In today’s world of increasingly sophisticated financial crime, knowing which platform offers the security you and your clients need is not always easy. Here are the questions you need to ask to make sure your platform is truly looking out for your interests.
For cloud-based platforms, is it a ‘private’ cloud structure?
A private cloud is built upon infrastructure that is dedicated exclusively to one firm’s activities. It is not shared at any point in the infrastructure lifecycle with people or systems outside of the platform operating business.
It can be hosted in an internal data centre, a partner data centre or a specialist facility.
At a minimum, platforms should keep all essential services (i.e. software development and testing) in a private cloud infrastructure with identity-based security so only authorised persons can access sensitive resources to ensure maximum control, oversight and security.
How do they control access to investor information?
Platforms deal with sensitive data and it is imperative that staff can only see and interact with the information they need to carry out their duties.
Access to different areas of the platform should be limited to the type of activities a staff member carries out.
Make sure your platform controls the functionality available to its staff and maintains up-to-date permissions as staff changes.
Similarly, the platform’s controls must be such that advisers are only able to see their own clients’ information, investment managers are only given access to their own fund strategies (and not investor information,) and investors are only able to see their own portfolios.
How do investors interact?
If a platform is able to give access to an investor to view their information, access must be made available via an SSL secured connection (like https) with an encrypted connection between the investor and the platform.
Today’s cutting-edge platforms are building in mobile ‘portal’ layers between platform and investor to provide a richer experience when accessing investment data (valuations, asset pricing and overall net worth) on any device at the swipe of a finger.
This provides an attractive ‘investor- centric’ view, while the adviser maintains an ‘adviser-centric’ view directly from the platform.
Next-generation investor portals will even allow advisers to communicate directly with their investors via a mobile app.
How do they protect against hackers?
Your platform should have a solid Network Intrusion Detection system that monitors for traffic patterns and anomalies in real time.
It must ensure confidentiality, integrity and availability of customer data and their operating environment, and to engage in security best practice at all times.
This includes patching through prevention, detection and situational awareness, and reviewing the security of software, systems and processes regularly from an attacker’s perspective, not just that of a defender.
It’s also a good idea to engage third-party penetration/ security assessment companies to regularly and formally assess systems and products for defects and vulnerabilities.
What is their contingency plan in case of a disaster?
It is important for any company that works with sensitive data to have a disaster recovery program firmly in place and tested regularly.
They should have a primary/production and an offsite, encrypted secondary environment running contiguously.
The back-up environment must be located far enough away from the primary environment so as to be unaffected by the disaster.
The infrastructure should be easily accessible and have multiple layers of built-in redundancy so as to allow for single or multiple failures across systems and servers without causing a failure of the entire system.
How do they protect against financial crime?
Finally, to protect the integrity of the company and safeguard investor interests, it is important to rigorously screen applicants for characteristics associated to money laundering or terrorist funding.
Factors such as country, method of obtaining wealth, and whether an applicant is politically exposed, are all indicators of how likely an applicant is to be involved in criminal activity.
Your platform’s compliance framework should be embedded into daily operations with staff well trained in screening and monitoring for unusual activity.
Whether dealing with data or client money, a platform should take security extremely seriously in order to provide advisers, investors and investment managers with the confidence to focus on the job of growing client wealth.
