I recently had a discussion with a peer in the industry who works as a compliance director at an independent broker dealer. We were analyzing a recent SEC administrative proceeding that sends something of a chilling message to technology managers at independent firms.
The SEC settlement in question fell under the Regulation S-P safeguards rule, which requires firms to protect customer information. The respondent was an independent broker dealer and RIA with a large universe of independent affiliated representatives. In short, the SEC found the firm liable for not having mandated and enforced (my emphasis) appropriate security on every computer that had access to its intranet and online trading tools.
This is a simple problem to solve in captive systems, or in a business entity that has complete control over all of its locations and infrastructure. The current independent business model is different: in a simplified view it is an aggregation of numerous businesses agreeing to follow common procedures and processes. To date, that arrangement has not given the top-level entity (the broker dealer or RIA) the ability to control the Internet connection, security software, anti-virus applications, email client and so on at the affiliated branch level.
This ruling brings that tradition into question. If a dually registered firm can be fined (a six-figure dollar amount) because an unsecured workstation at an affiliated branch resulted in a breach of customer data, then that firm will likely rethink its strategy for managing the technology of the businesses that affiliate with it.
Discussing this was not intended to be a "sky is falling" moment, but this peer also noted that her broker dealer is already in serious discussions about how to assess and design a deployment of an anti-virus security suite to all of its registered representatives and affiliated RIAs, and how to modify its technology fee accordingly.
My goal in recapping this discussion and issue is to refocus Operations teams on adding a year-end internal audit of their procedures for managing customer information. There are several steps that can be taken.
This is just a very brief discussion of a topic that deserves broader coverage. More will follow on strong processes for Operations teams to manage customer information.