Are advisers doing enough to keep client data secure?

Nearly six months on from the introduction of strict GDPR rules, IFA firms are under increasing pressure to prevent costly security breaches

Experts are questioning whether advisers are doing enough to safeguard client information as the market approaches the six-month anniversary of GDPR.

While the financial advice sector has seen advances in recent years, particularly in platform and back-office technology, potential issues remain over how financial planners communicate with their clients and how they collect and store client data, particularly in light of the new EU directive enforcing stricter rules on information security.

A report from consultancy Platforum earlier this year shows that relatively few advice firms offer digital services to clients.

More than a third of firms still do not offer a client portal to their platform. Secure messaging is only employed by 43 per cent. The study shows 38 per cent have an online fact-find form, 26 per cent have a digital upload service for documents and just 13 per cent offer an e-signature service.

This contrasts with a high client take-up. Nearly 90 per cent of firms say clients have used a platform portal when offered and around three quarters of clients took up the opportunity to use digital document drop-offs, online fact-finds, secure messaging and e-signing. Will this situation hold up in a post-GDPR world?

Fighting the fraudsters

Speaking at an Altus platform event in September, Nucleus chief executive David Ferguson said that when advisers use non-secure messaging such as email, there is a potential for scammers to try to target them and their clients.

He says: “In Nucleus’s history there have been [around] four successful fraud attempts, each of which occurred because the IFA’s email was hacked in order to create an instruction, and the IFA put an instruction on the platform that they essentially shouldn’t have because their systems or processes were compromised.

“When you think about what platforms can do to help with that, you can strongly encourage advisers not to take instructions over email because it is an insecure mode of communication and it is ultimately completely unacceptable that advisers think email is a forum for instruction handling. Platforms can offer other messaging capabilities to limit that threat. Whether platforms are start-ups or from institutions, they tend to be more institutionally minded on things like security than an IFA practice will be.

“Somewhere, advisers have got to recognise that the widest open door to these threats is in their processes, and platforms can play a role in closing that down.”

Money Marketing has heard from a number of sources that some advisers are still sending paperwork such as attitude-to-risk questionnaires to clients by post, and receiving potentially sensitive financial information in the same way, where it might easily be intercepted or falsified.

In the wake of GDPR, advisers are increasingly looking to third-party providers such as back-office systems for help on how to handle valuable client information.

Adviser view

Chris Daems
Director, Cervello Financial Planning

Here is what I would suggest for an IFA firm looking to improve data security:

1. Become as paperless as possible. Build processes into your business which mean that information comes in, gets scanned and uploaded to the cloud. It saves time, money and allows far more control over data.
2. Invest in a portal for your clients and use secure messaging as and when possible using it.
3. Have a three-stage authentication process for client requests, especially transactions. When a client emails us making a transaction-related request, we follow this process: Email from a client confirming request; call back to the client confirming the request came from them (we do not process a transaction until we speak to the individual who will then give us verbal confirmation of the email); secure email goes via the portal – if the client uses this – to confirm transaction.

At the recent Money Marketing Interactive Harrogate conference, advisers challenged technology providers speaking on a panel, including Intelliflo, over how secure their systems are, with the firm fighting back with details on its crisis testing, where it employs specialists to try to break down its defences in mock attacks.

Evestor chief executive Anthony Morrow says while only the biggest advice firms would be able to create their own secure data transfer or messaging systems, he would expect advisers to partner with third parties to ensure customer security.

He adds: “Most advisers are embracing technology, certainly around back offices, and those guys are championing paperless, secure client portals. Customers are going to be increasingly expecting this type of stuff. Secure messaging, secure data transfer; there’s a whole number of those things available for advisers to use. Even if traditional email channels are as secure as they could be, which is probably true, encryption is available.”

At Evestor, the security protocols in use apply both to the app and desktop versions of the company’s service, and run to levels of encryption that are industry standard for banks and other financial institutions.

