As technology plays a bigger role in financial firms' operations, they have to be mindful of increased risks.
As office shutdowns, quarantines, and social distancing continue to be a way of life, wealth management firms are embracing the benefits of remote work. But along with those benefits, firms have to recognize potential compliance risks arising from the pervasive use of information and communication.
One important question, as noted by WealthManagement.com, is how protected people’s devices and networks are. That includes ensuring their laptops are secure, and detecting and remedying any cybersecurity concerns.
Another potential stumbling block comes from the adoption of technology to archive communications. While most firms may already have a fairly strong email archiving system, GJ King, president of RIA in a Box, noted that the wide array of options for archiving could put some employees on a treacherous learning curve.
“There’s good archiving technology. It’s there, but you’re asking people to dramatically and quickly adopt new tech,” he said. “It’s a recipe for things to go wrong.”
And as a shift to electronic communication makes conversations much more discoverable, advisors may more than ever have to think before hitting send. Some investment advice transmitted via text or chat could be construed as a push to make aggressive bets amid a volatile market. From an internal practice standpoint, things said during team meetings can take on much more significance.
“Whether on a conference call or videoconference, these interactions between colleagues may be looked at with 20/20 hindsight at some point,” MarketCounsel CEO and co-founder Brian Hamburger said. “[T]hose words may be used against them in a context they never would have imagined.”
And when advisors are working at home with no one looking over their shoulder, it may be harder to remain fastidious. Some may forgo small pieces of documentation that they are required to keep. In the worst case, an errant advisor may engage in fraudulent or unethical behaviour, and compliance departments trying to maintain oversight will have their work cut out for them.
“This is going to be enormously stressful for firms and compliance departments, because they’ve got to do it, and have to innovate, and have to do it from home,” said Ben Edwards, a professor in business and securities law at the UNLV William S. Boyd School of Law.
Addressing cyber risks has long been a priority among Canadian regulators and self-regulatory organizations, including the Investment Industry Regulatory Organization of Canada (IIROC). In its Cybersecurity Guide, IIROC offers the following recommendations for secure remote access:
- Implement a remote access policy and train staff to adhere to it;
- Remote access should only be provided using secure VPN technologies;
- Configure the secure VPN so that split tunnelling is not permitted;
- Monitor and log all remote access sessions; and
- Require two-factor authentication for all remote access sessions.