
Ian McKenna: Advisers need to ramp up their data security


One of the stark differences between adviser conferences in the UK and the US is the amount of content on data security. No US event is complete without several sessions on it but here such discussions are conspicuous by their absence.

I expect this to change significantly this year. By 25 May 2018, all businesses in the UK need to comply with the EU’s General Data Protection Regulation. This will not change as a result of our forthcoming exit from the union.

GDPR considerably increases firms’ obligations and responsibilities. Under the new rules, far more data will be seen as sensitive, meaning advisers will need to substantially extend the list of items they treat with care. The rules about obtaining clear, specific consent to use data will also be far more demanding.

Firms that handle a significant level of consumer data (for example, any adviser operating in the workplace pensions or auto-enrolment markets) will be required to appoint a data protection officer.

Firms will also need to produce a privacy impact assessment in the event of a breach. The regulations also introduce an obligation to report any data breaches within 72 hours of being discovered. Such issues will need to be considered at the commencement of any data project.

This column is not intended as a full summary of the issues advisers need to consider in order to be GDPR compliant (that would take many articles) but hopefully it serves to highlight the fact firms must be thinking about it now.

Unnecessary risk

Meanwhile, there is another, perhaps more pressing, area in the context of data security. That is the way in which firms should protect any data being exchanged with clients and “insurers” via email.

It is approaching nine years since the then-FSA published its Data Security in Financial Services paper. This can still be found on its website at and is well worth another read. It highlights the view shared by both it and the Information Commissioner’s Office that laptops containing client data should not be taken outside the office unless the hard drives are encrypted.

It also identifies the use of web-based email as putting client data at unnecessary risk. At the time, the FSA found 65 per cent of a sample of small firms engaging in such poor practices. Based on my experience, I would estimate such breaches are still going on at around one in four adviser firms.

While email has become the standard method of communication between businesses and consumers, few people understand quite how vulnerable it is as a method of communication. It is the digital equivalent of putting your customer’s sensitive information on a postcard and sending it through the mail. This is true not just of webmail but all unencrypted email.

We need to find an industrywide answer to the question of secure email communications. The last attempt at doing so – Unipass Secure Mail – can politely be described as having had only limited success.

Searching for an adviser solution

I believe there are several reasons for this and important lessons to learn.

To be fit for purpose, an industry email solution must be capable of working through the complete supply chain: something advisers can use with those from life offices, platforms, asset managers and master trusts, as well as with their clients.

Such a solution should always leave a decrypted message with any recipient as a permanent record. It must be capable of operating in conjunction with the email software within any adviser client management systems, front office systems and client portals.

It should also be able to work with leading office software like Outlook 365 and Google Docs, as well as securing instant message accounts – another tool that is nowhere near as secure as people perceive.

Law firms are suffering massive losses on a regular basis due to poor email practices. It is a miracle we do not have a similar problem with advice firms.

This problem should have been resolved when the FSA prompted the industry nine years ago. Let’s find an answer soon before the FCA revisits the subject and starts imposing fines for failure to address the clear regulatory guidance.

Ian McKenna is director of the Finance & Technology Research Centre


  1. Couldn’t agree more Ian McKenna, we should expect to hear much more on data security in 2017 in light of GDPR

  2. Alistair Cunningham 26th January 2017 at 12:08 pm

    I find it totally baffling that after 30+ years of internet security email exists in its current form at all.

  3. The trick is not to use email. Encryption at least resolves the issues of “transit” but not either end of the chain. All too often, and financial services is not alone on this, both local and network security is poorly understood and enforced. The answer is to control the experience for both the adviser and the client, providing a safe haven where security can be guaranteed and rigorously monitored.

  4. Great article – something we’re constantly discussing with our customers who we’re helping remove paper from their businesses; maybe worth downloading our whitepaper about EDM and integrated portal.
