When I founded Envestnet almost 20 years ago, my vision for the company was clear: to help independent advisors and financial institutions better serve their clients through cloud-based technology and related services.
Data aggregation has long been an essential element of this vision. Financial advisors need a single source for financial information that would otherwise be spread across numerous accounts and paper statements. This integrated view helps empower advisors to provide unified, fiduciary advice and steward their clients’ financial wellbeing. In other words, it helps them work with their clients to address the reality of their financial situations and find the solutions that best meet their financial objectives.
We were among the first to provide this all-in-one view to advisors, and four years ago we incorporated the use of aggregated consumer-permissioned data (data that individuals give their permission to use in distinct ways) held away from the advisor’s primary custodians to help investors and their advisors better understand and manage their financial lives.
This innovation grew out of our belief that individuals and families are best suited to decide how to use their financial information, especially as it relates to their own financial wellbeing. The benefits for investors and advisors are many: a more complete and real-time view into an investor’s financial picture; faster information sharing and verification of accounts; and the security of knowing financial information is coming directly from the source, not from an unsecured intermediary like email.
When you spend as much time as Envestnet has examining the potential benefits of data aggregation and bringing this vision to life, you inevitably consider the elements of risk that come with such potential investor benefits. Data security has always been embedded in our business, but when we first launched, data breaches weren’t headline news.
Today, we see stories reporting millions of accounts being hacked, stolen or simply left unsecure for bad actors to exploit. The reality is that as more data becomes digitally available, the risk of it being stolen and put to work for nefarious purposes rises as well. While the threats to digital data security are real, they can’t be addressed by going back to the old ways of storing information in physical form. That would be akin to advocating for a return to horses while the Model T rolled off the assembly line.
Every innovation needs guidelines for keeping people, and their information, safe. In the case of the automobile, it took more than 20 years for the country to get standardized traffic signals and for someone to dream up the stop sign. With digital data, we don’t have that kind of time. There is simply too much at stake.
As a financial technology platform, Envestnet has a responsibility to ensure the highest levels of safety and security for anyone sharing information on our platform. We take this role seriously and want to ensure that we and the entire financial industry are living up to the expectations of our clients.
One of the challenges of adhering to an as-yet-unspecified standard is the lack of shared vocabulary. While advisors have a broad and shared understanding of what it means to be an investment fiduciary, no such basis exists for data.
Advisors know that fiduciaries must do more than achieve results in the best interests of their clients. They must operate with both good faith and integrity in serving their clients. That seems like a useful and appropriate starting point for responsible data management, or the role of data stewardship, as we have come to think of it.
Data stewards treat consumers and their information with the utmost respect. They are held to a more rigorous and higher standard than data brokers, who exist to gather and sell personally identifying information that can be used to identify and target individual consumers.
We have adopted the following principles as part of Envestnet’s Data Promise, which aims to ensure our data stewardship is aligned with our underlying obligations to advisory clients. We urge all providers and users of consumer financial data to adopt them as well.
- First, consumers must be provided clear notice of how their “Personal Information,” such as their name or email address or social security number, can potentially be shared before registering for a service. Even then, sharing this type of Personal Information that identifies individuals with third parties for purposes unconnected to the service should never be done, unless there is clear disclosure and a straightforward ability for a consumer to opt out.
- Data stewards never use the specifics of advisor-derived client data for reasons other than the benefit of those advisory clients. Data stewards may use aggregated, statistical data points from a broad base of accounts to present trend analysis. When data is gathered as part of an advisor’s fiduciary role (to review retirement account investments, to see current checking and savings balances, to review current liabilities and payment schedules, for a few examples), that data must only be shared between the advisor, the supporting institution(s) and the permissioning investor.
- The safeguarding of consumers’ Personal Information is paramount. Our practices include implementing continuously monitored data security systems and processes, as well as encrypting consumer data and de-identifying it for instances in which Personal Information is not needed. As the threats to consumer data security become more sophisticated, so too must the means of protection. We are tasked with continuing to innovate in the realm of data security to ensure we stay ahead of the risks.
- When a fiduciary advisor is not involved in the data sequence, companies should still take care to provide protections. For example, when supporting data analytics where there is no fiduciary advisor and the data has been de-identified, recipients of that de-identified data must be restricted to further ensure that it is never “re-identified.”
- Finally, data stewards exert governance over the technology-powered tools to which the consumer has granted permission to access their data. As a conduit for consumer-permissioned data for use within a wealth-tech network, Envestnet takes governance seriously and will not only require recipients of that data to use it consistently with the consumer consent that was provided, but will also monitor recipients on an ongoing basis with a risk-based compliance program.
These principles are rooted in our core tenets of good faith and integrity as data stewards to our advisory clients and are meant to provide consumers with peace of mind knowing they are protected as they use tools to improve their financial health at every stage of their life. Consumer data is valuable—to individuals, to their advisors and to financial enterprises and fintech providers who can better tailor their services to help investors achieve financial wellness.
As policymakers, financial institutions and the rest of our industry grapple with how to better safeguard consumers’ Personal Information and related rights, we encourage all providers and users of consumers’ financial data to adhere to the principles of data stewardship and to treat consumer data like the valuable asset it so clearly is.