Oops! Voya leaks advisor production numbers online
Just months after a biting penalty from the SEC over securing client data, Voya Financial Advisors suffered another information blunder — this time, around publishing its own advisory staff’s sensitive information.
The independent broker-dealer accidentally posted a list of its most lucrative financial advisors on its website, making the production credits of hundreds of its advisors available to the public.
“To be clear, this was not a data breach,” says a Voya spokesman. “Our list of advisor production information is shared among the representatives in our network, and the list does not contain any client data or any personally identifiable information. The link was inadvertently made publicly viewable and has since been deactivated.”
Production credits are a commonly used industry metric to gauge how much revenue an advisor earns for the firm and generally determines advisor pay. While Voya says it shares production numbers among its reps internally, the leak gives advisors’ clients an inside look at how much revenue they make for the firm.
“Smaller producers might feel a little embarrassed,” says Frank LaRosa, CEO of Elite Consulting Partners. “For bigger ones, it could be a form of validation.”
Many commission-based firms keep production numbers confidential — especially from subordinates like sales assistants or support staff. “They might see those numbers and feel that they should be getting a bigger piece of the pie,” LaRosa says.
In September, the SEC fined Voya $1 million for failing to protect customer records after intruders accessed the personal information of several thousand customers. It was the first-ever action under the Identity Theft Red Flags — eight years after it took effect.
RIAs have begun to arm themselves against the possibility of mishandling sensitive data. Close to 70% of firms are now using some form of technology in their compliance programs, according to the Investment Advisor Association’s 2018 compliance survey. And more than half of the 450 firms surveyed believe increases in technology usage and spending are coming in the near future.
Major firms are no less susceptible to data snafus. In January, BlackRock acknowledged it had inadvertently published the names, email addresses and other information of 20,000 advisors online. While no sensitive information was made public, industry experts and regulators — notably the SEC — have warned RIAs to take extra precautions securing access to information.
For BlackRock, the problem began when an employee tried to post sales-related information to an internal CRM-related system, according to the firm, but posted it on iShares.com instead.
The reforms could serve as a checklist for firms looking to enhance their own cybersecurity posture in light of the regulator’s increased scrutiny.June 21
Commission prioritizes retail investors as OCIE issues its must-read compliance letter.February 8
However minor, the problem begins and ends with privacy, LaRosa says. “Like anybody else, advisors don’t want other people knowing how much they make for a living,” he says. “They might have an idea, but this makes it absolutely obvious.”