Real Time Advisory - IIA Case Submission 2013


Upload: john-cao

Post on 15-Aug-2015


IIA & PICPA Case Competition 2013 Team: Real Time Advisory John Cao | Tho A. Hoang | Khoa Huynh | Ryan S. Wood

CASE BRIEF: DEVELOPING A MOBILE DEVICE STRATEGY This report was prepared by Real Time Advisory Group to provide Fairfield Trust Company with a mobile device strategy. It recommends a Bring-Your-Own-Device (BYOD) program for Fairfield personnel and an online trading program for Fairfield customers, identifies the risks each program introduces, and proposes controls to manage those risks. With the recommended programs, Real Time Advisory Group is confident that it can offer Fairfield a solution that will not only save costs, retain key personnel, and provide comprehensive customer service, but also strengthen Fairfield's competitive advantages and sustain its future growth.

REAL TIME ADVISORY FAIRFIELD TRUST COMPANY

REAL TIME ADVISORY 4/5/2013 Page 2

Table of Contents
FAIRFIELD TRUST COMPANY - BACKGROUND & ISSUE  3
INTERNAL STRATEGY – IMPLEMENT A BYOD PROGRAM  3
  SIX RISKS OF IMPLEMENTING BYOD  3
  INTERNAL SOLUTIONS – BYOD PROGRAM  4
  COMPARISON OF A BYOD AND BLACKBERRY PROGRAM  4
  TO-BE DIAGRAM INTRODUCTION  6
  DATA ACCESS AND PROTECTION CONTROL FOR BYOD PROGRAM  6
  PAYMENT AND ADMINISTRATION OF EMPLOYEE EXPENSES RELATED TO MOBILE DEVICES  8
EXTERNAL STRATEGY – EXECUTING TRADES BY ELECTRONIC DEVICES  9
  CUSTOMER SERVICE BACKGROUND  9
  ISSUE  9
  FOUR RISKS OF IMPLEMENTING TRADES BY ELECTRONIC DEVICES  9
  CONSIDERATIONS AND RECOMMENDATION  11
ETHICS & COMPLIANCE  12
APPENDIX  14
  SAMPLE POLICIES  14
WORK CITED  15


Fairfield Trust Company - Background & Issue The Fairfield Trust Company ("Fairfield") is an independent investment and wealth management firm headquartered in Philadelphia, PA. It offers formal investment services to various entities and provides wealth advisory services to complement its primary services of investment management and trust administration. Fairfield Investment Management ("FIM") has $3 billion of assets under management in Fairfield's proprietary family of mutual funds. As of 2012, Fairfield is a national trust company with 12 offices throughout the US, including offices in New York, Delaware, Illinois, and California; it employs 210 people and serves more than 2,500 clients. The company has three categories of employees: management, investment advisors, and administrative support (HR, Compliance, Accounting, and IT). With the company's rapid growth, the expanding use of mobile devices has produced significant costs for the supporting infrastructure and for user support. Changes in technology have also raised several issues with mobile device usage. The BlackBerry service contract ends within the next three months, and the infrastructure is due to be replaced. The new BlackBerry contract will cost ten percent more and will no longer offer unlimited data usage. Employees are asking to use devices that the IT department does not currently support; some of them switch back and forth between a BlackBerry and a personal mobile device, and some want to bring personal tablets to assist with presentations to their customers. The BlackBerry devices can access only company mail, and there is no external access to the company's network other than through VPN on company-issued laptops. Although the majority of the data stored on the company's servers is low risk, some of it is highly confidential. On the customer side, Fairfield does not allow online trading via the Internet or via a mobile device-based app.
Customers can check their portfolio only by contacting their investment advisors; they cannot access the information on demand themselves. Fairfield management is currently looking for ways to save costs, retain key personnel, and provide comprehensive customer service. The management team is working on a project to develop a mobile device strategy, and is seeking recommendations on whether to remain with the current corporate-liable BlackBerry program or move to a BYOD program, which allows employees to use their own devices for business purposes.

Internal Strategy – Implement a BYOD Program

Six Risks of Implementing BYOD Based on the definition and scope of a BYOD program, the management team needs to consider the following risks:

1. Malware and Spyware: Although malicious software historically affected mainly personal computers, in recent years the mobile industry has seen an increase in the number of malware and spyware programs that cause serious harm or loss of confidential information for individual users and companies. A BYOD program in particular, because it supports a variety of mobile operating systems (OSs), has a higher chance of being affected by malware and spyware. According to the article "A Survey of Mobile Malware in the Wild", published by the International Journal of Computer Aided Engineering and Technology, there were six predicted trends for mobile malware in 2012: a. Mobile Pickpocketing: This type of malware lures users into installing applications that charge money by sending text messages to, or calling, premium-rate services. One of the first to surface, in June 2011, was called GGTracker; the most recent attack at the time of writing was called RuFraud.

