By now, most state and federally regulated RIAs have complied with the Gramm-Leach-Bliley Act and sent privacy notices to clients. But even as the notices are being mailed in time for the July 1 deadline to establish a privacy policy, a backlash by consumers is beginning. And who can blame them?
“As a privacy statute, Gramm-Leach-Bliley is narrow and poorly conceived for financial services,” says Joel Reidenberg, a professor of information privacy and Internet law at the Fordham University School of Law in New York. “The statute, through regulations like S-P promulgated by the SEC, imposes cumbersome notice obligations on financial institutions with no real privacy protection.”
G-L-B was passed in November 1999, with its main goal being the dismantling of the Glass-Steagall Act. But G-L-B also included a provision protecting consumers from privacy violations.
This part of G-L-B required seven federal agencies, including the SEC, to promulgate rules enforcing the statute. The SEC put forth Regulation S-P and it became effective in November 2000, but RIAs, brokerages, and other financial institutions have until July 1 to comply with the law.
Most households have likely received by now multiple notices from financial institutions disclosing their privacy policies. Although the notices may protect consumers from totally sleazy practices, the rules leave some gaping loopholes. It makes you wonder who is really being protected.
I know that what I’m about to say isn’t politically correct. After all, why should I be decrying a lack of regulation of the financial industry? In addition, I’ve developed great respect for the people at the SEC over the 15 years that I’ve covered the agency’s actions. In fact, after I wrote a first draft of this story, I slept on it and thought I might soften it because I was being too critical of the law and the SEC rules implementing it. But when I woke up and checked my e-mail, I found this note from Peter Lucier, an advisor in Temecula, California.
Andy:
This whole privacy thing seems to be much ado about nothing for regular advisors. Many of us small fries don’t own banks, loan companies, mortgage companies, partner with mutual funds, or sell insurance. As a result, we tend to not share our clients’ data with anyone. I am not trying to squeeze every penny of profit from each client by cross-selling everything in the world to them, so sharing with affiliates and third parties isn’t an issue. But we had to study this, pay a compliance consultant to help us and maintain the notifications, do mailings, etc.
Very expensive way to make the abusers toe the line. By the way, have you seen these new disclosures? The opt-out stuff is so small and hard to find most people aren’t going to opt out and nothing will have been gained. The big guys won again and we will all pay the price for that.
Lucier nailed it. Wirehouses and financial conglomerates that want to share information about clients among affiliates are the ones who will benefit from this law. Most RIAs and independent reps don’t have affiliated subsidiaries. In other words, independent financial advisors have far less to gain from this lax consumer protection measure than large institutions.
“RIAs will be tarnished by the things that the large investment firms will do,” says Reidenberg. “They don’t have formal affiliations. The large conglomerates will be sharing every bit of information they can with their affiliates.”
“The overarching import of this law is to provide a benefit to financial companies,” says Daniel Solove, a privacy law expert and professor of law at Seton Hall University in Newark, New Jersey. “The law grants freedom to financial companies to do what they want and they need only be very vague in disclosing categories of information they share. This law makes it difficult to be informed fully about what’s happening with your personal information because the notices are very, very vague and the vast majority of consumers will take these notices and throw them out,” says Solove.
Reidenberg says the disclosures will allow financial conglomerates to abuse consumer data. “The typical disclosure simply says that a company shares information with affiliates, but you don’t know who the affiliates are,” he says. “Even if you’re a lawyer and read the notices carefully, there’s almost no way for you to truly know who the entities are that receive the information and what specific uses the entities will make of the information.”
To some degree, independent financial advisors will benefit from the generic disclosures G-L-B imposes. It keeps it easy for you to hire third party companies to help you service clients and market to them. But in addition to being financial advisors, independent advisors are also consumers. And, with all the talk in the profession about protecting the public, it’s only right to recognize when consumers are being abused. So at the risk of sounding like Dennis Miller, I’ll continue my rant about what’s wrong with G-L-B by focusing on where disclosures to clients of independent RIAs might be inadequate.
For independent RIAs, complying with the privacy rule has been pretty easy. The Financial Planning Association provided a tool kit on its Web site (www.fpanet.org) offering sample disclosures you can make to clients; the Investment Counsel Association of America (www.icaa.org) and the SEC Web site (www.sec.gov) also have sample paragraphs an advisor could use.
To summarize the rules very briefly, the privacy notice needs to be made annually. RIAs also need a policy for safeguarding client data. You need to present the policy and disclosures about what you do with client data to clients annually, generally by mail so receipt can be confirmed. In putting RIAs on the hook in writing, the disclosures do establish a minimum standard.
The rules say you must disclose to clients annually your policy on how you treat their nonpublic information. Nonpublic information isn’t just your client account data, by the way. It would include even a simple list of your client account names and addresses.
Practically speaking, independent RIAs are extremely unlikely to share their client list because it is such precious information. But this disclosure requirement does provide protection to clients in the unlikely event that an independent advisor might be inclined to provide client data to a third party for marketing or some other purpose. In addition to the disclosure, an RIA would also have to offer clients the right to “opt out” and not have their nonpublic information released by the RIA. Again, this makes sense and provides some privacy.
But the SEC rules create significant exceptions to making these disclosures. For instance, if you hire a mail house to send clients portfolio reports or newsletters, then you can simply make a vague disclosure that you provide your clients’ names and addresses to certain third party companies.
