from unauthorized access.

So what happened over the weekend?

During system maintenance on Sunday, June 19, Dropbox introduced a bug into its authentication mechanism. Click here to read Dropbox’s explanation of the issue.

In summary, for a period of about four hours, correct passwords were not needed to log in and access Dropbox accounts. All that was required was a valid email address associated with an active account.

Make no mistake, this is a serious security issue.

Anyone who guessed an adviser’s email address (or simply looked it up on the adviser’s website), where that address happens to be used for a Dropbox account storing client files, would have been able to access, view, and download those files without needing a valid password.

However, for advisers who encrypt or otherwise protect documents stored on Dropbox with access passwords, unauthorized access to the Dropbox account would not have yielded access to the contents of the files; only the file names would be visible (for password-protected documents).

The security lapse should never have happened, but it did. I said last week that adding an extra layer of security and/or encryption was optional. I feel I must be more specific in my recommendation of Dropbox.

If you choose to use Dropbox to store and share documents with client information, encrypt and/or password protect those documents prior to placing them in Dropbox.

Yes, this extra security makes sharing documents a bit more convoluted, as clients with whom you share files must remember the password required to access documents. But consider the alternative without the use of the extra layer of security in Sunday’s scenario.

And really, you shouldn’t have to apply your own security, but Dropbox isn’t touting their service for the enterprise market or regulated industries like financial services. They’re first and foremost a company providing a product for consumers. Should you choose to use Dropbox for client documents, take the necessary steps to better protect client information from unauthorized access.

Also, consider alternatives to Dropbox such as SugarSync, Carbonite, Egnyte, Wuala, and more. They’re worth investigating; perform your own due diligence on each.

Dropbox for Financial Advisers: Is it Safe? Secure?

Update 6/21/2011: A bug affected Dropbox’s password authentication mechanism on June 19. Read my follow-up post on what advisers need to know about the compromised security.

Financial advisers want to know: is Dropbox, the simple and convenient file storage service, safe and secure? The answer to that question may not be so clear.

Is Dropbox safe and secure?

Can I store and share client documents on Dropbox?

I get asked these questions about Dropbox, a simple and convenient file storage service based in the cloud, quite often at conferences and while consulting with financial advisers.

I’ve discussed Dropbox several times on FPPad (see The iPad for Financial Advisers and Wealth Managers, A Real Life Example of Productivity Tips in Action, and Dropbox Featured in Forbes; Tools Should “Just Work”), but have not specifically addressed security characteristics of the service as they apply to financial advisers and registered representatives.

Frankly, Dropbox’s security attributes have been a moving target as of late. That’s not necessarily a bad thing for the wildly popular service, used by more than 25 million people, but it is important that advisers take a close look at how Dropbox communicates regarding its security.

Is It Secure?

I won’t rehash the details of recent controversy over Dropbox’s changes to its statements on security here, but I do want to direct you to a resource that I feel fairly addresses the situation.

Over at TechRepublic, IT consultant Michael Kassner posted an interview with ChenLi Wang of Dropbox’s Business Operations. Read Kassner’s post to gain perspective on Dropbox’s changes to its security statements and how they apply to its users. Click the link below to read it first, then come back and continue reading this post.

TechRepublic: Dropbox: Convenient? Absolutely, but is it secure?

Security Discussion


Now that you have some background on the issue, let’s address security from the financial adviser’s perspective.

Without question, financial advisers collect and maintain personally identifiable information (PII) on clients in order to deliver financial advisory services. Both FINRA and the SEC have requirements in place that FINRA member firms and registered advisers must follow. SEC Regulation S-P, Privacy of Consumer Financial Information, is the primary rule by which advisers must abide to address the protection of client information and records.

With respect to Dropbox, what must advisers do to abide by the requirements?

If you operate under FINRA, you must first ask your broker-dealer’s compliance department what your options are when considering the use of cloud-based applications, including Dropbox. It’s likely your broker-dealer has performed due diligence on a select number of providers which likely include vendors of cloud-based CRM, portfolio management software, financial planning, and document management applications.

