For instance, let’s talk about file reviews. Back in the day, your trusty compliance manager would drive to your office and review physical client files, probably stored in some kind of nifty filing cabinet setup.
These days, file reviews are done online. But we essentially still operate in the same way. Your trusty compliance manager downloads (and often prints out) a selection of client files and then reviews the contents.
The issue is, now that we are in the digital age, is it REALLY necessary or even OK for compliance managers to know exactly who all that juicy, intimate, financial information belongs to? Wouldn’t it be better for everyone if files were de-identified?
Maybe this is one of the reasons that people who work in financial services are so rubbish at getting financial advice themselves – the idea that god-knows-who will have access to their private information. It’s certainly given me pause for thought recently. And it definitely makes the case for the independent financial adviser.
Now, back to the issue at hand. I realise that, at the moment, client files can include pages of scribbled notes, voice recordings, hand-completed fact finds, and lots more. It’s not so easy to redact all this so that the names of the clients are removed. But it IS possible.
Where else might this be an issue? How about all the online systems that advisers use? Email, for instance. I know there are a number of enterprising advisers who have been building mini-fact finds using forms tech that send the client summary to your email. Quick and effective, yes. Not so good if your email gets hacked.
Or even the old-school approach of sending out a form that is then completed and emailed back prior to the first meeting. Imagine what someone could do if they got hold of all that information.
Ideally, personal client information will never go anywhere near your email. It’s just too much of a risk.
So, what’s the way forward? I think, for a start, you should be asking the following:
- Which systems (paper and digital) contain client data? Who has access to those systems and do they really need it?
- How secure are those systems – what would happen if someone got hold of your username and password?
- How are you managing passwords? Are they shared between staff members? Is access rescinded immediately when a staff member leaves the firm? Are you using a password management system so that every password is unique?
Talking about this stuff isn’t much fun. But it IS important, especially as the financial planning industry is taking such a beating in the media of late and trust is at an all-time low. And sort-out-able (is that even a word?). It just takes a bit of time and effort to set up the appropriate policies and procedures, and then stick to them. Possibly combined with some tough questions for your licensee.
Sarah Penn, managing director, Mayflower Consulting




Here’s a thought. Why not aim for a system of reduced red tape and a reduction in the multiple paperwork and we can go back to the days when we could afford the auditor to come to the office and look at hard copy files. Very much the online audit is the world of large banks trying to drive down costs.
Given that the “dealer Group” system we operate under is in fact the “technical” owner of your business and therefore your client files, it’s my guess they have all rights to the data, further evidenced by the fact that should you move on, all those clients you did work for and charged fees and commissions to need to be held by your old AFSL.
Clearly this person has never run an AFSL nor understood the legal requirements of an AFSL to write so much dribble about client file access.
James, I don’t know what you are on about. Their is the privacy act in Australia that the client believes they only want to give their personal info to the adviser. They don’t want it on x plan for all to look at nor X plan and other passwords sent overseas like banks paraplanning contractors in Manila etc. even to compliance people without authority. I don’t want my records going around the world via XPlan Coin etc!!! Where is the privacy commissioner on this???
Read the FSG and talk to ASIC. If ASIC comes to your office wanting to look at files, let’s see you stand up re privacy. Same with your AFSL.
It’s “there”, not “Their”.
If you’re using external paraplanners overseas you can limit their access on XPLAN to single clients at a time to avoid providing access to your entire client database. I’d suggest talking to someone at IRESS or your BDM (if you’re with a dealer group) about how to do this.