Protecting client information is critical in a digital world

Today there are many different ways for us to communicate financial information with clients: in-person, over the phone, email and so on. With all of these ways to communicate, it is important for us to continue to keep client information confidential and secure. Social insurance numbers, dates of birth, investment account numbers, bank account numbers — it’s all sensitive information that must be protected.

Years ago we would regularly share confidential information by fax with clients. The information would then be printed out and stored in physical files. Clients would have a landline and often owned a fax machine as well. With the introduction of the personal computer and the internet, email became an alternative mode of communication. Most view email as quick and efficient; however, using email to share confidential information does have some risks.

One of the major risks involved in sending confidential information by regular email is that the information gets into the wrong hands or that someone else tries to extract it. With a regular email, information that you receive, or that is sent to you, will be sitting within your email account. Anyone who inappropriately accesses your email account will also have access to all of the information within your account (sent box and inbox). If you have confidential emails saved in your Gmail, Hotmail, Yahoo, or Shaw accounts, they could be at risk.

When we receive an email from a client we must take the extra precaution to ensure the information is legitimate. For example, when clients contact us via email to request funds we always require a phone call as well to confirm that this is a legitimate request coming from our client.

In an effort to help keep information secure and confidential, there are some extra steps that both advisors and clients are starting to take. One example is using the financial firm’s own server to share confidential information. A simplistic explanation of a secure email is that you are really not even getting the information emailed to you. I know that sounds confusing.

Let us use an example of an adviser who is setting up a telephone meeting with a client who has never used the secured server. Beforehand, the client would like to obtain a copy of their holdings detail report and recommendations for the account. The portfolio manager types a message to the client that looks like a regular email, types “[Secure]” in the subject line, and attaches two PDF documents — the holdings detail report and recommendations.

On the client’s side, they will not initially get the message with the two attachments. What they first receive is an automated message that the portfolio manager has attempted to send the client a secure, encrypted message. Within this automated email message is a link that will direct the client to the firm’s own server.

Clients who have not used the secure service must click on the register button. This triggers a temporary password being sent to the client’s email account to enable them to register for the secure email service. To register as a first-time user, a client will need to immediately establish a secret password (different from the temporary password), as well as create one or more challenge questions that can be used to verify their identity.

An added safety measure that is available is having your secure account automatically locked if there are multiple failed attempts with an invalid password. In order to recover this password you would need to answer one or more of the challenge questions mentioned above. Other features may also include having the original message deleted automatically after a certain time period.

The process for registration takes less than five minutes. Once the client has the account set up then they will be able to see the message sent by the portfolio manager.

It is important to note the confidential information remains on the firm’s own server and is encrypted. It will look like you are accessing an email within your email account, but the information is actually accessed through the password-protected account on the financial firm’s server.

By viewing information only on this encrypted service, you greatly minimize your exposure to your information being compromised. Using the above phone meeting example, the client can easily print the holdings detail report and recommendations or simply view them online. The information does not sit within the client’s email account.

Of course, clients have the ability to download the information from the encrypted server to their own personal devices and accounts. Once the information has been forwarded from the server, rather than just viewed or printed, then clients could be potentially exposing themselves to other risks.

We understand that having to create an account and enter a password to view your financial information might feel a bit cumbersome. In the end you can have more comfort that your confidential account information is being treated appropriately and that the information does not get into the wrong hands.

Kevin Greenard CPA CA FMA CFP CIM is a Portfolio Manager and Director, Wealth Management with The Greenard Group at Scotia Wealth Management in Victoria. His column appears every week in the Times Colonist. Call 250-389-2138.