Moreover, because a portfolio report is part of servicing the client account, you would not be required to offer an opt-out. Similarly, if you use a service bureau to prepare your client reports or if you upload your client reports to your Web site using a third-party vendor, a generic disclosure about this is all that’s needed to satisfy your obligation.
You won’t have to provide an opt-out because an RIA is permitted to disclose data to a third party vendor and not offer an opt-out if the vendor is performing a service that helps RIAs process and service transactions and products.
To qualify for this exception on the release of nonpublic data about a client, the RIA must disclose that the information is released to third parties in its privacy policy and the RIA must also enter into a contract with the vendor prohibiting the vendor from using the data for any purpose other than the one for which the vendor is hired. RIAs have until June 30 to insert clauses in their contracts prohibiting misuse of the data by their third-party vendors, and contracts already in effect are grandfathered through June 30, 2002.
What concerns me is that your clients’ portfolio data–how much they are worth, where their assets are located–is extremely sensitive. Indeed, some clients may be concerned about having their personal data on the Internet or being handled by an unregulated third-party vendor. Yet RIAs can hand off portfolio data with little more than a generic disclosure and not offer an opt-out.
Under the current rules, you can put your client portfolio reports online using a third party vendor, hand off your client list to a newsletter publisher, or use a service bureau to perform portfolio reporting. And it’s likely that your clients won’t ever know exactly what you’re doing with their data. Furthermore, in the case of vendors helping service products and transactions, you don’t have to give clients the right to opt out of the information sharing.
Sharing client data with a regulated entity such as a brokerage or insurance company to service an account is one thing. But sharing data about clients with tiny companies is something else.
“We are operating in a world where we are experiencing the growing pains of moving into the Information Age,” says Internet law expert Solove. “Entire databases can be hacked into and data on millions of people can be stolen, transferred, sent around the globe, and broadcast to the entire world. The potential dangers are vast and we are woefully unprepared to figure out how to keep it all secure,” says Solove.
Solove says that instead of requiring consumers to opt out of sharing their personal data, financial service companies should be required to make opt-in offers. “This would foster greater accountability,” says Solove.
Paul Schott Stevens, an attorney at the Washington office of the Dechert law firm, and a former general counsel of the Investment Company Institute, points out that it would be difficult for financial services companies with tens of thousands of clients to service their accounts if they have to offer an opt-out when an individual client doesn’t want his information disclosed to a third-party vendor. “For a B/D with hundreds of thousands of accounts, what would they do?” asks Stevens. “They can’t customize a solution for everyone.”
Stevens has a good point. But so does Solove. So what’s the answer? Certainly the disclosures about who a financial institution shares data with should be more specific. In addition, it’s hard to imagine why financial institutions should not be required to offer consumers an opt-out for all third-party providers. Independent RIAs, who generally have hundreds and not thousands of clients, can tailor such requests to individual clients who want to opt out. In fact, some clients may prefer to do business only with an independent RIA because they may be the only ones that can properly respect their privacy concerns.
There are no easy answers. But advisors should confront the issue. “We have privacy practices that are appropriate for an age of paper records and haven’t adapted very well yet to an age where information can be downloaded at the click of a mouse,” says Solove.
I’ve long been a proponent for financial advisors acting as information sources for clients. You want to be the central source–on the Web and off–for clients to come to for financial news and ideas. You want to become their financial information gatekeeper. But part of the job means guarding the gates. With G-L-B, the gate’s under attack.
Keeping in Touch
TechFi adds a contact manager to its already impressive suite of offerings for advisors
For years, the one big wish I’ve heard from advisors is for a way to key client information into just one database and have all the applications they use each day work from that database. Portfolio management, contact management, trading, and financial planning would all work in one integrated application.
It sounds like such a simple thing, but none of the companies serving small independent financial advisors do it all.
Centerpiece is close, but it works on two different databases. So you have to synchronize the databases to make them all work right. Centerpiece says it will migrate to Microsoft SQL Server technology, but has not yet set a date to do so.
Advent Office can do it all. Axys is a great portfolio management system, Qube is an excellent contact manager, and Advent’s trading module, Moxy, works just fine. But advisors complain bitterly about the cost of Advent products, and they don’t like the fact that Advent runs off a proprietary database, so you can’t easily export data into other products. Then there’s the arrogant attitude that advisors often mention that they get from Advent’s support personnel.
But don’t despair. Those new guys from Denver, TechFi, are on the case. And it appears that the silver bullet that independent advisors have always searched for is a little closer to reality: TechFi has added contact management to its suite of products. I’d bet that this tiny, three-year-old company is going to be the first to come up with a totally integrated package.
TechFi’s Office Suite, which includes portfolio management, contact management, and trading, is bundled at $4,500 for a single user license; each additional user license is $1,000. Annual support is $1,500 plus $333 for each additional user.
TechFi’s pricing plan discourages unbundling the three applications. If you buy the portfolio management system with just one other module, it will cost $6,000 for a single user license instead of $4,500 for all three modules.
Adding a contact manager means that TechFi is closer than its major rivals to delivering that silver bullet. That’s because TechFi’s products all draw off a single open architecture database, Microsoft SQL Server. Matt Abar, the president of TechFi, says a financial planning module could be added to the suite within a year.