For IARs using third-party vendors that access or store client information
<aside>
🛡️
To protect client data and maintain our fiduciary duty, any vendor that interacts with client information must be reviewed and approved in advance. This process ensures our entire team maintains high standards for cybersecurity and data integrity, in line with SEC expectations.
</aside>
When is Vendor Approval Required?
We need to request vendor approval before using any service provider that:
- Stores, processes, or accesses client non-public personal information (NPI)
- Integrates with client data or pulls from systems we use for financial planning, reporting, or communications
- Is not already on the approved vendor list above
Step 1: Vet the Vendor Yourself
🔷 Before submitting a request, gather some of the following:
- A general overview of the tool or service
- What the vendor will be used for and how it interacts with client information
- Whether the vendor offers data encryption (at rest and in transit)