RegTech Insights

Beware of breaching your fiduciary obligations related to client data

November 6, 2024
6
min read
About

Sid Yenamandra

Sid Yenamandra is the Founder and CEO of Surge Ventures, an esteemed entrepreneur and executive with a remarkable track record in the cybersecurity and technology sectors. With successful exits from three startups, Sid has left a lasting impact on the industry. Notably, he founded and led Entreda, a top provider of cybersecurity compliance software for financial services firms, which was acquired by K1 Capital and RegTech Unicorn Smarsh. Sid's leadership also included the acquisition of Privva, a leading provider of third-party vendor risk management software. His expertise in driving growth and innovation is further exemplified by his key roles at Plato Networks and PacketFX, both of which were acquired by prominent companies in the tech industry. With dual B.S. degrees in Electrical Engineering and Computer Science from UC Berkeley and a wealth of experience, Sid is widely recognized for his authoritative knowledge and ability to develop groundbreaking solutions in the cybersecurity landscape.

The industry has focused almost exclusively on cybersecurity controls over the past few years, instead of understanding what their core obligations and fiduciary responsibilities are for client data.

Being a fiduciary and acting in your clients’ best interest has become such a frequently repeated mantra in wealth management, it often elicits eye rolls and impatience. All financial advisors should have a fiduciary mindset when serving their clients because it’s the right thing to do. The issue is that while everyone is aware of their responsibilities when recommending and implementing investment solutions, advisors and their firms are woefully deficient about client data. Every minute of every day, even the most staunchly self-declared fiduciaries in the wealth management space are breaching their fiduciary obligations when it comes to protecting client data.

Being a true fiduciary in this digital age is increasingly more of a constant continuum of self-vigilance and activities as opposed to a one-and-done goal to be achieved.

While even a single data security breach can crush an advisor’s reputation and business, they can’t be expected to solve their client data privacy issue on their own. Wealth management firms need to be working on this issue to support their advisors. But is the industry currently structured to meet the escalating data security challenge? So far, the answer is an unfortunate no.

SAFEGUARDS RULE NOT GETTING THE ATTENTION IT SHOULD

The Securities and Exchange Commission is well aware of the sorry state of data security in the industry and adopted Rule 30(a) of Regulation S-P — commonly referred to as the Safeguards Rule — to ensure that protecting client data was front and center. This rule requires registered broker-dealers, investment companies and investment advisors to have written policies and procedures intended to:

  • Ensure the confidentiality of customer records and information.
  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
  • Protect against any anticipated threats or hazards to the security or integrity of customer records and information.

The SEC has taken enforcement actions against firms stemming from violations of the Safeguards Rule. In fact, more firms have gotten in trouble for data issues than cyber. This is going to get expensive quickly if changes aren’t made fast.

Whether they realize it or not, broker-dealers, RIAs and investment advisors are fiduciaries of their clients’ data. These wealth management firms must:

  • Understand what their data obligations are to the regulatory bodies, which may vary by jurisdiction.
  • Notify their clients about the opportunity and methods to opt out of the sharing of nonpublic personal information with nonaffiliated third parties.
  • Abide by the Safeguards Rule and the SEC’s guidance surrounding it and at minimum have:
  • Policies around how they safeguard client data
  • Knowledge of where all of their client data is — something many firms don’t have a handle on.
  • An understanding of who within their organizations has access to their client data.
  • Controls in place to make sure that they anonymize data to protect it with security controls.

Firms are acquiring data at an exponential rate and have been fixing issues as they arise in a patchwork fashion. This is untenable. The industry has also put the cart before the horse by focusing almost exclusively on cybersecurity controls over the past few years, instead of understanding what their core obligations and fiduciary responsibilities are for client data.

Looking at cybersecurity and trying to stop bad actors are commendable efforts, but firms haven’t paid nearly enough attention to data integrity and ownership. Many have been hesitant to focus too much on data for fear of being seen as some sort of “Big Brother,” watching their clients’ every move. With the SEC Safeguards Rule, ignoring data issues is no longer an option. But what to do about it?

ECOSYSTEM OF INNOVATIVE SOLUTIONS NEEDED

The industry needs new data security tools and services to protect clients and themselves from SEC enforcement. Having policies and procedures somewhere in a binder is great, but firms need the right kind of third-party innovation to turn written procedure into action. They can’t build these in-house — they don’t have the time or the expertise. Meanwhile there are a number of product innovations out there servicing horizontal markets. To bring those innovations to the wealth management industry is no simple task.

What the industry needs is to support a new kind of innovation platform, where startup companies are created by digital innovators who have a strong understanding of how the industry works and a deep-rooted connections to the data problem. We must foster an ecosystem of innovation made up of entrepreneurs, not just capital, because just throwing money at the problem won’t make it go away.

This is an urgent problem, and there’s no time to wait for solutions to be developed, tested and brought to market sequentially. We are so behind as an industry that development must happen in parallel. This will enable multiple innovators to focus on their respective lanes to solve various facets of the client data issue.

Sid Yenamandra is founder and CEO of Surge Ventures, a new SaaS venture studio initially targeting the financial services and wealth management industry.

Original Article: https://www.investmentnews.com/beware-of-breaching-your-fiduciary-obligations-related-to-client-data-232828

Take the next step

Let’s build something incredible together. Share your company details and connect with a Surge Ventures Expert to get started.