Who owns a client’s financial data?
This question came up at a roundtable I hosted at the recent T3 Enterprise conference. The subsequent conversation demonstrated that the answer may be more complicated than we realized.
On one hand, a growing number of advisors (and their service providers, like eMoney, Everplans, Orion, ShareFile, Box and so on) are enhancing their clients’ experiences by organizing their finances in online client vaults. But at the same time, a countervailing trend is increasingly making it harder to populate those vaults accurately.
Consolidated account statements are one issue, said Eric Clarke, CEO of Orion Advisor Services, an asset management solution based in Omaha, Nebraska. Assets not directly managed by the advisor are included in performance reports, asset allocation software and client vaults, both as a convenience and as a way for the advisor to see a client’s full financial picture. This outside account data is most easily gathered using account aggregation software like ByAllAccounts, Yodlee and Quovo.
The most logical way to have these programs pull in information from outside brokerage accounts, 401(k) plans, bank accounts and credit card sites is for the advisor to collect every client’s user name and password for each client account, enter it into the software and instruct it to pull in the latest data every day, week or month. But if the advisor has access to those user names and passwords, that might be considered having custody of the clients’ accounts and might trigger the dreaded custody audit.
So, instead, the advisory firm will have each client go into a room with a computer hooked up to the account aggregation engine, and the client will input user names and passwords in privacy. The software would store these keys to the data and pull the information without giving custody to the advisor.
In theory, this is great. But anybody who uses aggregation programs knows they quickly become an infernal headache. Some financial institutions require their customers to change their passwords periodically, which cuts off the aggregation software’s access to the account data until the client comes in and enters the new password. Or clients may change their passwords without notifying the advisory firm, blocking access to where the data used to be.
More troubling, in this era of increased hacking activity and cybersecurity awareness, consumers are being told (I think reasonably) to request two-factor authentication protocols on all their financial accounts. That way, if a hacker were to somehow get hold of a client’s user name and password, and tried to wire money elsewhere, the financial institution would text-message a code to the customer’s cell phone. Did you authorize this transaction? If the scammer doesn’t have the customer’s phone in hand, the scheme is stymied.
But two-factor authentication makes it impossible for the aggregation software to gather account and performance information for the client’s consolidated statements. Increasingly, as clients and institutions ramp up their cybersecurity protections, consolidated reporting becomes less and less feasible.
The roundtable participants then took up the question of who owns the client data? The consensus was that the account information was — technologically, at least — the property of the custodian. Credit card activity information is the property of the credit card company, banking records the property of the bank and so forth. How so? In a world where the data doesn’t exist unless you can access it, and where institutions control the access, de facto control belongs to the service providers, not the end client.
Joel Bruckenstein, the tech guru who helped facilitate the discussion, suggested a new kind of entity in the financial services world: a centralized client data repository. As he brainstormed with the panel, we eventually realized that clients could actually own their own data if somebody would build this repository and overlay it on the financial services world.
How would it work? Clients would give access to the repository the way they now do to an account aggregation engine, and the repository would become the entity that they log into, which would avoid the hassles with changing passwords and two-factor authentication. Two-factor authentication would give them straight-through access to each credit card, bank or brokerage account. The data now being collected by the account aggregation engines would be collected and consolidated at the repository.
Then, if clients wanted their advisor to create a client portal that organized their financial lives, the advisor could set up an account in eMoney, Box or Everplans, and the clients could specifically give the repository permission to send some or all of their financial data, nightly, to their client portal. Every portal and all the various asset management, CRM and financial planning engines would plug into one data source, one protocol, one API — and each client would have complete control of where the data does and doesn’t go.
This puts a lot of trust in one organization, which might have to be a nonprofit, and which would be regulated much like a custodian. Bruckenstein pointed out that, 10 or 15 years ago, if you were to ask your doctor for your medical records, the doctor (or hospital) would routinely tell you that you weren’t entitled to them. They owned the data. When the Affordable Care Act came along, it clarified that patients do indeed have the right to their own records and mandated that doctors and hospitals have computerized systems that would allow them to quickly retrieve and easily share this information with patients and other professionals.
Why should financial services be any different, Bruckenstein asked.
Is there any way advisors can bring clients into this repository world today? Eric Wulff of Aurum Wealth Management Group in Cleveland and Akron, Ohio, said his firm built trust with new clients by telling them, upfront, that they own the data that is collected in the normal course of the financial planning process.
To back this up, Wulff tells clients that should they decide to leave his practice, he’ll port all their data to a
By the end of the roundtable, we thought that, ideally, someday every advisor would set up a box.com account in each client’s name, owned by the client, establishing this sharing of data as a professional norm. (Note: I do not have a business relationship with the company).
That may not be a perfect solution, but for now it may be the best one we have available.