Empirically, some broker-dealers have approved the use of services like Dropbox for their registered representatives, while others prohibit its use. So I cannot provide specific guidance for those of you affiliated with a broker-dealer; check with them first.

If you are an SEC or state-registered investment adviser, you must have written policies and procedures in place that address the steps you follow to protect client information. If you elect to use Dropbox, document the steps you take that are designed to (taken directly from Reg S-P):

(i) insure the security and confidentiality of customer records and information;

(ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

From Kassner’s post highlighted earlier, Dropbox acknowledges that, in “rare circumstances,” a “small number of employees” are able to access user data according to the provisions in Dropbox’s privacy policy (e.g., when legally required to do so). Aside from the rare circumstances, Dropbox’s Wang went on to say:

We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

So let me challenge you, the adviser, with this question: What steps do you have in place to insure the security of client information stored on other web-based services? Have you performed similar due diligence on your CRM provider, online financial planning software, or even your online e-newsletter service? If you feel those services adequately protect the security of client information, how does that align with your confidence in Dropbox’s ability to provide similar protection?


Before concluding this post, let’s briefly address the option of using additional encryption. To better protect client information, records can be encrypted using third-party applications before they’re transferred to web-based services like Dropbox (though I know of no methods advisers can use to encrypt client data stored in, say, web-based CRM. Does that make it more vulnerable?).

Remember, Dropbox stated, “all files stored on Dropbox servers are encrypted (AES 256).” Is it necessary to add yet another layer of encryption to files stored on Dropbox? Perhaps. If additional encryption is applied to documents stored on Dropbox, even if the “small number” of Dropbox employees access files legally under “rare circumstances,” all they will see are encrypted files with no meaningful data.

So, yes, the use of third-party encryption such as TrueCrypt, SecretSync, and others mentioned in Kassner’s post, does add an additional layer of obfuscation to protect against information access by Dropbox employees. But does that mean it is required to comply with regulatory requirements?

I believe the answer is no.

Files are already stored encrypted on Dropbox. There’s a reasonable expectation that the files will remain protected from unauthorized access. Assuming select Dropbox employees do access stored files, citing the legal requirement to do so, that access is likely to be authorized, as it is in response to a request from law enforcement. If this were to happen to you, you probably would have more to be concerned about than Dropbox decrypting your files and providing them to law enforcement.

Best Practices

Let me close with what I believe to be best practices for the use of cloud-based storage services, including Dropbox.

If you’re a FINRA member, check with your broker-dealer’s compliance department before using any web-based service. Obtain approval before storing any client information on such services. Also, document your policies and procedures regarding the steps you take to protect client data when using web-based applications.

If you’re an independent registered investment adviser, document the policies and procedures you employ to protect client data when using any web-based service. For added protection, you may optionally apply third-party encryption where applicable, but I believe it is not a requirement to comply with SEC Regulation S-P rules.

Do you have practical information with respect to these best practices? Perhaps your broker-dealer has raised issues on web-based services that are not included here. Please leave comments and feedback below to help clarify what advisers need to do to protect client data stored in cloud-based services.


Full Disclosure: I use Dropbox every day; it significantly simplifies my life. I store both personal and company files on the service. However, I am neither SEC- nor state-registered, nor am I a FINRA member.

For those files that contain private or sensitive information, like social security numbers and bank account numbers, I add individual file password protection. All of these files are in PDF format, so I use Adobe Acrobat to encrypt all document contents with 256-bit AES and require a password to open the document.

Even Adobe PDF document passwords are not a 100% guarantee against unauthorized access. No password-based security system is. But with a combination of mixed case, numbers, and punctuation, the time required to brute-force the password may deter unauthorized users from attempting it and lead them to seek out more vulnerable targets instead. I feel that this level of protection is adequate for my personal situation and acknowledge that the benefits of using web-based services like Dropbox are compelling enough to accept the risk trade-off. Your situation may dictate different considerations.


BrightScope Launches Advisor Pages™, Aggregates SEC/FINRA Sources to Improve Adviser Search

One innovative company is attempting to change the way consumers search for financial advisers.

BrightScope, the San Diego, Calif.-based provider of independent investment research and financial data, today announced the release of BrightScope Advisor Pages™.

