Considerations for wealth managers to improve their technology stance
Technology advances over the last few years have ushered in new tools and solutions for asset managers to improve how they streamline and automate their workflow processes.
Wealth managers have a big opportunity to evolve their business offerings in line with digital investor trends, and potentially steal a march on their competitors. To do so, however, will require an open mind on how they think about technology risk and their ability to develop a robust IT framework, one that stands up to scrutiny in an increasingly complex regulatory environment.
A report by Fidelity, entitled How cost pressures will reshape the asset management industry, states that asset management firms with complex layers between investors and their assets will lose ground to robo-advisors and other wealth management-type services.
The global robo-advisory market is forecast to grow at an annual compound growth rate of 53.54 per cent from 2018 to 2023, according to the Global Robo-advisory Market (2015-2023) report.
For any forward-looking wealth manager, technology innovation could result in significant revenue increases. This cannot be underestimated given that GDPR and MiFID II regulations in Europe, among other global regulations, are collectively placing huge margin pressure on wealth managers. A report by WealthBriefing, for example, suggests that some 57 per cent of wealth managers believe that regulatory change will increase even further in speed over the next three years.
In addition, the report found that 49 per cent of wealth managers were “willing or wholly willing” to embrace outsourced hosted technology solutions.
This is good news for RFA, a leading technology consulting group which offers a comprehensive range of IT services to fund managers.
Prioritising technology risks
As wealth managers embrace technology, it is paramount that they understand the risks in their operating models.
“At a top level, we conduct a site survey to assess what the client has in place, with respect to software system infrastructure, cybersecurity controls, etc,” explains George Ralph, Managing Director of RFA. “We then follow that with a workflow review, which looks at the client’s workflows from an operational perspective.
“From this, we identify the highest technology risks and advise the client to address them.”
At the end of the evaluation, RFA puts together a recommendation report, which gives the client a full overview of what they need to do next and any products/tools it thinks they should implement to improve the efficiency of how they use their computer systems.
“We might recommend that firms bring in specialists from outside to help them with different areas of their business,” says Ralph. “Our partner APS Solutions, for example, are change management and transformation specialists in the wealth management sector. If we see a need for additional expertise to address risk in a client’s operations, then we have a network of experts we can introduce.”
The introduction of the General Data Protection Regulation (GDPR) in Europe requires wealth managers (and indeed all European businesses) to keep their clients’ personal data safe and secure. Those who fall foul of data breaches without having proper controls in place risk facing financial penalties of up to 4 per cent of their total annual turnover.
“From a technology viewpoint, as wealth managers introduce new technologies and cloud systems it is making them more efficient as it allows investors to log on to see their portfolio allocations in real time, but at the same time it introduces more back-end complexity,” says Ralph.
As wealth managers embrace outsourced technology solutions, one of the key considerations for staying secure is vendor management.
“More wealth managers are embracing, yet they don’t necessarily have the in-house skills to do all the due diligence.
“Our clients are able to utilise us – many of whom are former CTOs – to do vendor management because we have the requisite due diligence skills. The risk management process we use extends through to vendor management, where we use a scoring system based on due diligence. A vendor like Cisco, for example, would be a low risk as they don’t have to provide a system and organisation controls (SOC) report. However, if it is a cloud provider like Microsoft Azure, they have to provide annual SOC reports. We log whether we have to chase each supplier for the SOC report or whether they proactively provide it,” outlines Ralph.
Various industry reports suggest that wealth managers are still lacking in confidence when it comes to tackling cyber threats. But as they introduce more automation to their business models, wealth managers will need to get up to speed when it comes to building and maintaining a strong cybersecurity posture.
Ralph observes that one of the problems with GDPR is that a lot of financial institutions do not necessarily understand that the data processor is just as liable to pay the financial fines for a data breach as the data controller is. “I get the sense that many firms, however, still do not know what a data processor is. Any third party who has access to your data, including IT contractors, which a lot of firms use rather than full-time staff, is considered a data processor.
“We have an e-learning compliance training tool for all staff to use, including contractors, which allows senior management to review who has completed the training; it covers all aspects of compliance, from GDPR to cybersecurity,” explains Ralph.
Last year, RFA was certified by GCHQ to do gap analysis on GDPR, which was an extension of its existing cybersecurity audit. As such, RFA is fully certified as part of the IASME governance standard.
“We look at a client’s data privacy impact assessment, data categorization, IT policies and procedures, all the way down to how they configure their firewalls and manage intrusion and detection,” says Ralph.
Artificial intelligence developments
One example of how RFA can bring artificial intelligence tools to benefit wealth managers, and help them stay one step ahead of potential data breaches, is a new intrusion detection and prevention monitoring tool called MDR (Managed Detection and Response).
Rather than operating statically in a single environment like some intrusion detection systems, which are reactive and rely on humans to read the data logs to see if any suspicious activity has occurred on the network, RFA’s solution proactively identifies any breach that may be occurring.
“One client tested this system alongside a couple of other high-profile software providers where the portfolio manager deliberately started downloading a series of spreadsheets. The two other software systems did nothing because they did not consider it malicious behaviour, whereas our system blocked his machine immediately as it was unusual behaviour,” says Ralph.
Practice makes perfect
RFA also conducts virtual disaster recovery exercises to test its clients’ staff members, as well as investigative response work after an actual breach has happened, to help them identify what steps to take immediately.
“If you have to report a breach to the Information Commissioner’s Office, they want proof that you understand why it happened and have put the right processes in place to stop it happening again. We recommend doing a disaster recovery test every year and that the client performs a virtual DR test every six months,” concludes Ralph.