Beth Haddock

The biggest compliance issue facing advisors isn’t Reg BI. It’s cybersecurity. Protecting clients’ and firms’ confidential information from a nightmare breach is critical — and urgent, says attorney and compliance expert Beth Haddock in an interview with ThinkAdvisor.

A 20-year-plus veteran of running big firms’ compliance departments, she has helmed her own compliance consultancy, Warburton Advisers, in New York City since 2014.

Haddock’s fresh views breathe life into the essentially juiceless area of financial services compliance: For instance, the frequent industry speaker argues that by delivering a return on the firm’s investment, a compliance department can change from being a cost center to something of a profit center.

In the interview, Haddock, whose clients include fintech companies, BDs and financial advisors, discusses, among other issues, her take on Reg BI and Warburton’s Hollywood-produced training that employs virtual reality to teach compliance regs.

ThinkAdvisor recently interviewed Haddock, on the phone from New York. The author of “Triple Bottom-Line Compliance” (Advantage Media Group 2018), she was chief compliance officer at AXA, Brown Brothers Harriman and Guggenheim Investments. In our conversation, the attorney stresses why advisors need to become more involved with the crucial issue of cybersecurity.

Here are highlights of our interview:

THINKADVISOR: What’s the biggest compliance issue facing financial advisors and firms today?

BETH HADDOCK: Data security, and data ethics and governance: How you collect data, how you use and store it, the parade of regulatory requirements. It’s everything from privacy, the security of advisors’ business information and investor information to using the information you collect in order to grow your business.

What differentiates data security from the concept of data ethics and governance?

Data security is chiefly about the nuts and bolts from an IT perspective. Data ethics and governance is about making a good business judgement as to, for example, how much in the way of resources you’re going to put toward [the tech and data security].

What’s part of that decision?

Will you have a personal server? Are you going to trust the cloud? These are the issues advisors have to decide about. It’s: How much risk do you want to take, and how much do you want to protect your clients, your reputation and your brand — because if you have a breach, it’s pretty disruptive to your business.

This is a whole additional area that RIAs and FAs have to worry about beyond being an advisor to their clients, isn’t it?

Yes — because it’s new and because it’s technical. If you’re an experienced advisor, you didn’t grow up having to think about this for your practice.

What’s the solution?

RIAs have to be educated on the technology rather than outsourcing it 100% and not really thinking about it. They need to be aware and make sure it’s on their radar. Second, they have to consider multiple sources for getting help. One of those would be having an IT person on retainer or, when they’re hiring a COO, making sure that person has a tech background. That will [provide] in-house expertise.

So is that all there is to it?

No. This isn’t a one-and-done. You have to look at data governance the same way you [tend] the investments in an investment portfolio.

What’s a big obstacle to acquiring technology and data security?

If, for example, you’re an independent RIA, you may not have the wherewithal to acquire excellent smart technology when it comes to cybersecurity or IT expertise. It’s really hard for advisors to be at the same level as big financial institutions.

But they need to make some sort of commitment. What should they do?

There are lots of vendors out there. It’s a matter of getting smart and figuring out what makes sense from a resource perspective. And it’s doing due diligence so you know that the tech vendor [you decide on] will protect your information from a breach and isn’t going to share it. You need to know that the whole infrastructure is safe.

About the SEC’s Reg BI: What’s your initial reaction?

We have to digest those 1,800 pages! I expect there’ll be a lot of interpretation over the next months and additional guidance coming out. But I do think it’s an opportunity for advisors — including dual registrants — to differentiate themselves from broker-dealer [advisors]. With Reg BI, broker-dealers don’t have to meet the fiduciary requirement that RIAs have to meet. So that can be an advantage for [RIAs].

Please elaborate.

As [the Financial Industry Regulatory Authority] starts to change its [rules] and we get more interpretation of Reg BI, over the long run we’re going to be in a better place. The consumer will be more protected because with Reg BI, the proprietary-product momentum and pushing that was going on in the broker-dealer world should [likely] be eliminated.

But Reg BI may confuse investors who can’t discern between RIAs and BD FAs and don’t want to read fine-print disclosures, which they can’t comprehend anyway.

That’s a hard one because I do think it’s confusing. In Europe and other jurisdictions, there’s just one standard. The multiple standards in the U.S. aren’t well understood by the investor. So if I were a consumer doing an IRA rollover, I’d look for a registered investment advisor or a dual registrant.

Do you think there should be a single standard in the U.S.?

I can see the benefit to that, absolutely.

What are your thoughts about the demise of the Labor Department’s fiduciary rule?

It was a good result because having a compliance process that’s practical was definitely not what the DOL rule was. It wasn’t a good fit with the business. I wasn’t a big fan of it. Certain requirements weren’t efficient: They were the product of a regulator that didn’t understand the industry or securities regulations. I like to see compliance controls that are efficient, make sense and work with the business that has to follow them.

What’s your philosophy about the role of a compliance department?

Every compliance department should protect the organization and the brand but also deliver a return on investment to help build the business. [My firm] offers a compliance ROI assessment program that helps the department show its value-add for the business.

What’s your opinion of compliance training in general?

Much of it is more like academia. It’s fairly rote. People [receiving it] get bored and don’t pay attention or spend a lot of time with it and so, aren’t getting much value.

What sort of training, then, does your firm offer for, say, FINRA and SEC requirements?

I’m a big advocate of using behavioral incentives. [For example], we have micro-training: five-to-seven-minute [dramatized] vignettes that show [lessons learned].

Please explain.

It’s an edu-entertainment software program we [commissioned] that was created by people in the entertainment industry in Los Angeles. The producer, director and all the actors aren’t academics or corporate folks.

What does this tool comprise?

We [employ] virtual reality [for instance]. So, in order to watch, the advisors put on cardboard VR glasses. If you’re a compliance officer and want to roll out training for your advisors, they’ll get, in short bites, the technical regulations as they watch the vignettes. That’s more practical in relation to an advisor’s life.

Any other behavioral incentives that you use?

We’ve gamified the training, where the advisor gets to pick the ending. It’s [fairly] lighthearted, and there’s periodic humor to keep you on your toes. But compliance is a serious topic, so we keep it mostly serious.
