Everything Financial Advisors Need To Know About PII

What is Personally Identifiable Information?

Personally identifiable information (PII) is anything that can be used to trace an individual's identity, such as their name, SSN or biometrics information. Wealth management firms are, of course, privy to some of the most intimate details about a client’s personal and financial life — you and your staff likely handle lots of PII, whether you’re aware of it or not.   

For this reason, exposure to a cyberattack can be very costly to your organization, not only from a financial perspective but also to your firm’s reputation. This is just part of the reason why protecting PII is an important priority among advisory firms that use and store customer data.

Why It’s Important to Protect PII

Signing a new customer typically means that you’ll get access to PII information like their name, address, marital status, financial status, login information, email address and more. Additionally, this data will likely be collected, analyzed and shared with other partner businesses or tools. As the organization that’s collecting this data, ultimately, it’s your responsibility to protect it — you can’t assume that the protection offered by your vendor partners is enough. 

Say, for example, you’ve hired a contractor or paraplanner to take on some extra work during tax season. This contractor will need access to client PII  while they’re under contract. But what about after? Do you have clear offboarding policies in place to remove their access to your CRM and related applications?

The point of this example isn’t that you shouldn’t be trustful of your employees, but that there are a lot of potential gaps in your security policy that could put PII at risk — and this doesn’t even take into consideration the increasing sophistication of hackers who may be actively working to breach your data. 

Data Privacy Laws and Regulations Advisors Should be Aware of

There’s also a regulatory component to this, of course. Particularly in the financial services sector, each company is accountable for personal data they come across while doing business, and must adhere to strict security initiatives. If not, then they put themselves at risk of receiving regulatory fines as well as losing the trust (and business) of their customers.

Here are the 3 main privacy laws that advisory firms should be aware of:  

1. The Gramm-Leach-Bliley Act

Signed into law by Congress in 1999, the Gramm-Leach-Bliley Act requires advisory firms to provide full transparency of their privacy policies and practices to customers. This act also prohibits firms from disclosing nonpublic personal information (aka PII) about a customer to non-affiliated third parties, such as people that are employed jointly by a financial institution. 

2. The SEC Safeguards Rule (Regulation S-P)

Regulation S-P is the SEC’s privacy rule under the GLB Act. It states that advisory firms registered with the SEC must adopt policies and procedures that address safeguards for the protection of customer information and records. 

These policies must be designed to ensure the security of customer records, protect against threats to the security of customer records, and protect against unauthorized access to customer records. 

3. The FTC Safeguards Rule

The FTC’s Safeguards Rule requires advisory firms to adopt policies and procedures that address the safeguarding of customer records and sensitive information. It requires firms to maintain a log of authorized users and keep an eye out for unauthorized access.

How to Perform a Data Audit/Risk Assessment

Now that you’re aware of the privacy laws and regulations financial advisors need to comply with, the next step is to conduct a PII data audit.

A PII data audit is the process of reviewing and evaluating the use of personally identifiable information within your organization. The main purpose of this audit is to identify any vulnerabilities or risks that exist around PII and to ensure that your firm is compliant with data privacy laws. 

Just like protecting your home, it’s better to set up a security system before you need it than to try and install one while a burglar is in the house. With that in mind, here are three key tips to conduct a successful PII data audit: 

1. Identify and Classify Data

The first step in protecting PII is to know what it is, and where it is. As RIA firms’ tech stacks become increasingly complex, it’s not uncommon for data to be stored in multiple silos, in multiple formats, with different naming conventions. Working through all this is easier if you use a data discovery tool, which will help you collect and combine data across your network, and identify patterns and trends in the data in how it’s stored. Whether you use a discovery tool or not, you should, at the end of this project, have in place documentation outlining  what PII your business collects, where it is stored, and who has access to it.

2. Classify PII in Terms of Sensitivity

Once you’ve identified your PII, you can classify it according to sensitivity and put in place appropriate controls. Ultimately, it isn’t possible or smart to implement blanket security controls over your data (imagine needing to enter a password each time you look up a client’s address), so some nuance is required. 

Use a risk matrix to determine which data is most vulnerable, and which would have the largest impact on your business if compromised. With this information, you can then prioritize which sources of PII require the highest level of protection.

3. Implement Security Controls

Security controls range from password policies to sophisticated apps and monitoring services. Starting with the results of your data classification project, work with your IT team to determine the appropriate combination of technology and training required to protect your most sensitive PII.