With SEC and FINRA regulations constantly evolving and new, more sophisticated cyber threats emerging every day, cybersecurity and compliance are becoming increasingly top of mind for financial advisory firms.
On a recent Beacon Flash Podcast episode, Beacon Strategies’ Managing Partner Chip Kispert sat down with Aaron Spradlin, Chief Information Officer at United Planners, for a conversation about what it means to create a ‘culture of compliance,’ why it’s so important, and how United Planners has done so at their firm.
First, Spradlin defined culture of compliance as organizational buy-in to the importance of compliance and improving change management, as opposed to resisting new controls or looking at compliance as the ‘business killing division.’
Spradlin brought up the idea of ‘Cowboy Ethics’ as it applies to financial services and compliance, meaning that just because regulations don’t explicitly prohibit something, doesn’t mean you should do it. We shouldn’t be trying to skirt the edges, Spradlin explained. We should always be acting in the best interests of those we serve.
To that point, Spradlin believes it’s wealth management and investment advisory firms making the most significant advancements towards building cultures of compliance, while technology vendors are slower to understand and adopt their compliance obligations. Most vendors tend to believe they’ve found a silver bullet compliance technology or that a SOC 2 audit covers all their cybersecurity needs.
At United Planners, Spradlin and his team have turned cybersecurity into a recruitment tool by providing innovative solutions to advisors’ problems that also align with what’s best for the firm. For example, providing a private network removes data from the open internet, which is great for cybersecurity, but it also increases network performance and speed, which improves the advisor experience.
Over the next three years, Spradlin says, moving data infrastructures off the open internet will become the norm. Firms that don’t keep pace with cybersecurity and compliance trends by requiring authentication, offering IP restriction, managing known devices and segmenting data will no longer be in business.
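The controls listed in the summary (authenticated users, IP restriction, known and scored devices, segmented data) combine naturally into one access decision for a back-office API. The following is an added illustration written for this page, not code from United Planners or the podcast; the device registry, posture weights, minimum score, allowed network ranges and tenant labels are all constructed sample values.

```python
"""Layered access decision for a back-office API: require an MFA-authenticated
user, a source address inside the firm's private ranges, a known device that
meets a minimum posture score, and no cross-tenant data access.
All registry entries, weights and thresholds here are constructed examples."""
import ipaddress
from dataclasses import dataclass

MIN_DEVICE_SCORE = 70  # assumed minimum posture threshold (constructed value)

# Constructed device registry: device id -> posture attributes reported by
# a device-management agent (the attribute names are assumptions)
KNOWN_DEVICES = {
    "laptop-1001": {"disk_encrypted": True, "edr_running": True, "os_patched": True},
    "laptop-1002": {"disk_encrypted": True, "edr_running": False, "os_patched": False},
}

# Constructed allowlist: ranges reachable only over the firm's private network
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


@dataclass
class Request:
    user: str
    mfa_verified: bool
    device_id: str
    source_ip: str
    user_tenant: str       # the firm the user belongs to
    resource_tenant: str   # the firm whose data the request touches


def device_score(attrs):
    """Weighted posture score; weights are constructed for the example."""
    weights = {"disk_encrypted": 40, "edr_running": 40, "os_patched": 20}
    return sum(w for key, w in weights.items() if attrs.get(key))


def evaluate(req):
    """Return (allowed, reasons). Every failed layer is collected rather than
    stopping at the first, so a denial can be logged with full context."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("user not MFA-authenticated")
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in ALLOWED_NETWORKS):
        reasons.append(f"source {req.source_ip} outside allowed networks")
    attrs = KNOWN_DEVICES.get(req.device_id)
    if attrs is None:
        reasons.append(f"device {req.device_id} is not a known device")
    elif device_score(attrs) < MIN_DEVICE_SCORE:
        reasons.append(
            f"device {req.device_id} posture score {device_score(attrs)} "
            f"below minimum {MIN_DEVICE_SCORE}"
        )
    if req.user_tenant != req.resource_tenant:
        reasons.append("request crosses tenant boundary (data segmentation)")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok = Request("alice", True, "laptop-1001", "10.20.1.5", "firm-a", "firm-a")
    bad = Request("bob", False, "laptop-1002", "203.0.113.9", "firm-a", "firm-b")
    for r in (ok, bad):
        allowed, why = evaluate(r)
        print(r.user, "ALLOW" if allowed else "DENY", why)
```

The point of collecting all reasons is operational: a request that fails three layers at once (unknown device, public source address, no MFA) looks very different in a log from a compliant user on a laptop whose EDR agent has simply stopped, and the response to each should differ.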
Overview
Cybersecurity 1:25
Culture of Compliance 3:16
Where The Industry is Headed 11:34
Vendor Due Diligence 15:36
Resources
Chip Kispert’s LinkedIn
Aaron Spradlin’s LinkedIn
Beacon Strategies’ Website
United Planners’ Website
Chip: 00:00
Aaron, I am so happy to have you here. Welcome to the Beacon Flash Podcast.
Aaron:00:13
Glad to be here, gentlemen.
Chip:00:15
So hey, I remember the first time I met you probably 12 years ago, maybe longer. We were in doubt. We’re in the lobby of Dallas, Texas and one of our early roundtables. And I remember you, and I sat there probably for two hours talking about the state of the industry. And here we are again. So welcome to the show.
Aaron:00:36
You bet. You bet. That was those were great roundtables, and I always look forward to them. They’re amazing.
Chip:00:41
Well, we’re still doing them. So that’s right. And you’ll be at our roundtable in Sonoma. So we’re excited to see you there. So I want to jump right in. And, you know, the area that you’ve been focusing on, obviously, as as CIO, for your firm, you’ve been focusing on the broader scope of providing information security and the tech stack for your firm. But one of the things I really want to kind of dive into is, what do you think we where are we, right, these days relative to cybersecurity?
Aaron:01:20
Right, right. That’s a great. So you and I have had a lot of conversations about this for years. And you know, what I, early on, you’re one of the early thinkers and people that was talking about the challenges of risk management in financial services, and you were talking about it very broadly, across many sectors of broker dealers and large financial services firms. And at the time, we were also released a note that that really also exists in cybersecurity, in particular, is a lot of risk management challenges. And so at the time, and even today, we’re still struggling with this idea of a culture of compliance. Right. And so where, where I believe the advancement has come, is in the small wealth management offices, traditionally, investment advisory firms, and the like. And BDS in particular, and a lot of NDAs have made a lot of advancement, in my opinion, in a culture of compliance, understanding it, especially because we’re the direct, we’re receiving the direct investing examinations from the SEC and NSD. And so we’re in this challenge of culture compliance, where I see that we’ve made very little progress and was always my initial greatest concern was in vendors, and I do not see any growth in vendors understanding their obligations to create a culture of compliance around cybersecurity and culture compliance in general. And they’re still very much a culture of innovation, and low cost.
Chip:03:04
Let me step in there real quick, Aaron. So, for our listeners purpose, let’s take a half a step back, right? And can you define culture of compliance?
Aaron:03:15
Yeah, I’m gonna do my best and somebody from the compliance departments can tell me I’m wrong. But so you know, culture of compliance really, is what it sounds like. So when it really what it has to do is the the controls, the training, and the overall culture that you build as a firm around the idea that everything you do is centered around a fundamental idea of of compliance, right? So what is compliance? In this case it has to do, for example, when it comes to cybersecurity, and how you manage your code and protect your code, in particular, how do you do code changes? How do you do change management? How do you so it’s like, everybody leans into that they see it as a good part of their job and want to improve change management. It’s where people buy in to the idea of versus resist the idea. So the opposite of culture Compliance would be what I typically run into, and even in my own culture, trying to change it, when you add a new control, they’re like, Well, this is the business with where they use the business killing division, or, you know, this is this is one more thing that’s, you know, wasting our time or in my way. So for example, when you deal with senior engineers, and you say, Listen, you have the keys to the kingdom. So we’re gonna lock you down more, right? You as the most senior engineer have to be the most considerate of what you have access to. And you need to have the most keys you have to turn with other individuals, because you have too much access. So where are those people bought in? And everybody’s bought it culturally. The second part of that answer is long time ago, I worked for one of the largest financial institutions, and luckily, I’ve worked for many of them so we aren’t for everybody forgot which one it was, but the he actually brought in the idea of cowboy ethics, very popular book out there. 
And the idea around cowboy ethics was, how do we as a company, and as a culture understand, for example, one of the principles you and I talked about last time, it’s just because they wrong, don’t make it right. Right, this idea that just because the regulations don’t specifically say you can’t do it, doesn’t mean you can’t. That’s a culture of compliance. So I’m a firm that understands we’re going to not shoot for the edges, we’re going to shoot for what’s in the best interest of the clients and the consumers we serve. That’s what a culture of compliance looks like.
Chip:05:37
Fabulous. All right. So let’s so let’s take that, right. I think you said that the wealth firms are doing an adequate job in this area.
Aaron:05:48
We’re growing, we’re doing better.
Chip:05:50
How are the advisors doing?
Aaron:05:53
Well, again, from a culture of compliance is where we started this question. I believe they’re asking the right questions. They’re concerned, they’re doing the things to progress towards where we all need to be, which we know is not where we’re at today. So suggesting where we need to be is not. But they’re, they’re engaged in the training, they’re asking the questions, they’re doing those, and those are the things that you see out of culture compliance, right? Is a progress towards better because as you know, the threat is emerging and changing. So unless you have a constant change management culture around this, you’re going to fall behind, so there’s no, so they understand that it’s not about some super cool technology to compete on the machine and all the problems go away. Right? What we’re vendors believe that, right? Vendors continually believe that they found some silver bullet, and now they’re good, right? Or, you know, and I’m gonna, I’m gonna say something controversial here, but they’re gonna go out and get some fake SOC 2 audit and claim that that’s enough. Right? And, you know, because we all know, the SOC 2 audit cert really checking the right things. And so, you know, SOC audits are great, but not if they’re not part of a cultural complex. So, because, you know, you can get around those.
Chip:07:16
So, you know, it’s interesting, because I look at your shop, you do development, right, but you also partner with third party vendors, right. And we talked a little bit about this culture of compliance. Where, you know, as we, as we talk about this, where do you see us having to kind of tighten, you know, when we, when we go out, right, and we’re talking to enterprise wealth firms, and we’re seeing less and less, hey, we want to build this right? And more and more, we want to partner. Okay, so we’re going to, we’re going to lease we’re going to rent whatever you want to call it, right. So that comes with its own set of responsibilities in this concept of culture of compliance. Right? So how, how do you see, you know, where do you see the need to tighten?
Aaron: 08:13
Okay, so. So, as an industry, many years ago, I believe I was the loudest voice and was the strongest proponent of moving our industry towards no trust. So
Chip:08:33
Yep, please define no trust.
Aaron:08:36
So no trust is as best known devices, known users. Private Networking, and putting the security as close to the data as possible, right. And so you know, trying to try and to the ultimate goal, no trust is to bring the security and the trust all the way down who you trust, no trust to data, the idea that you would give me an admin user, that by definition, granting them access to database would not be considered no trust, right? Okay. So no trust at its core, though, in my opinion, is a fundamental change in culture compliance, that says, we’re going to move away from this idea that we’re going to operate on the open internet and, you know, somehow, you know, we’re not, we’re not going to be the next, you know, for attacked, we’re not going to be subjugated to zero day attacks. And that dream has been gone for a long time. So everybody has to understand that dream is gone. So then the question is, how do we partner through private trust, private, private networking between vendors? How do we move the data off the open Internet? How do we move to towards sharing the idea of known devices. So is there a technology out there? Like, for example, in our case, we have used one of the technologies we use to try to, we also use Casaya. And we use some other technologies to identify devices that are quote unquote, known devices, we then score those devices to understand if those devices are meeting the minimum standards, not highest standard, but minimum standards before we even let them in. And then we identify the user, which is what most people do today. But then we do author user. And this is because you’re letting somebody into the most private confidential data that you have, and especially the back office system, so why aren’t you identifying the devices they’re on? Why you allowing them to log in from anywhere? Why aren’t you trusting and privatizing the network communications? Why aren’t you doing all these things? Because it’s not a technology problem anymore. 
It’s a cultural problem. So we did ship is long time ago, United Planners created one specific type of culture, which is we have a triangle on our website that says, business solutions, and solving problems, exceeding expectations, right. So the point was, we created a culture in which anything that we did for our advisors wasn’t just a cost of doing business, compliance wise, but we brought some solution innovation that created was beyond their expectations. Okay? How do you do that? Well, you give them a private network that increases their network performance. Right. So now they’re happy that they’re, they’re not using legacy VPN technology. Now, they’re using middle grade technology that is increasing their technology performance, you’re, you’re providing network monitoring device monitoring to them, in a way they can’t do themselves and appreciate the fact that you’re letting them know that devices are protected. So you’re bringing them some type of solution they want to lean into. So it’s, it’s about how you provide them a solution that creates business efficiencies for them, while at the same time operating in both your best interest. Understanding that that does actually still cost more money, right for everybody involved. So there is a culture in which you can innovate, solve problems, and do so exceed their expectations, and then that makes them want to stay with you. And it allows us to market towards them. We wrote a white paper that’s on our website, financial planners.com That explains how we used cybersecurity as a way of recruiting. So we recruit on cybersecurity. Now, that’s a culture. And that’s how you create like you joined us because of our cybersecurity. So next time I come to them with an innovation like Sophos or an innovation like, they’re they lean into that, because that’s why they joined us. Right long answer. But that’s, you know, if you want to put the ecosystem together, it’s what it’s like.
Chip:12:53
So you know, it’s interesting, because you and I, obviously, we’ve, we’ve discussed this at nauseam at different times. Where do you see this going? Right, so where do you see our industry evolving? You know, over the next 36 months? Boy, penny for your thoughts, right. I’ll tell you what I would, I can tell the regulators are going to do.
Aaron:13:21
So the regulators have come out. The SEC, and the FBI have really encouraged everybody to move, no trust. So we’re already there. We have a great if anybody wants to search for United Planners, I can Yahoo, there’s a great press release recently, that we did around being the first firm to take all of our infrastructure off the open Internet. That is not that is not everybody needs to move that way. Right. And I don’t think I don’t think anybody in five years will be in business, if their stuff. They’re there, they’re leaving their API open to the open internet, I just think advisors would bail out, or right. And so I can tell you, for example, all of our vendors we have for our home office today. Not only are they having to use private networking with us, for my vendors that I use, but I require my data to be off the open internet for them to. So I have backoffice technologies where I’m like, you segregate my data, do not commingle my data, do not expose the API to the open internet for my data. And then I want Private Networking for that. So So if somebody’s going to want to sell to most of the largest people that have money broker dealers, like myself and other watch institutions. I think the pressure is coming to take the data off the internet, when I can tell you is that I get a lot of pushback on something that costs them very little money. To do private networking alone is easy. There’s 1000 choices. I prefer the use of CleverDome, not only because I founded the company, but because I think it’s more secure and faster. But if they don’t want to use that you don’t force them to use.
Chip:15:03
Well, I will say this about CleverDome. It’s a nice envelope in many ways, right?
Aaron:15:08
It’s a shared network, it’s a shared solution. People can opt in or opt out, I’m not forcing anybody to use it. And I don’t, it’s there as a solution as a thought leader, for where we can go. And as you saw a recent press release, we’re now a network of networks. So we’ve added additional networks to the solution that we can do. So I do believe there’s your thoughts on that, but I think the idea is that the point is, is that having to do VPN legacy L2 stuff is gone. Okay. So there is no trust networking, there is AWS solutions out there, there’s all kinds of solutions. So it’s easy to do. But the fact that they’re like, I don’t want to do it, you know, it’s like, I mean, like, when did you become boss? I’m the client, right? Is that culture. So let’s roll, that they don’t want to segregate my data, like they think that commingling all the data in a single database, and exposing that data with an API to open Internet using user base authentication alone, and not even bothering to have an IP locking on the data. I mean, even Salesforce, you know, requires 2FA today, and all the major institutions allow you to do IP restriction. I mean, they don’t even have IP restrictions. You know, so this is just like, stuff you should have been doing in the 19, you know, the 2000s. And they don’t even do IP restriction. They don’t segregate data. And they’re out there selling this technology to all these advisors based on low cost. All right, so Okay, I think that’s dead.
Chip:16:44
Okay. All right, you think that’s, that’s dead, you said,
Aaron:16:48
I give you asked me in the future – those firms will not be in business, they will be acquired, which is going on. And then the people who acquire them are going to get stuck with the cost of figuring that out.
Chip:17:00
Right. So those firms that aren’t doing do authentication, IP restriction, managing known devices, and segmenting the data, to give it to sum it up real quick, right?
Aaron:17:09
They’re just gonna lose clients, they’re gonna, they’re gonna be great, lose the relevance, and they’re gonna be exposed.
Chip:
Okay, I get it, I get. So let’s look, I got two more questions. And then given this as a 20 minute flash here, but the subject matter is awesome. So I’m having fun with it. So when we look at how do you see the information sharing structure, changing within the wealth space, because the amount of work that we’re doing out there right now where we’re weaving in the client, we’re weaving in the advisor. And ultimately, we have to weave in the home office at the enterprise. Right? So the client may be adding in account information. Personal information that is trans transferring to the advisor, who they hate if they’re in a 1099 environment, they’re running their own environment, per se. Right, and then you got the broker dealer. So how does information sharing structure change within the wealth space?
Aaron:18:15
Well, I’ll tell you what we’re doing. I’ll tell you what I see happening. And where it lands is a great question. So at United Planners, for years, we created two cones, well, we have three concepts that most firms today are either implementing or have implemented or want to implement. One is an identity provider, we’ve had that for almost 10 years. The second is the idea of a source of accurate record, a centralized open API, back office system that can integrate with any of the different solutions that advisors use, can share data two ways is the old, you know, SSO to a data sharing. So you know, you have a back office system as a financial institution that is receiving data, whether it’s through DocuSign, innovation integration, whether it’s through, you know, a CRM innovation integration, that you’re doing two way communication, and there’s there’s this back office system that is API driven, that collects all this data stores all this data, and becomes the source of accurate record. The third thing that we have, that I believe not many other firms have is we’ve also done something called object storage solutions, where we’ve been able to take any object in the cloud, any set of data, images, videos, everything that we collect as a firm and store it in a central place, share it among multiple different systems and, and define it and make it regulatory compliant. Okay, so that is object storage solutions, for example, as a use case, allows us to get statements that are sent to clients from Orion. We’re able to store it in our system, then we’re they’re able to define the object with their data. We’re able to define the object with our data, and then the object can be shared and there’s this Come in our system without having to store it twice. Right? So, okay, so that is where we have to go as an industry. And we’ve been talking about it as an industry so that technology exists, that technology can be regulatory compliant. And we call it object storage solutions. 
And it’s one of the innovations that United Planners has that has differentiated us in the market. We do it with all bridge statements. We do a client letters, we’ve got it all this quote, got it. Okay. But I have seen some conversations with vendors trying to be that for the industry. So I know of one vendor. That is so I’d say, Ryan, I know Ryan is working on a very big project. And we thinking about all the acquisition they’ve done, how to integrate that into a single repository, and then how to bring vendors into that. So silver, silver bullet to Dotto. I know a lot of the vendors believe that they can be this for the industry. I think there’s a lot of thinking and money going into that is it can a vendor do this, can a vendor do this for the industry? Because at the time, I think TDA might have been that. We know Schwab won’t be that, and for many reasons that are justified. So if Schwab’s not going to do it TDA is essentially gone. As a culture and as a platform. I don’t I see. I know all like to testify, which, sorry for saying the last name wrong. Oh, like that there’s a platform? Yeah. Right. Yeah, man, he’s got a solution that he’s kind of trying to lead that leadership on. I know, quite a different vendors are trying to show up with technology to solve this. So Chip, long answer. And I try to point these people out that people are thinking about it and trying to do it, and not bragging. But the good news is, these people are not trying to do something impossible, because we’re already doing, right. So it’s been done. But I haven’t done it in a way that I can share it out to everybody else. So these other people are trying to find ways of doing it when they can share it out and become a platform. I think that’s gonna be successful. I think what Ryan’s doing in particular, has a very good chance of being very successful.
Chip:22:08
Great. I got one last question. What keeps you up at night?
Aaron:22:16
Well, what keeps you up right now are vendors, we don’t have a great solution for vendor due diligence. We don’t have a great solution for because I’m 1099 advisors and they’re independent. I can only go so far and solving problems that, you know, that keep me up at night. You know, I you know, and so because of that, you know, I have to say yes to certain vendors that if we were not if I had my choice, I’d say no to. So a lot of vendors on my platform that prefer not be there. But I have to risk manage those. Those things keep me up at night, but nothing keeps me up at night that I don’t I don’t have a solution for right, but I’m working. So we have come up with a simplified questionnaire that we’ve been using and very successful with about I think we’re about 50 questions, I want to be 45 or 35 could be that we send to vendors that ask simple questions that let us know which firms have a culture of compliance. Sure. And which ones do not? What I’m looking for quickly is not your they send me to try to load me up with paper. I don’t I don’t really care. I got 30 questions I have to ask you, right. And based on how you ask these questions, I’ll know whether what I’m looking at is toilet paper, or whether what I’m looking at is justified and I can trust it. And do you have a full time CIO? Right? Simple things like just, you know, no. Okay.
Aaron:23:45
Thank you. Yeah, thank you. Right. And, uh, when’s the last time you’ve updated certain documents even have certain documents? And when were they last updated? I don’t even need to look at how often do you update them, these things will tell you about the culture. So that so we’ve been very successful with that we’ve been sharing it out to other firms, try to share it out to you and get your thoughts because you’re a thought leader in this area. But I do believe we can come up with as an industry a set of questions. I think we can make them public because they’re not confidential answers. And I think if we can take these questions, put them out there, share them, put them on a website. And and then you can know, who doesn’t let us publish them? And who does let us publish those? I think the best elixir to all these stuff is information. Transparency. Right. So I think that’s the solution. And I think us partnering with what you’re doing and what other thought leaders doing, find a way of taking this questionnaire that we’ve got improving it, getting it public. And, and just using it as a way of having something that every firm should have on their website anyways. You know, what are your what, you know, what, who’s your CIO? Right, you know, what are these forms when you update it? So, I think it’s one thing we’re working on that how lets me sleep a little better at night and only we have a plan. And then I don’t think it’s helps me sleep at night sit is the fact that we took our data off the internet. So I used to not be able to sleep at all. But now knowing that you can’t even log into my website from my back office that I’m responsible for, primarily, without being on a secure private network on a trusted device. No hacking. No pinging my API. I am. I am on the dark web. I am off the open Internet. I’ll tell you what, Chip, I’ve been sleeping. Great. Good. Now I’m more worried about backups recovering.
Chip:25:43
And you get to go hang out in Big Bear. Right.
Aaron:25:45
Yeah. Not get to go. Hang on, Victor. I wasn’t in Big Bear six months ago. I’ll tell you that. Right. So but we’re off and that has helped me sleep a lot better. We’ve got vendors that are off. We’ve got vendors that are leaning into us. The future is bright.
Chip:25:58
Good. Good. Aaron. I love talking to you. Thank you so much for joining us on the Beacon Flash Podcast.
Aaron:26:06
And you bet it was awesome. Thanks, like always great to talk to you till next time and that’s how we do it.