Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
When advisors plan a transition to a new firm, they encounter a common challenge: How may they give a prospective buyer enough information to evaluate the practice without running afoul of Regulation S-P or breaching client confidentiality obligations?
Any firm assessing the value of an adviser’s book needs real detail. For example, they need to know how many clients the advisor serves, each client’s assets under management, age ranges, the length of the relationship, and a variety of other information.
Advisers need to share meaningful data, but both Regulation S-P and state privacy laws impose strict limits on what can be disclosed. From a regulatory standpoint, the key question becomes the following: What information can an adviser lawfully share with a firm that's evaluating their practice in anticipation of a sale or some other move?
Protecting Personally Identifiable Information
Regulation S-P draws a clear line between information that identifies clients and information that doesn't. Namely, Regulation S-P protects “personally identifiable information,” which includes anything that can reasonably identify a client, such as names, addresses, account numbers, and other unique identifiers. Advisors can't transfer or disclose this information outside their firm without satisfying the regulation, which requires disclosure of information-sharing practices and an opportunity for clients to opt out.
Advisors also need to take state data privacy laws into account. Some clients live in so-called "opt-in states," where sharing personal information requires express consent. Other clients may have opted out of information sharing under the current firm's privacy policy. In each case, the advisor must obtain the client’s consent before transferring their identifiable information to a third party. In general, advisors should take into account state law, which may be stricter than Regulation S-P.
State requirements aside, Regulation S-P's opt-out framework may be best-viewed as a floor rather than a ceiling. The gold standard is obtaining each client's affirmative consent before sharing their personally identifiable information with a third party. This avoids disputes, assures the receiving firm that the information was lawfully obtained, and helps protect the advisor from regulatory challenge.
Using So-Called Blind Data Correctly
While this is the lay of the land regarding information that identifies clients, Regulation S-P takes a different approach to "blind data." The regulation expressly says that “Information that does not identify a consumer, such as . . . blind data that does not contain personal identifiers such as account numbers, names, or addresses,” is not protected personal information.
In other words, advisors are allowed to use anonymized data to demonstrate the value of their practice or the characteristics of their client base. Advisors can present information such as client asset levels and corresponding revenue, as long as the data cannot be used to identify individuals. Advisors can also describe clients in anonymized terms by providing information such as age bands, general professions, geographic regions, asset levels, and length of the relationship.
So, for example, an advisor might share with a prospective buyer: "Client A is a 40—50-year-old attorney living in the New York tristate area with $3 million in assets and a ten-year relationship with me." "Client B is a 30–40-year-old marketing executive living in the DC metro area with $2 million in assets and a five-year relationship with me." This type of information is detailed enough to be useful to evaluate a practice, but still insulated from identification.
Advisors should just be careful to avoid providing multiple data points that, in the aggregate, could allow the receiving firm to deduce a client’s identity even without explicit identifiers. Put differently, anonymization must be sufficiently robust that the recipient cannot put the pieces together to identify the client. For example, if a client is a specific type of surgeon living in a small town, then providing the medical specialty and name of the town may identify the client.
Two Key Caveats
There are two important footnotes to all of this:
First, these principles address the data privacy side of the issue, but they don't address the contractual part. That's a topic for another day, but contractual restrictive covenants often impose significant limitations on what advisors are allowed to do in anticipation of their departure (and, of course, following their departure). From a contractual standpoint, all data may belong to the existing firm and may not be shareable — regardless of whether it's anonymized and doesn't identify a particular client.
Second, Regulation S-P has a "sale of business exception" that allows some data sharing in the context of a business sale. However, this only applies when the firm itself is transferring the client data, rather than when an individual adviser transfers the same data.
An individual adviser generally has no standing to invoke this exception, because the exception applies to the firm as the seller (not to individual personnel attempting to transfer data on their own). For more on this topic, along with a detailed discussion of the tension between data privacy laws and adviser contracts, you can reference this piece.
Isaac Mamaysky is the cofounder of QuantStreet Capital, an RIA that focuses on quantitative portfolio management and offers a platform for independent advisors, including investment, compliance, and operational support. Isaac is also a partner at Potomac Law, where he started the Investment Advisors, Asset Managers, and Private Funds practice.
A message from Advisor Perspectives and VettaFi: Discover something new! Click here to register for our upcoming webcasts.
Read more articles by Isaac Mamaysky
Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
