Rise of Robo-Advisors: Mitigating Regulatory Risk Through Information Governance

In recent years, the financial services industry has seen a marked increase in the availability and use of automated digital advisory programs for investments, banking products and insurance services, often referred to as robo-advisors. Clients can create and manage their accounts through mobile apps or online, with lower fees and sometimes lower account minimums, compared to traditional financial advisory programs. Depending on the type of advisory model permitted in a jurisdiction, clients may have little or no interaction with human beings (e.g. investment advisors, administrative staff, etc.). For the purposes of this discussion, “institution” is used to collectively refer to banking and financial institutions, businesses providing financial services, and financial services advisors and agents, and “customer” is used to collectively refer to anyone using financial services.

Through online and mobile applications, robo-advisors collect various details from clients, such as their personal credentials, income and assets, risk tolerance, and financial goals. This type of service uses automated and technological means to maintain client records, manage confidential information and, through the use of algorithms, generate advice that is communicated to clients electronically. Last year, the United States Securities and Exchange Commission issued a risk alert regarding compliance issues for advisers who provide electronic investment advice citing gaps in institutional compliance programs (e.g. policies and procedures), inadequate algorithmic testing and poor record keeping. From this risk alert, institutions can determine certain priority areas for regulatory oversight, regulators’ expectations, and disclosure and risk management challenges for institutions providing robo-advisory services. Institutions should ensure that they comply with the banking and financial services regulatory framework in the jurisdictions in which they provide robo-advisory services and implement sound information governance practices related to records management, personal data protection and cybersecurity.

In many jurisdictions, financial regulators are ordering robo-advisory services to comply with the existing regulatory regime for banking and financial services in areas such as investment services, insurance, anti-money laundering and terrorist financing (e.g. customer identification, suspicious activity monitoring, etc.). Depending on the jurisdiction, regulatory requirements for robo-advisors may require institutions to maintain specific records, deploy robust cybersecurity and technology measures, monitor electronic communications, and implement internal “human oversight” processes by staff. Record keeping obligations may include maintaining audit trails, customer identification records, account records, customer communications, recommendations and advice, risk assessments, risk profiles, conflict of interest records, policies and procedures, etc.

The following examples of information governance-related regulatory requirements for robo-advisory services represent key areas of risk:

  • Australian Securities and Investments Commission (ASIC) issued regulatory guidance on providing advice on digital financial products to retail clients (RG 255), which provides that digital advisory licensees must have sufficient technology resources to maintain client records and data integrity, protect confidential and other information, meet operational needs (including system capacity), and have business continuity and disaster recovery plans. ASIC expects licensees to have appropriate system design documentation that defines the scope and design of algorithms, to perform robust algorithm testing, to have appropriate processes to manage any changes to an algorithm, and to be able to control, monitor and maintain records describing any changes made to the algorithm over the past 7 years. Licensees must also keep records of personal advice to retail clients for 7 years.
  • The Canadian Securities Administrators (CSA) have issued Staff Notice 31-342 – Guidelines for Portfolio Managers Regarding Online Advice, which describes how portfolio managers can provide advice via an online platform while complying with regulatory requirements. Canadian online advisors offer hybrid services, in that they use an online platform for the efficiency it offers, while the advising representatives are actively involved and accountable for decision-making. The CSA expect online advisers to perform regular due diligence and comply with legal and regulatory requirements such as those relating to client identification, confidentiality of information and prevention of money laundering.
  • Hong Kong Securities and Futures Commission (SFC) issued Guidelines on Online Distribution and Advisory Platforms, which set out the principles and requirements applicable to online distribution and advice platforms for investment products operated by authorized or registered persons. A Platform Operator is required to maintain records relating to the Platform, including: complete documentation of the Platform design, operational processes and risk management controls for a period of at least 2 years after the shutdown of the online platform; audit trails of activities and transactions (and incident reports) carried out on the online platform for a period of at least 2 years; and audit trails and records of all suitability assessments for 2 years for exchange-traded investment products and 7 years for non-exchange-traded investment products. Regular reviews should also be made of all activities conducted on the online platform, including client profiling, selection of investment products and the reasonableness of any algorithm-generated recommendation or advice (e.g. sample verification and testing).

For regulatory compliance and risk mitigation purposes, institutions offering robo-advisory services should implement the following information governance best practices:

  • Maintain records that comply with legal and regulatory requirements, regulatory guidance or guidelines, and industry standards relating to robo-advisory services, and continue to comply with applicable banking and financial services laws, including anti-corruption, anti-money laundering and terrorist financing prevention laws.
  • Ensure that their records retention schedules appropriately reflect and cover records related to robo-advisory services.
  • Comply with local and regional data protection laws in handling customers’ personal information.
  • Regardless of the type of robo-advisory model used, implement and document due diligence and human oversight measures (including periodic testing) on automated and algorithmic systems, including maintenance of audit trails.
  • Adopt, regularly review and update (as needed) information governance policies and procedures to adequately account for robo-advisory services; and
  • Ensure appropriate technology and cybersecurity measures are in place, including incident and data breach response plans.

The content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as “lawyer advertising” requiring notice in some jurisdictions. Prior results do not guarantee similar results. For more information, please visit: www.bakermckenzie.com/en/disclaimers.

Martin E. Berry