Click here to read the press release at MarketWire.com

Changing Search

In the past, consumers searching for financial advisers faced an uphill battle of gathering information from multiple disparate sources, including information publicly available from the Securities and Exchange Commission and the Financial Industry Regulatory Authority.

Often, consumers likely turned to search engines like Google and Bing to enter queries for advisers in their city, but the results offered no way to compare the basic information of one adviser to another.

Enter BrightScope Advisor Pages, where much of the public data is aggregated into one searchable database that supports filters to narrow search results. Adviser profiles include firm affiliation, contact information, registration type (Registered Representative of a Broker-Dealer, Registered Investment Adviser, or dually registered), and assets under management in addition to other information.

Adviser Search Legacy

Websites to search for financial advisers are not new. Roughly two years ago, a trio of sites were launched that provided a searchable database of financial professionals, including EvaluateMyAdvisor.com, FABeetle, and financeanswers.com. None of these sites are active today (hence the absence of hyperlinks). While we do not know the specifics of these sites’ reasons to shut down, we suspect that the controversial feature of allowing visitors to post ratings and reviews of advisers led to tricky compliance issues.

As many advisers subscribe to our blog, we recommend that you visit Advisor Pages and search for your own profile. If any data is incorrect, use the “Claim Your Profile” link to create a free account and contact BrightScope staff to correct the discrepancies.


FPPad Bits and Bytes for April 22

We spent the week finalizing details on several new speaking engagements and attended Redtail University in Dallas on Tuesday to get a better look at Redtail’s Project Leapfrog CRM (a name we’re fond of as Bill once wrote software for LeapFrog Toys).

See our speaking page to view details on new engagements added for FPA chapters and NAPFA conferences later this year.

Without further ado, here are this week’s stories of interest:

Commonwealth Finds Compliant Solution to Interactive Social Media from FA-Mag.com (additional coverage from AdvisorOne.com)

FPPad readers know about Commonwealth Financial Network’s relationship with Erado from our Bits and Bytes coverage on April 8. In June, Commonwealth will be the first broker-dealer to roll out what it considers to be a FINRA-compliant social media solution to its reps. What remains to be seen, though, is exactly who is responsible for creating and maintaining social media policies and procedures: Commonwealth’s compliance department, individual reps, or both?

Trust Company of America adds inexpensive Black Diamond technology — in its own way from RIABiz.com (and press release coverage from FA-Mag.com)

With an eye toward creating a slick package of integrated, easy-to-use software for breakaway brokers, Trust Company of America reported today that it became the latest asset custodian to make Black Diamond Performance Reporting part of its arsenal.

Make sure all your data are safe from InvestmentNews.com

Keeping client data safe has become even more important in light of all the sensitive information that is now being stored on portable devices.

Read the final part of an interview AdvisorWebsites.com conducted with Bill on financial adviser technology: Bill Winterberg Talks Technology: Part 4 (be sure to read Part 1, Part 2 and Part 3).

FPPad Bits and Bytes for February 18

We’re attending the T3 Conference as you read this (follow the Twitter backchannel under #T32011), but through the magic of the Internet we’re able to post our week in review of all things tech in financial planning.

This week’s stories of interest start out with the recent request by the SEC to review advisers’ use of social media:

SEC Wants To Follow You On Twitter, Facebook, LinkedIn, YouTube… at Forbes.com

(Bill’s comment: Reporter Halah Touryalai raises the fair point that the SEC might have better issues to tackle than to babysit advisers’ social media profiles. But such is the consequence of the regulatory environment to which advisers are subject. All it takes are a few tweets from fraudulent advisers to ruin it for everyone. Can you imagine “RT @bernardmadoff: Just one week left to enroll in our 8% monthly guarantee fund. Accredited investors only please!”)

File this one under: “There Are Better Things The SEC Can Be Doing.” Financial advisors’ online activity on social media websites is being scrutinized by the SEC, according to a compliance consulting firm and a report in Investment News.

FINRA to Look at Social Media–Again at Financial Advisor Magazine

The issue of how to deal with social media isn’t going away for regulators of the securities industry.

