Finance Document Protection

Securing documents for Financial Advisers.

Financial advisers need to share sensitive information with auditors, investors, analysts and other third parties without compromising the security of their documents. DRM enables financial advisers to comply with regulation and share documents securely.

Today, people are increasingly adopting cloud-based solutions for storing, working on and exchanging documents, not just photos and videos. It seems cheaper, faster and simpler to get a terabyte of cloud storage for not very much than to buy and install a hard drive for the laptop (or to squeeze extra storage into a tablet). And you get lots of additional services with the cloud – backup and recovery, automatic synchronisation and distribution. And security.

Of course there’s always security. But exactly what that security is busy delivering can be the subject of considerable debate. For some people the presence of SSL (Secure Sockets Layer) is the hallmark of web security. Just see the website security badges proclaiming that all is well. But SSL only protects information in transit from Alice to Bob; once it arrives, it is just as protected with Bob as it was with Alice. Which may well be, “Not a lot.” One thing is for sure: recipient Bob can do anything he likes with whatever documents he receives from Alice – or anyone else.

The secure storage and exchange of personal data

Financial advisers store and access a lot of information about people.  Obviously some is financial, but it may include healthcare and criminal records.  They have to share that information with others (banks, insurers, lawyers, tax authorities, the clients themselves) and a fair proportion of that information is going to be personal or sensitive data.

So a lot of people are going to be quite interested in how personal data is adequately protected from unauthorised disclosure. Apart from relevant industry and sector regulators, there are professional bodies with codes of practice, international standards such as ISO 27001, and data protection legislation (GDPR, PIPEDA, Safe Harbor, the Australian Privacy Act, and so on), all of which have to be taken into account. GDPR (the European General Data Protection Regulation) has finally woken up industry because the EU Information Commissioners (regulators) can levy eye-watering levels of fines if you do not play by their rules. And the Australian Act contains criminal penalties as well as scales of fines.

A simple message is arriving – take data protection seriously – protect financial documents. It is no longer acceptable to just put a disclaimer at the end of a document or an email (caveat receptor?) and think you can wash your hands of the responsibility. Regulations like GDPR demand that you have a plan, and that the plan commits you to doing something proportionate and reasonable to keep financial documents safe.

How can you make financial documents secure?

The first thought is to dust off the encryption toolkit and start extolling its benefits in stopping access to documents.

And then you find that no matter how good the encryption is that is used to protect documents travelling round the Internet, it means nothing if the recipient can promptly do what they want with them. And it doesn’t matter if you are using lowly password protection or sophisticated two-factor authentication. Those only control who gets access to the contents. They say nothing about what happens after the contents are revealed to the recipient.

Not surprisingly, different regulators have different views about encryption.  After all, right now documents containing confidential information get put in the post and can be opened by anyone.  So should there be any difference in professional liability for using the post or using email?

The answer is yes, because sending email is rather like putting your information on postcards – anyone can read it and the volume of information that can be compromised is huge.  By comparison a relatively small amount of information can be lost in the post and it is difficult to capture even if you work for the postal service.  So you need to think about a solution that will enable you to email finance documents securely.

But as we have seen, encryption on its own is unlikely to satisfy a regulator unless encrypted files are being sent from inside one data center to another. So a financial adviser is probably all right logging on to the portal of a bank or insurer in order to type in information, but needs something a bit more robust when communicating with clients.

Finance document protection and DRM

The only route forwards is to start using Digital Rights Management (DRM) technology to protect finance documents.  DRM utilises encryption to prevent unauthorised users from being able to see or use any part of the document contents.  And it also stops the authorised user from being able to misuse the content by forwarding it to other people or by modifying it so as to misrepresent the original content.  (Adding the word ‘not’ can change meanings completely.)

This has some privacy and some commercial implications.

Nobody can see the documents except the people they are allocated to.  So there is no privacy leakage, and that can be demonstrated.

Documents (policy details, quotations, valuation estimates, investment recommendations and so on) are tightly controlled.  Authorised users can’t pass them around to other agents or competitors.  Documents that have time limits, such as quotations valid for a number of days, can be made to expire on given dates, and can be reset if the quote is extended.  Electronic copies of the documents cannot be altered once issued so there is no possibility of someone misrepresenting a policy or a declaration or similar.

DRM systems can prevent printing documents, but often a hard copy is required as backup to the electronic copy. When this is needed, the DRM system needs to be able to apply watermarks to the printed copy, both to authenticate it (preventing someone doing a cut and paste of the content using a scanned copy or a photocopy) and to link the identity of the authorised person making the printed copy to the original document.

You can prevent printing, or permit printing with watermarking that identifies users in the case of document leakage. You can choose fixed or variable end dates for documents, and still change end dates dynamically when required. Actual content cannot be modified because the document will fail to show if there is any attempt to alter it. And document use can be logged so you have an audit trail of who viewed or printed a document and when and where this occurred. You can even lock documents to specific locations so that they cannot be viewed on devices outside of a certain area.

Locklizard PDF DRM systems are feature-rich and deliver everything that financial advisers (and other professionals managing personal and sensitive data) need in order to satisfy the requirements of any of the regulators. You can adhere to regulations without worry and automatically retain and archive files for the required period of time, without any additional work.

Locklizard simplifies compliance with legal, regulatory and business mandates without complex document management.  Share sensitive content securely and protect your sensitive financial information while remaining productive.