Morrow says: “We sort of knew GDPR was coming. We had the good fortune of designing our process with that in mind, without retrofitting anything. I imagine more established businesses are now having to go back and redo some of their processes.”

How Tenet does data security
At Tenet, all of our advisers handle clients’ personal data that needs to be collected, stored and used securely.
To ensure our network meets these obligations we utilise our Tenet Advantage technology platform for our appointed representatives and a file share system with our directly authorised clients.
Tenet Advantage’s client management system allows advisers to upload client information securely and gives Tenet access without having to transfer sensitive data less securely, such as via email or post.
The file share system works in a similar way but restricts Tenet’s access to only those client files that require compliance services but without compromising the directly authorised firm’s internal system and its personal data.
Our advisers are handling large volumes of client data, but by using our technology platform and the file share system, the risks are significantly reduced, providing comfort to our advisers and also strengthening the trust between them and their clients.
Caroline Bradley is Tenet Group risk and regulatory director

Smart solutions

While the FCA rowed back on plans to introduce a requirement to record all telephone calls that were relevant to transactions under Mifid II rules, advisers still have to make some form of note of these discussions, prompting many to discuss technological solutions to storing vast quantities of meeting notes. New services have sprung up in an attempt to offer an easy solution where data can be held confidentially but also include searchable points, providing an additional boon for compliance and audit trails.

In the latest round of applications to the FCA’s Regulatory Sandbox, where innovative businesses can test new ideas, a number of financial technology firms will be demonstrating fresh ways to look at client verification and authentication.

With “data security, resilience and outsourcing” placed as one of the overarching priorities in the FCA’s business plan for 2018/19, financial planners are being urged to stay abreast of all the developments that could keep their clients’ information, and financial lives, secure.

Expert View

Roland Rawicz-Szczerbo
Advisers need to get their data under control

The reality is all the back-office systems do a fantastic job but they are built for the wrong business model. They are not a customer relationship management system automated around the client.

Advisers have had to set up their own survey and marketing platforms, so information and client data are spread across lots of systems. Post-RDR, with businesses not about product sales, firms have a challenge to get a comprehensive look at outputs so use Excel spreadsheets, meaning control of data is hard and delivering service efficiently is really difficult.

It’s about recognising the need to keep data in a standard way, with a CRM that is utmost about client process, supporting the way you work. Big firms I know like St James’s Place, Mattioli Woods and Old Mill use proper enterprise CRM systems. They are bomb-proof bunkers. Firms sitting on older systems that capture data via paper or on a local server need to recognise the importance of data and make sure it is looked after appropriately.

GDPR has changed everything. No business is immune from the impact. Unless firms really understand the consequences of getting it wrong, and therefore take steps to get it right, the industry is in danger. It’s an existential threat to the industry, period.

Roland Rawicz-Szczerbo is director of Time4Advice




There are 2 comments at the moment.

  1. There is so much rubbish talked about data security. No one system is the answer. Security has to be multi layered, and embedded in processes and systems. Whether on or offline, if you trust systems you are going to get hacked horribly at some point.

    Always be suspicious, always keep systems under review, and treat all single solutions promoted as providing the answer as just another part of the problem.

    Emails can be secure and often are, using the same secure protocols as the portals that providers and platforms are touting rely upon. The highest risk factor is complacency, or lack of knowledge.

    IT & IT security is not a peripheral activity that can have expertise outsourced. Firms need to have that expertise and the responsibility for implementing security in house, even if not the actual implementation, and if they don’t then they are taking on risk that they do not understand.

    Much of our job as investment advisers is ensuring clients understand the risks they are taking – well this is an area where we need to understand the risks we are taking. Much like investment there is no such thing as risk free – but to some extent at least we can choose the risks we take.

  2. This is a bit rich coming from platforms, the majority of whom only use “two-factor” authentication.
    In a previous Money Marketing article it was reported that statistics from the Investment Management Association in May 2014 showed the amount of money lost by clients through platform fraud had more than trebled the previous year to a record £1.8m. So it is the platforms that need to get their house in order before criticising adviser firms.
