Tuesday, February 13, 2007

Individual Wealth Management Solutions - Security Implications ... some thoughts

Private wealth management is becoming one of the hottest areas in the financial services sector. With internet technology enabling the expansion of the sector, it's not just ultra-wealthy investors (with tens of millions of dollars to invest) but also small-time investors (with a few hundred thousand) who are looking to invest in a variety of financial instruments.

The value chain in the wealth management industry is expected to expand and move towards global distribution, and several parties in that value chain will access information through several channels, so information security becomes the topmost concern. The need to tighten information security is heightened further because intrusion into data in transit is on the rise, resulting in increased identity theft.

Following are some of the potential information security implications for a distributed wealth management environment:

Distributed Identity management:
Authentication, authorization and management of the accessing party's identity will be extremely difficult. The core portfolio and financial product information is assumed to be maintained by the sponsor. However, the participants in the distributed value chain will form a matrix-like virtual group. For example, an advisor could be an independent entity, could belong to a small organization of advisors, or could even belong to a sponsor. The participating investor could be an independent consumer or an institutional investor. The relationships between participating actors are complex, and their core identity information is likely to be distributed throughout the value chain rather than held in a single location. In this situation, authentication and authorization of a participating actor become extremely complex. Federated identity management is a possible way to address this matrix-like participant environment (or exchange-type environment). But there are no clear standards or guidelines that address the issues and implications of such a varied consumer-participant-exchange environment. In addition, emerging federal standards such as multi-factor authentication make it more complex to evolve the federated identity management concept further.

Multi-channel information access:
With the proliferation of the internet protocol, information access is being facilitated through several channels: thin browser clients, voice-activated access clients, and mobile devices such as cell phones and PDAs. Combined with the many-to-many participant relationships, this ability to access information through multiple channels has serious security implications. While the security aspects of information access through a browser are stabilizing, voice and wireless technologies are still maturing and their standards are still changing, which makes it difficult to adopt a specific implementation methodology or set of standards.

Protection during data/information transportation:
Again, as an effect of the expanded nature of distributed participation, the number of hops the data/information has to make through the value chain increases. Because of the compound nature of transactions, the data/information moves between private and public transport mechanisms at several points within the value chain. Though technologies like cryptography and PKI are available to insulate the transported data, implementing them in a multi-hop distributed environment brings complexities around governance and sustenance.

Disparate technologies among collaborating entities:
Another effect of having multiple collaborating entities in the value chain is the presence of disparate technologies. While the back end at most sponsors is typically a mainframe environment, applications built on open standards such as J2EE and .NET, along with message-oriented middleware (MOM), are widely used in financial transaction applications worldwide. SOA and Web Services technologies are expected to provide the interoperability needed for seamless transaction processing in a wealth management solution. However, security approaches in the Web Services area are still in the early stages of being tried out. Full encryption of transactions makes them heavy, and the marshalling/unmarshalling that takes place while transactions are processed within services hurts performance levels and therefore the SLA/QoS. Selective encryption guidelines are being defined through standards like WS-*; however, adoption of such standards will take some time.
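To make the selective-encryption idea concrete for the multi-hop case described above, here is an added example (not from the original post, and not WS-Security itself): only the sensitive part of a message is encrypted with AES-GCM, while the routing header stays readable to intermediaries but is bound to the ciphertext as associated data. The `Envelope` format, the function names, the sample values and the all-zero demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Envelope (constructed format): Routing is cleartext, Sealed is nonce||ciphertext.
type Envelope struct {
	Routing map[string]string
	Sealed  []byte
}

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts only the sensitive bytes and authenticates the cleartext
// routing header as associated data: hops can read it but not alter it.
func Seal(gcm cipher.AEAD, routing map[string]string, sensitive []byte) (Envelope, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	aad, _ := json.Marshal(routing) // map keys are emitted sorted, so this is stable
	return Envelope{Routing: routing, Sealed: gcm.Seal(nonce, nonce, sensitive, aad)}, nil
}

// Open runs at the final recipient and fails if any hop changed either part.
func Open(gcm cipher.AEAD, env Envelope) ([]byte, error) {
	n := gcm.NonceSize()
	if len(env.Sealed) < n {
		return nil, fmt.Errorf("sealed part shorter than nonce")
	}
	aad, _ := json.Marshal(env.Routing)
	return gcm.Open(nil, env.Sealed[:n], env.Sealed[n:], aad)
}

func main() {
	gcm, _ := NewAEAD(make([]byte, 32)) // demo key only; real keys come from key management
	env, _ := Seal(gcm, map[string]string{"to": "sponsor-A"}, []byte("acct=000-CONSTRUCTED"))
	env.Routing["to"] = "sponsor-B" // an intermediary rewrites the header in transit
	_, err := Open(gcm, env)
	fmt.Println("recipient rejects tampered routing:", err != nil)
}
```

Key distribution between the sealing party and the final recipient is outside this sketch; that is the governance problem the post attributes to PKI in a multi-hop value chain.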
