As new technologies emerge and our industry continues to evolve, keeping information safe and secure becomes more and more important. It’s critical to understand cyber security from a basic protection standpoint, but financial advisors also need to know what they must do to stay compliant.
Recently, state regulators have increased their focus on privacy laws, specifically on the use, storage, transmission, and handling of client information.
The Compliance Updates Financial Advisors Need to Know
The SEC issued Regulation S-P, and the CFPB (Consumer Financial Protection Bureau) adopted Regulation P. Both regulations address your responsibility to provide initial privacy notices to your clients. These notices should outline how you handle their nonpublic personal information.
And if you’re state-registered, you probably need to create these notices for your clients, too. Most states have some version of a privacy requirement that mirrors the regulations above.
In an increasingly technology-based world, you shouldn’t anticipate any regulatory pull-back on this topic anytime soon. It’s advisable that all firms have an effective cybersecurity program that includes the necessary evaluations and testing of all technology used in the firm’s course of operations.
Much of the rationale behind this need is the compliance obligation to protect client information. But regulatory risk is not the only risk; reputational risk is substantial. The feeling of personal violation that comes with having one’s privacy compromised can do lasting damage to client relationships.
Some of the most common pieces of client information that fall under the category of nonpublic and personal include your clients’:
- Social Security Number
- Driver’s license or passport number
- State identification number
- Debit or credit card number
- Account number
And one of the most common ways we fail to secure that information? Accidentally sending it via unencrypted email.
How to Protect Client Information via Email
We have all been there. You draft an email, press send, and then immediately notice a mistake. Some email systems have a “recall” feature that lets you attempt to pull the message back, but recall generally works only while the message is still inside your own mail system and unread; once it has been delivered to an outside mailbox, it’s too late to turn back.
If the error you made includes sharing any of the above listed pieces of client information, then you have probably violated regulatory privacy requirements... unless you took the necessary steps to encrypt the email, or the attachment that carried the data, before sending it.
Use Email Encryption
There are numerous vendors available that offer services that assist you in encrypting your emails. But if you prefer not to pay for an additional service, there are other alternatives.
One option is to add a password to your PDF documents when you save them. Note that this protects only the attachment, not anything typed into the email body itself. Deliver the password out of band: call the recipient and give it to them over the phone, or tell them in the email that the password is something only they would recognize (i.e. “The password is the last 4 digits of your Social Security Number”). Be aware that a four-digit password has only 10,000 possible values, and password-recovery tools can try all of them against a PDF in seconds, so a longer passphrase given over the phone is the safer choice.
Obviously, it defeats the purpose to send the password in the same email.
Another viable option is to mask the sensitive items in the text itself. For example, if you send an email in reference to account number 1234-5678, most regulators would accept a message that shows it as xxxx-5678. Do the masking in the text, not by drawing a black box over a number in a PDF or image: the original text often remains underneath and can be copied out.
Don’t Fall into the Email Thread Trap
It is easier to remember to encrypt or mask personal data in an email you draft from scratch. But when you reply to client emails and the quoted history grows into a long chain, you risk falling into a compliance trap.
That’s because the longer the email chain, the harder it is to be sure you aren’t disseminating personal information buried further down. Remember, even if the client sent the personal information to you via email, if you reply without encrypting or masking it, the unprotected copy you sent can be treated as a violation by your firm.
Track Your Communications
One way to satisfy regulators in the area of securing client information is to maintain a log of each and every violation of client privacy that occurs within your firm. Make sure that your firm has proper supervision and archiving of email communications, and pull a sample of emails every once in a while to check for violations.
Document the review by date and time and if you have the resources, create a separate mailbox only for forwarding the emails that you have reviewed. Your log can be an Excel spreadsheet that documents the date, the time, any violations, who created the violation, and what corrective action was taken.
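The masking rule above (keep the last four digits), the thread trap (the client’s own quoted text still counts), and the sampled review log can all be put into one small pre-send check. The following is an added Python example, not code from the original post or from XY Planning Network. The Social Security, card and account-number formats it matches, the `dddd-dddd` account pattern in particular, and the archive layout are assumptions for illustration; a real firm would substitute its own formats and feed it from its email archive.

```python
"""Pre-send privacy check for an outbound email thread, plus a review-log helper.

Added example, not code from the original post. The account-number format
(dddd-dddd) and the archive/message layout are assumptions for illustration.
"""
import random
import re
from datetime import datetime, timezone

# Nonpublic personal information patterns, in priority order: a 16-digit card
# number is matched first so its "dddd-dddd" pieces are not re-reported as
# account numbers. The SSN and account formats here are assumptions.
PATTERNS = {
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account": re.compile(r"\b\d{4}-\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; filters 16-digit runs that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_npi(text: str):
    """Return (kind, start, end, quoted) for every hit in the whole message,
    quoted reply text included. A span already claimed by an earlier pattern
    is not reported again by a later one."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            if any(m.start() < e and s < m.end() for _, s, e, _ in hits):
                continue
            line_start = text.rfind("\n", 0, m.start()) + 1
            quoted = text[line_start:m.start()].lstrip().startswith(">")
            hits.append((kind, m.start(), m.end(), quoted))
    return sorted(hits, key=lambda h: h[1])


def mask(value: str) -> str:
    """Keep the last four digits and replace every other digit with 'x',
    preserving separators: 1234-5678 -> xxxx-5678."""
    total = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "x")
        else:
            out.append(ch)
    return "".join(out)


def mask_thread(text: str) -> str:
    """Mask every hit in the thread, working from the end so spans stay valid."""
    for _, s, e, _ in reversed(find_npi(text)):
        text = text[:s] + mask(text[s:e]) + text[e:]
    return text


def review_sample(archive, sample_size: int, reviewer: str, seed=None):
    """Pull a random sample from an archive of {"id", "from", "body"} dicts,
    scan each message, and return one log row per message with the fields the
    post suggests: date and time, reviewer, sender, what was found, action taken."""
    rng = random.Random(seed)
    rows = []
    for msg in rng.sample(archive, min(sample_size, len(archive))):
        kinds = sorted({kind for kind, _, _, _ in find_npi(msg["body"])})
        rows.append({
            "reviewed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "reviewer": reviewer,
            "message_id": msg["id"],
            "sender": msg["from"],
            "violation": ", ".join(kinds),
            "corrective_action": "masked and re-sent; sender reminded" if kinds else "none",
        })
    return rows


# Constructed sample thread: the advisor's reply sits above the client's quoted
# original, which is where most of the personal information actually lives.
SAMPLE_THREAD = """\
Hi Jane, confirming the transfer from account 1234-5678 went through.

> From: Jane Client
> Please move the funds from account 1234-5678. My SSN is 123-45-6789
> and the card on file is 4111-1111-1111-1111 if you need it.
"""

# Constructed archive for the review-log example.
SAMPLE_ARCHIVE = [
    {"id": "m1", "from": "advisor@example.com", "body": SAMPLE_THREAD},
    {"id": "m2", "from": "advisor@example.com", "body": "Your quarterly review is set for Tuesday."},
    {"id": "m3", "from": "assistant@example.com", "body": "Client SSN for the form: 987-65-4321"},
]

if __name__ == "__main__":
    for kind, s, e, quoted in find_npi(SAMPLE_THREAD):
        print(f"{kind:8} {SAMPLE_THREAD[s:e]:>22}  quoted={quoted}")
    print(mask_thread(SAMPLE_THREAD))
    for row in review_sample(SAMPLE_ARCHIVE, 3, "compliance", seed=1):
        print(row)
```

On the sample thread the scan reports four hits, three of them inside the client’s quoted text, and `mask_thread` reduces every one to its last four digits. The rows returned by `review_sample` carry the columns suggested above and can be written straight to a spreadsheet with `csv.DictWriter`.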
Accidentally failing to protect client information in email is a common occurrence. It happens! But with preparation, awareness, and proactive review, firms can decrease the number of client privacy violations that are committed via email.
About the Author: Scott Gill is the Director of Keeping Us Compliant here at XY Planning Network. Outside of the office, Scott enjoys watching sports, exercising, and operating the charitable organization he created upon his father’s passing. You can connect with him on LinkedIn.