Robo Risks: The Hidden Threats From Providing Online Advice
Robo-advice has been heralded as an alternative to costly face-to-face services, capable of bringing affordable financial advice to the masses. With algorithms designed to guide users to the best investment strategy on a personal basis, these services offer a new route to market.
Debate about how much the demand for these services will grow and how best to take advantage of the potential opportunities has been rife. Robo-advice has typically been considered the preserve of start-ups and digital-focused challengers. That’s no longer the case, however, as banks and asset managers move more of their investment services online.
With Opportunity Come Risks
Robo-advice geared toward the mass market has been offered in the US for about seven years. One of the main benefits of online advice is scalability, providing advisors with the opportunity to reach new markets worldwide. However, as online services grow, so do the risks associated with them.
Firms looking to provide robo-advice are typically faced with two choices:
- Enlist a third party to establish and operate the service on the firm’s behalf.
- Develop proprietary software and dedicate an internal team to run the service.
In both instances, firms must ensure the service is protected through IT security procedures that take into account the model they are operating. The risk that money or data could be stolen from the third-party operator or the organization itself can be mitigated through insurance.
Robo-advice can present challenges for firms, as the company as a whole — not an individual — is liable for the advice given. This has implications for the company if it is sued after providing advice through this method.
Additionally, the nature of these services means that client data is being processed, handled, and stored online in some form. Firms operating robo-advice services must be compliant with US cybersecurity regulations at the federal and state levels, including:
- Regulation in the majority of states requires the company to notify residents if a breach of information occurs.
- The Safeguards Rule requires financial institutions under the Federal Trade Commission’s jurisdiction to have measures in place to keep customer information secure. Companies must develop their own safeguards and take steps to ensure customer information in their care is safeguarded.
- Financial institutions are advised to identify their risks and determine their cybersecurity preparedness through the Federal Financial Institutions Examination Council (FFIEC), which recently developed the Cybersecurity Assessment Tool.
Robo-advice is a high-potential distribution channel. But it and other new technologies bring new risks, making the identification, mitigation, and transfer of related cyber exposures all the more important.