Nearly six months on from the introduction of strict GDPR rules, IFA firms are under increasing pressure to prevent costly security breaches
Experts are questioning whether advisers are doing enough to safeguard client information as the market approaches the six-month anniversary of GDPR.
While the financial advice sector has seen advances in recent years, particularly in platform and back-office technology, questions remain over how financial planners communicate with their clients and how they collect and store client data, particularly in light of the new EU regulation enforcing stricter rules on information security.
A report from consultancy Platforum earlier this year shows that relatively few advice firms offer digital services to clients.
More than a third of firms still do not offer a client portal to their platform. Secure messaging is only employed by 43 per cent. The study shows 38 per cent have an online fact-find form, 26 per cent have a digital upload service for documents and just 13 per cent offer an e-signature service.
This contrasts with a high client take-up. Nearly 90 per cent of firms say clients have used a platform portal when offered and around three quarters of clients took up the opportunity to use digital document drop-offs, online fact-finds, secure messaging and e-signing. Will this situation hold up in a post-GDPR world?
Fighting the fraudsters
Speaking at an Altus platform event in September, Nucleus chief executive David Ferguson said that when advisers use non-secure messaging such as email, there is a potential for scammers to try to target them and their clients.
He says: “In Nucleus’s history there have been [around] four successful fraud attempts, each of which occurred because the IFA’s email was hacked in order to create an instruction, and the IFA put an instruction on the platform that they essentially shouldn’t have because their systems or processes were compromised.
“When you think about what platforms can do to help with that, you can strongly encourage advisers not to take instructions over email because it is an insecure mode of communication and it is ultimately completely unacceptable that advisers think email is a forum for instruction handling. Platforms can offer other messaging capabilities to limit that threat. Whether platforms are start-ups or from institutions, they tend to be more institutionally minded on things like security than an IFA practice will be.
“Somewhere, advisers have got to recognise that the widest open door to these threats is in their processes, and platforms can play a role in closing that down.”
Money Marketing has heard from a number of sources that some advisers are still sending paperwork such as attitude-to-risk questionnaires to clients by post, and receiving potentially sensitive financial information back the same way, where it could easily be intercepted or falsified.
In the wake of GDPR, advisers are increasingly looking to third-party providers such as back-office systems for help on how to handle valuable client information.
Director, Cervello Financial Planning
Here is what I would suggest for an IFA firm looking to improve data security:
1. Become as paperless as possible. Build processes into your business which mean that information comes in, gets scanned and uploaded to the cloud. It saves time, money and allows far more control over data.
2. Invest in a portal for your clients and use secure messaging through it wherever possible.
3. Have a three-stage authentication process for client requests, especially transactions. When a client emails us with a transaction-related request, we follow this process: an email from the client confirming the request; a call back to the client confirming the request came from them (we do not process a transaction until we speak to the individual, who then gives us verbal confirmation of the email); and a secure message via the portal, if the client uses it, to confirm the transaction.
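The three-stage process above, modelled in Python as an added illustration (this is not Cervello Financial Planning's code, nor any back-office product's). The client records, field names and sample requests are constructed for the example, and one rule is an assumption the text does not spell out but which practitioners apply to defeat hijacked-mailbox fraud: the call back must go to the phone number already held on file, never to a number supplied in the email itself.

```python
"""Out-of-band verification of emailed transaction instructions.

Added example, not the firm's own code. Models three stages: email request,
call back on the number on file, portal confirmation where the client has one.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed client records standing in for the back-office system.
# The phone number on file is the only number an adviser may call back on.
CLIENTS = {
    "C100": {"email": "alice@example.com", "phone_on_file": "+441234567890", "uses_portal": True},
    "C200": {"email": "bob@example.com", "phone_on_file": "+441987654321", "uses_portal": False},
}


@dataclass
class Instruction:
    client_id: str
    from_email: str
    amount: float
    received: datetime
    callback_number: Optional[str] = None  # number the adviser actually dialled
    callback_confirmed: bool = False       # client confirmed the request by voice
    portal_confirmed: bool = False         # client confirmed via secure portal message


def record_callback(instr: Instruction, dialled: str, confirmed: bool) -> None:
    """Stage 2: log the call back exactly as made, including the number dialled."""
    instr.callback_number = dialled
    instr.callback_confirmed = confirmed


def record_portal_confirmation(instr: Instruction) -> None:
    """Stage 3: the client confirmed the same instruction through the portal."""
    instr.portal_confirmed = True


def verify_instruction(instr: Instruction, now: datetime,
                       max_age: timedelta = timedelta(days=2)) -> tuple:
    """Return (ok, reasons). ok is True only when every stage checks out."""
    reasons = []
    client = CLIENTS.get(instr.client_id)
    if client is None:
        return False, ["unknown client"]

    # Stage 1: the email must come from the address on file. On its own this
    # proves little, because a hijacked mailbox passes it; it only fixes which
    # client record the later checks are measured against.
    if instr.from_email.lower() != client["email"].lower():
        reasons.append("sender address does not match client record")

    # Stale requests are re-verified from scratch rather than acted on.
    if now - instr.received > max_age:
        reasons.append("request older than %s" % max_age)

    # Stage 2: verbal confirmation on the number held on file. A number quoted
    # in the email is treated as attacker-controlled until proven otherwise.
    if not instr.callback_confirmed:
        reasons.append("no verbal confirmation recorded")
    elif instr.callback_number != client["phone_on_file"]:
        reasons.append("call back went to %s, not the number on file" % instr.callback_number)

    # Stage 3: portal confirmation where the client has a portal account.
    if client["uses_portal"] and not instr.portal_confirmed:
        reasons.append("portal confirmation missing")

    return (not reasons), reasons


def genuine_request() -> tuple:
    """Constructed happy path: real client, call back on file number, portal confirmed."""
    now = datetime(2018, 11, 1, 9, 0, tzinfo=timezone.utc)
    instr = Instruction("C100", "alice@example.com", 25000.0, now - timedelta(hours=3))
    record_callback(instr, "+441234567890", confirmed=True)
    record_portal_confirmation(instr)
    return verify_instruction(instr, now)


def hijacked_mailbox_request() -> tuple:
    """Constructed fraud attempt: the attacker inside the client's mailbox sends
    from the genuine address and quotes a 'new' phone number. An adviser who
    dials that number speaks to the attacker, so the number-on-file check fails,
    and there is no portal confirmation because the attacker has no portal login."""
    now = datetime(2018, 11, 1, 9, 0, tzinfo=timezone.utc)
    instr = Instruction("C100", "alice@example.com", 25000.0, now - timedelta(hours=1))
    record_callback(instr, "+447000000000", confirmed=True)
    return verify_instruction(instr, now)


if __name__ == "__main__":
    print("genuine:", genuine_request())
    print("hijacked:", hijacked_mailbox_request())
```

The point of `verify_instruction` is that a convincing email from the right address changes nothing: the decision rests on a channel the attacker does not control (the phone number and portal account the firm already holds), and every reason for refusal is recorded so the audit trail shows why an instruction was not executed.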
At the recent Money Marketing Interactive Harrogate conference, advisers challenged technology providers speaking on a panel, including Intelliflo, over how secure their systems are, with the firm fighting back with details on its crisis testing, where it employs specialists to try to break down its defences in mock attacks.
Evestor chief executive Anthony Morrow says while only the biggest advice firms would be able to create their own secure data transfer or messaging systems, he would expect advisers to partner with third parties to ensure customer security.
He adds: “Most advisers are embracing technology, certainly around back offices, and those guys are championing paperless, secure client portals. Customers are going to be increasingly expecting this type of stuff. Secure messaging, secure data transfer; there’s a whole number of those things available for advisers to use. Even if traditional email channels are as secure as they could be, which is probably true, encryption is available.”
At Evestor, the same security protocols apply to both the app and desktop versions of the company's service, using levels of encryption that are standard for banks and other financial institutions.
Morrow says: “We sort of knew GDPR was coming. We had the good fortune of designing our process with that in mind, without retrofitting anything. I imagine more established businesses are now having to go back and redo some of their processes.”
While the FCA rowed back on plans to introduce a requirement to record all telephone calls that were relevant to transactions under Mifid II rules, advisers still have to make some form of note of these discussions, prompting many to discuss technological solutions to storing vast quantities of meeting notes. New services have sprung up in an attempt to offer an easy solution where data can be held confidentially but also include searchable points, providing an additional boon for compliance and audit trails.
In the latest round of applications to the FCA’s Regulatory Sandbox, where innovative businesses can test new ideas, a number of financial technology firms will be demonstrating fresh ways to look at client verification and authentication.
With “data security, resilience and outsourcing” placed as one of the overarching priorities in the FCA’s business plan for 2018/19, financial planners are being urged to stay abreast of all the developments that could keep their clients’ information, and financial lives, secure.
Advisers need to get their data under control
The reality is all the back-office systems do a fantastic job but they are built for the wrong business model. They are not a customer relationship management system automated around the client.
Advisers have had to set up their own survey and marketing platforms, so information and client data are spread across lots of systems. Post-RDR, with businesses no longer about product sales, firms struggle to get a comprehensive view of outputs, so they use Excel spreadsheets, meaning control of data is hard and delivering service efficiently is really difficult.
It's about recognising the need to keep data in a standard way, with a CRM that puts client process first and supports the way you work. Big firms I know, like St James's Place, Mattioli Woods and Old Mill, use proper enterprise CRM systems. They are bomb-proof bunkers. Firms sitting on older systems that capture data via paper or on a local server need to recognise the importance of data and make sure it is looked after appropriately.
GDPR has changed everything. No business is immune from the impact. Unless firms really understand the consequences of getting it wrong, and therefore take steps to get it right, the industry is in danger. It’s an existential threat to the industry, period.
Roland Rawicz-Szczerbo is director of Time4Advice