Your client data – who has access?
Who has access to your clients’ data? I ask, because it’s occurred to me that really, only the adviser and their support people need to see identifying information. No one else.
For instance, let’s talk about file reviews. Back in the day, your trusty compliance manager would drive to your office and review physical client files, probably stored in some kind of nifty filing cabinet setup.
These days, file reviews are done online. But we essentially still operate in the same way. Your trusty compliance manager downloads (and often prints out) a selection of client files and then reviews the contents.
The issue is, now that we are in the digital age, is it REALLY necessary or even OK for compliance managers to know exactly who all that juicy, intimate, financial information belongs to? Wouldn’t it be better for everyone if files were de-identified?
Maybe this is one of the reasons that people who work in financial services are so rubbish at getting financial advice themselves – the idea that god-knows-who will have access to their private information. It’s certainly given me pause for thought recently. And it definitely makes the case for the independent financial adviser.
Now, back to the issue at hand. I realise that, at the moment, client files can include pages of scribbled notes, voice recordings, hand-completed fact finds, and lots more. It’s not so easy to redact all this so that the names of the clients are removed. But it IS possible.
Where else might this be an issue? How about all the online systems that advisers use? Email, for instance. I know there are a number of enterprising advisers who have been building mini-fact finds using forms tech that send the client summary to your email. Quick and effective, yes. Not so good if your email gets hacked.
Or even the old-school approach of sending out a form that is then completed and emailed back prior to the first meeting. Imagine what someone could do if they got hold of all that information.
Ideally, personal client information will never go anywhere near your email. It’s just too much of a risk.
So, what’s the way forward? I think, for a start, you should be asking the following:
- Which systems (paper and digital) contain client data? Who has access to those systems and do they really need it?
- How secure are those systems – what would happen if someone got hold of your username and password?
- How are you managing passwords? Are they shared between staff members? Is access rescinded immediately when a staff member leaves the firm? Are you using a password management system so that every password is unique?
Talking about this stuff isn’t much fun. But it IS important, especially as the financial planning industry is taking such a beating in the media of late and trust is at an all-time low. And sort-out-able (is that even a word?). It just takes a bit of time and effort to set up the appropriate policies and procedures, and then stick to them. Possibly combined with some tough questions for your licensee.
Sarah Penn, managing director, Mayflower Consulting