Privacy is the issue no one is talking about
I'll get this out upfront; this is an issue that's not an issue until it is an issue, which will be the current view of many.
Wednesday, August 17th 2022, 12:40PM 
1 Comment
by Jon-Paul Hale
What am I talking about?
The standard practice of providers, financial services and otherwise, is to confirm contact details when you call them.
Now I get the issue of people changing contact details and the ever-increasing challenge to keep them up to date, but that's not actually what this article is about.
This is about the issue of privacy and disclosure because the providers have holes in their processes. And they will tell you this is not an issue, as they haven't spotted it.
Well doh! Yes, that's the problem!
You call a provider, they ask for your name and agency details to verify you can discuss the client's file, and then you get into the call.
At the end of the call, you have a chat about having information sent to you, and the customer service person asks for your contact email address to send it to—every single time.
Now I can understand if this was asked upfront with the verification piece, but at this point, the customer service person has your agency details; they have this information available, and it doesn't need verifying.
So what's my peeve in this minute of detail?
Privacy disclosure, that email address provided at that point at the end of the call may not be the agency email address, and I very much doubt it is being verified.
It is a bit like calling a company and asking them to pay you to a bank account you give over the phone. It should not happen, and there needs to be a process around this to ensure that this isn't an avenue of fraud.
Now back to my initial comment about contact details being correct. Yeah, that. This checking process that opens up the privacy issue is driven because people struggle to keep their information up to date.
I know this well, I have ADHD, and this is one of the symptoms, keeping track of details. So, as a result, my life has a significant scaffolding of systems and processes to manage this. Also, when I was diagnosed in 2018, everyone around me went, "no shit Sherlock, we could have told you that!"
If I can manage this, so can everyone else!
What's making me rant? The reality is that the most repeated piece of contact information I have is my phone number and my email address. It is an abject waste of time when they have this on file.
These two pieces of information are also the most readily available and can be checked when calling providers.
Basically, I'm sick of repeating this information half a dozen times a day because a small minority can't get their crap together.
Can we stop punishing the masses for the stupidity and disorganisation of the few (yes, I will get caught in this from time to time, too!) I'm not so naive to expect that this doesn't apply to everyone.
What's the answer?
Like any other piece of agency-related information, contact address, phone numbers, and email address(s) should have a controlled verification process around them.
We don't know how much of an issue this is because it hasn't been looked at or managed.
Over the years, I have come across a few advisers who have called companies posing as the existing advisers to get information on prospect policies. So it does happen. (And I have seen PAs do this where the adviser is female too!)
It's pretty easy to call a company with a private outbound number, with the adviser's name and agency code on the client's renewal schedule. Only adviser honesty prevents this from being a significant issue.
It's more of an issue than the providers would care to admit.
What's the change expected?
Instead of customer service people asking for email addresses at the end of the call, they use the system. The only question that should be asked is, "Are your agency/contact details up to date?"
If yes, "I'll use your email address on file to send you this."
If not, the verification process for changing this with the appropriate agency team members needs to be implemented and either transferred from the customer service person or the caller contacts the company directly for this purpose.
It may sound like a minor little thing, but these petty little things open the door for much larger fraud issues.
Your email address is the core contact point for the bulk of your digital accounts; if this is compromised, or changed with the provider, then the ability for a malicious actor to infiltrate your stuff becomes much much more straightforward.
And yes, in a past life, I was responsible for IT security, so I have seen a thing or two in my time around this, and it's happening more frequently.
The issues with IT security come from cultural arrogance, and this is something we often come across. Sure, making these changes will come with some hassle, but at the same time, it makes our businesses safer and helps us protect our client's privacy.
Client privacy is a significant part of the new Code of Conduct for the industry.
| « Vocational retraining - the improvements | Putting a locum into your firm may be harder than you think » |
Special Offers
Comments from our readers
Sign In to add your comment
|
|
Printable version |
|
Email to a friend |
Food for thought heading into the break; how are you going to manage the noise and time suck of compliance requests from providers against CoFI requirements on them?
The privacy act may be the very tool that protects you and reduces/removes the need to waste time on this stuff in your practice.
Providers are not regulators, big difference with legal requirements to provide information to government agencies like the FMA that the privacy act excludes.
A client that is not with a particular provider has not given explicit permission for you to share their information. So you can not share their information with the provider, despite the FMA requiring that provider to provide disclosure.
If the FMA wants that information, they can ask for it directly.
So if you do say 100 new contracts per year, and only 1-2 with provider XYZ, that provider only has rights to ask about those 1-2 specific client's. They have no rights to the rest of the clients you may or may not have talked to.
Even if that provider has scope in their agency agreement to ask, the fundamental fact is you can't circumvent the law, and the privacy act restrictions trump the provider's request.
In the same way that providers can't ask for a client's complete medical file. As directed by the privacy commissioners 2009 decision. Providers are not allowed to go fishing for information, and the law says so.