In recent years, the financial services sector has seen a marked increase in the availability and use of automated digital advisory programs for investments, banking products, and insurance services, often referred to as robo-advisors. Customers are able to create and manage their accounts through mobile or online applications, for a lower fee and at times lower account minimums, than through traditional financial advisory programs. Depending on the type of advisory model permitted in a jurisdiction, clients may have minimal to no interaction with human beings (e.g., investment advisors, administrative staff, etc.). For the purpose of this discussion, “institution” is used to collectively refer to banking and financial institutions, businesses offering financial services, and financial services advisors and agents, and “customer” is used to collectively refer to any individual using robo-advisory services to solicit financial advice.
Through online and mobile applications, robo-advisors collect various details from customers such as their personal identification information, income and assets, risk tolerance, and financial goals. This type of service uses automated and technological means to maintain client records, manage confidential information, and through the use of algorithms, generate advice which is communicated to customers electronically. Last year, the U.S. Securities and Exchange Commission issued a risk alert regarding compliance issues for advisors that provide electronic investment advice citing deficiencies with institutional compliance programs (e.g. policies and procedures), inadequate algorithmic testing, and insufficient recordkeeping. From this risk alert, institutions can ascertain certain priority areas of regulatory oversight, regulator expectations, and information and risk management challenges for institutions providing robo-advisory services. Institutions must ensure that they comply with the banking and financial services regulatory framework in the jurisdictions in which they provide robo-advisory services, and implement sound information governance practices related to records management, personal data protection, and cybersecurity.
In many jurisdictions, financial regulators direct robo-advisory services to comply with the existing banking and financial services regulatory regime in areas such as investment services, insurance, and anti-money laundering and counter-terrorist financing (e.g., client identification, suspicious activity monitoring, etc.). Depending upon the jurisdiction, the regulatory requirements applicable to robo-advisors may require institutions to maintain specific records, deploy robust cybersecurity and technological measures, monitor electronic communications, and implement internal processes for “human oversight” by personnel and staff. Recordkeeping obligations may include the retention of audit trails, client identification records, account files, customer communications, recommendations and advice, risk assessments, risk profiles, conflict of interest records, policies and procedures, and more.
The following examples of information governance related regulatory requirements for robo-advisory services represent key areas of risk:
- Australian Securities & Investment Commission (ASIC) issued regulatory guidance related to the provision of digital financial product advice to retail clients (RG 255) which provides that digital advice licensees should have sufficient technological resources to maintain client records and data integrity, protect confidential and other information, meet operational needs including system capacity, and have business continuity and disaster recovery plans. ASIC expects licensees to have appropriate system design documentation that sets out the scope and design of algorithms, conduct robust algorithm testing, have appropriate processes for managing any changes to an algorithm, and be able to control, monitor and keep records describing any changes made to the algorithm over the past 7 years. Licensees must also retain personal advice records to retail clients for 7 years.
- Canadian Securities Administrators (CSA) issued Staff Notice 31-342 – Guidance for Portfolio Managers Regarding Online Advice which outlines the ways in which portfolio managers can provide advice using an online platform, while complying with regulatory requirements. Canadian online advisors provide hybrid services, in that they use an online platform for the efficiencies it offers, while advising representatives are actively involved in and responsible for decision-making. The CSA expects online advisors to regularly conduct due diligence reviews and comply with statutory and regulatory requirements such as those relating to client identification, privacy of information, and the prevention of money laundering.
- Hong Kong Securities and Futures Commission (SFC) issued Guidelines on Online Distribution and Advisory Platforms which sets out principles and requirements applicable to online distribution and advisory platforms for investment products operated by licensed or registered persons. A platform operator is required to maintain records relating to the platform including: comprehensive documentation on platform design, operational processes and risk management controls for a period of not less than 2 years after the online platform ceases to operate; audit trails of activities and transactions (and incident reports) conducted on the online platform for a period of not less than 2 years; and audit trails and records relating to all suitability assessments for 2 years for exchange-traded investment products and 7 years for non-exchange-traded investment products. Regular reviews must also be conducted of all activities conducted on the online platform including client profiling, investment product selection, and reasonableness of any recommendation or advice generated by the algorithm (e.g. sample checking and testing).
For regulatory compliance and risk mitigation purposes, institutions offering robo-advisory services should implement the following information governance best practices:
- Maintain records in compliance with any statutory and regulatory requirements, regulatory guidance or directions, and industry standards related to robo-advisory services as well as continue to comply with applicable banking and financial services laws including anti-money laundering and prevention of terrorist financing.
- Ensure their records retention schedules appropriately reflect and cover records related to robo-advisory services.
- Comply with local and regional data protection laws in the management of personal information of customers.
- Regardless of the type of robo-advisory model used, implement and document due diligence and human oversight measures (including periodic testing) over automated and algorithmic systems including maintaining audit trails.
- Adopt, regularly review, and update (as needed) information governance policies and procedures to adequately account for robo-advisory services; and
- Ensure appropriate technological and cybersecurity measures are in place including data breach and incident response plans.