Taking steps to protect your client data on platforms
How responsive is your platform to online security issues? Alistair Wilson, head of Retail Platform Strategy, Zurich, looks at adviser business security
Keeping data safe is vital for protecting client money and your reputation. Adviser businesses that don’t have rigorous safety measures in place expose everyone in the communication chain to additional financial risk.
Ensuring the basics are covered just makes good business sense. Having a robust policy around the use of passwords, their strength and their general availability in the office is a simple step. And yet evidence suggests there is more that can be done.
SplashData announced earlier this year that the password 123456 joins the top ten of the worst ever passwords, alongside “password”, “qwerty”, and “football”. It also claims that longer keyboard patterns are becoming common passwords, and that these are still not secure.
Understanding who in your business has access to client data and who is authorised to transact business on clients’ behalf is a first step. With more adviser firms transacting business online, have you considered who has access in your firm? Who has the authority and knowledge to carry out specific transactions on behalf of clients and who has online access are two very different questions, but equally important.
With the likes of bulk switching, rebalancing and withdrawing money now carried out online on behalf of clients, firms are exposed to the movement of thousands of pounds every day, so having a robust set of business rules seems eminently sensible.
A number of platforms recognise the importance of this and provide different levels of security, placing this at the very start of their online process. Through a hierarchical authorisation process, individual rights can be granted to different users. Firms can maintain strong controls around areas of higher risk, say, only permitting certain individuals to maintain and alter model portfolios or implement bulk switches. Not having such security increases the business risk if everyone in the firm can transact whatever and whenever they like. And increasingly, this can all be done outside of the office.
Of course, some platforms don’t operate this level of security, and firms may not appreciate that every user has full online permissions, enabling top ups, switches and much more to be actioned on behalf of the firm’s clients. This carries significant risk, and it is the firm that is responsible for any ‘unauthorised’ transactions carried out by its staff.
The risk can materialise in a number of ways: disgruntled staff, new members to the team, insufficient training and the like. There may be an urgent need to alter someone’s permissions and having the ability to complete this online, quickly and easily could be invaluable, rather than having to wait on the platform provider changing permissions on behalf of the firm.
It makes sense to understand the security available from your platform, and having a number of security-based questions is a good place to start when carrying out regular due diligence.
Online security is an increasing concern for everyone. Keeping clients informed of the firm’s security policy is important. Stating who has access to make changes to their online account can provide added peace of mind and reinforces that the firm takes the security of client information seriously.
Operating a business with the level of controls offered through some platforms provides control and reduces the risk to the business and the client. After all, if you outsourced to an investment adviser and you discovered everyone and anyone in their business had the opportunity to amend your client portfolios online, would you be concerned?
Remember to ask questions of your existing and future platforms about the security available to you.