Robo Risks: The Hidden Threats from Providing Online Advice
Robo-advice has been heralded as an alternative to costly face-to-face services, capable of bringing affordable financial advice to the masses. With algorithms designed to guide users to the best investment strategy on a personal basis, these services offer a new route to market.
Debate about how much the demand for these services will grow and how best to take advantage of the potential opportunities has been rife. Robo-advice has typically been considered the preserve of start-ups and digital-focused challengers. That’s no longer the case, however, as banks and asset managers move more of their investment services online.
An Attractive Opportunity
Robo-advice geared towards the mass market has received regulatory backing in the UK, boosting the sense of opportunity in the offing. The Financial Conduct Authority (FCA) and HM Treasury published the recommendations of the Financial Advice Market Review (FAMR) in March 2016. On the FAMR's recommendation, the FCA has established the Advice Unit, a dedicated team within the regulator that supports firms willing to explore the provision of fully or partially automated affordable advice.
One of the main benefits of online advice is scalability, providing advisers with the chance to reach new markets around the globe. However, as online services grow, so do the risks associated with them.
Firms looking to provide robo-advice are typically faced with two choices:
- Enlist a third party to establish and operate the service on the firm’s behalf.
- Develop proprietary software and dedicate an internal team to running the service.
In both instances, firms must ensure the service is protected through IT security procedures that take account of the operating model they have chosen. The risk that money or data could be stolen from the third-party operator or from the organisation itself can be mitigated through insurance.
Additionally, the nature of these services means that client data is being processed, handled, and stored online in some form. All firms operating robo-advice services must be compliant with the new EU General Data Protection Regulation (GDPR). Among other rules, the regulation stipulates that all financial services firms must:
- Ensure the privacy impact of any new product or service involving personal data, or technology that processes it, is assessed when it is being designed.
- Receive explicit consent, described as “clear affirmative action”, to the processing of sensitive data (pre-ticked boxes will not be enough).
- Notify any personal data breach to the FCA “without undue delay and, where feasible, not later than 72 hours after having become aware of it”.
New technologies bring new risks, making the identification, mitigation, and insurance of the cyber exposures which accompany this high-potential distribution channel all the more important.