CRM systems for the big guys from InvestmentNews.com

For larger advisory firms, choosing the right CRM system is like selecting the right marriage partner.

TradeWarrior and AssetBook Announce Integration Partnership at Marketwire.com

TradeWarrior and AssetBook are pleased to announce an integration between their software programs. The integration partnership between the two companies will provide AssetBook users access to TradeWarrior’s powerful rebalancing and trading capabilities. This integration marks the first third-party rebalancing integration available to AssetBook users.

FPPad Bits and Bytes for January 28

Again, we’re busy behind the scenes working with new clients, preparing new presentations for upcoming conferences, and writing new content for columns and articles. Blog posts are sporadic, but we still reserve the best tech related stories for Friday’s Bits and Bytes update.

Here are this week’s stories of interest:

New Portfolio Management Software For Advisors; AdvisorEdge Looks Good from advisors4advisors.com

AdvisorEdge is a new portfolio management software (PMS) app that is being launched as a result of a partnership between Mike Kelly of Back Office Support Service and Matt Abar of FinFolio.

Making sense of document storage confusion from InvestmentNews.com

A good document storage system can offer convenience by allowing advisers and clients to share documents securely over the Internet, no matter where they are.

Take Digital Notes, Discreetly from MorningstarAdvisor.com

When attending conferences, advisors may find the process of using a laptop to take notes too obtrusive. Here’s one alternative that makes the process much more inconspicuous.

How a big Atlanta RIA kept sledding with technology after snow paralyzed the city from RIABiz.com

While most Atlantans spent the week ensconced at home, Balentine employees continued with business as usual with the help of laptops, iPads, iPhones, and NetX360.

One Year Later: Revisiting FINRA’s Social Media Usage Guidelines from CMSWire.com

A year ago FINRA, the regulator that oversees brokers and other financial advisors, released guidelines for social media usage. Since then, financial advisors have carefully tip-toed into the social media landscape, thanks to financial networking sites like LinkedFA.com and Smarsh.

FPPad Bits and Bytes for December 31

This is it, the final Bits and Bytes post of 2010. Bits and Bytes has drawn consistent traffic week after week, so we will continue our efforts to publish what we think are the best tech-related stories for financial advisers from around the web.

Here are this week’s stories of interest, and have a Happy New Year:

Custodians taking closer look at adviser compliance from InvestmentNews.com

Custodial firms have been raising the compliance bar for registered investment advisers, in some cases making it tougher for them to find a home.

Why B-Ds Should Embrace Social Media Now from Financial-Planning.com

Social media is the elephant in the room even if broker-dealer firms refuse to acknowledge its presence. Worse, continuing to do so could cost these firms their top talent as advisors migrate to platforms that help them be more productive.

Small Companies Look to Cloud for Savings in 2011 from WSJ.com

A growing number of small-business owners are expected to try cloud computing services next year, hoping to trim costs and stay up and running if disaster strikes.

Rock Point Advisors Leverages Advent’s Moxy(R) as a Standalone Solution from TradingMarkets.com

Advent Software, Inc., a leading provider of software and services for the global investment management industry, today announced that investment management firm, Rock Point Advisors, is enjoying the benefits of Moxy(R) as a standalone solution. Rock Point is one of the first advisory firms to use Moxy(R) in conjunction with PortfolioCenter(R), Schwab Performance Technologies’ portfolio management solution.

Independent Broker/Dealers Warming Up To Social Media

Like it or not, social media in financial services has been a recurring topic in the industry this year. The big question for FINRA-regulated registered representatives and SEC-regulated investment advisers is how to engage in social media activities without violating compliance rules (even after FINRA released its guidance on using social networking websites).

In the first significant step in the broker/dealer environment, Cambridge Investment Research announced that it plans to support its representatives’ use of social media by adopting compliance and monitoring software from Socialware.

Click here to read the announcement from Financial Planning Magazine online.

FPPad subscribers have read about Austin, Texas-based Socialware before and its tools that help advisers and representatives satisfy compliance requirements when using social media websites.

The fact that Cambridge is stepping up to the plate and giving the tentative green light to its reps means more and more financial professionals will be able to manage social media profiles to engage in conversations with clients and prospects.