b. Botnets: A botnet is a network of compromised devices under an attacker's remote control, used to send spam or to take part in DDoS attacks. Although mobile botnets have not yet been fully deployed, they are expected to grow and develop very fast in the near future.

c. Vulnerable Smart Devices: Nearly every Android smartphone has some kind of security weakness. Both Android and iOS are complex systems with known security bugs, which malware can readily exploit.

d. Automated Repackaging: Attackers take money not only out of developers' pockets but also out of consumers' when legitimate applications are repackaged with malware and redistributed.

e. Malvertising: Malvertising uses genuine-looking advertisements that link to fraudulent sites. It can lead to malware being downloaded to a device without the user's awareness.


f. Browser attacks: Malware delivered through mobile browsers is increasing rapidly.

Additionally, BYOD devices are themselves targets of hacking. By exploiting weaknesses in a system or network, attackers can gain access to confidential data and disclose, steal, or damage information in the mobile infrastructure.

2. Encryption and Information Protection: When confidential data is authorized to be accessed and downloaded to personal devices, there is a risk that the data will not be encrypted properly and will be vulnerable to malware or hacking.

3. Data Loss: Implementing a BYOD program increases the risk of mobile devices being stolen or lost. Since the program allows employees to bring their own devices to work, corporate data can be disclosed easily without specific policies. Furthermore, personal devices are unlikely to have appropriate backup programs that can restore data after a device is lost or significantly damaged.

4. Mobile Device Access Control: Personal devices are not required to have a complex passcode configured, so they are more vulnerable to unauthorized access and may expose confidential information to attackers.

5. Jail Breaking (iOS) or Rooting (Android): Many mobile users modify the original operating system to expand the capabilities of their iOS and Android devices for personal use. Such modifications remove platform protections, make the devices more vulnerable to attack, and may expose confidential information stored on them.

6. Management Risks: A focus on applications rather than on corporate strategy may limit a complete corporate view of the deployment, maintenance, and security of a mobile platform. A BYOD program may also prevent a centralized approach to managing applications and devices, because of the different operating systems and user modifications involved. This in turn makes scaling difficult, given the lack of a unified mobile strategy and little to no mobile governance for a BYOD program.

Internal Solutions – BYOD Program Although a BYOD program involves many risks, the fact that Fairfield Trust Company is searching for ways to save costs, retain key personnel, and provide comprehensive customer service leads to our recommendation of a BYOD program combined with a mobility platform, an Enterprise Mobility Management (EMM) system, and new Bring-Your-Own-Device (BYOD) policies as the solution for Fairfield's mobile strategy.

Comparison of a BYOD and BlackBerry Program Our recommendation that Fairfield replace the BlackBerry program with a BYOD program is based on the following comparisons:

1. Cost Savings: With the BlackBerry program ending in three months, the infrastructure is due to be replaced by one that carries a cost increase of approximately ten percent. BlackBerry will also no longer offer unlimited data plans. Renewing the BlackBerry program is therefore not a cost-saving strategy for Fairfield. A BYOD program, on the other hand, is cost efficient for the company because telecommunication service plans become the responsibility of the employees. Fairfield also saves money when it no longer has to purchase new devices or pay maintenance fees for employees. A BYOD program can help Fairfield save costs in conjunction with a mobility platform and an Enterprise Mobility Management (EMM) system. To address the data plan problem, we recommend that Fairfield require employees to subscribe to an unlimited data plan in order to participate in the BYOD program. This requirement avoids the cost of determining which data downloaded to a device was for business use and must be reimbursed.


2. Key Personnel Retention: Based on the case study, Fairfield employees are becoming more familiar with new technologies and would like to use them at work. Changes in technology and personal mobile use have led some employees to ask to bring devices that the BlackBerry program does not currently support. Investment advisors and management, who travel most of the time and meet clients, have the greatest need for a variety of mobile devices. The BlackBerry program has limited capability to support different devices, and on BlackBerry devices employees can only check their business email. In a very competitive business environment, turnover may increase if the company does not adapt quickly to new technology in the workplace. A BYOD program not only gives employees the freedom to use any device available on the market, but also allows them to upgrade their devices based on their needs.

3. Comprehensive Customer Service: Personal customer service is a competitive advantage of the company's culture and differentiates it from larger competitors. However, the company faces higher customer service demands: it serves more than 2,500 clients across the country with only 210 employees. Furthermore, the management team and investment advisors travel frequently to meet clients, and they need access to market information from exchanges around the world in order to advise them. The current BlackBerry program limits personnel from serving clients anywhere at any time, because it offers only the ability to check corporate email and will no longer include an unlimited data plan. With BYOD, management and investment advisors will be able to access market information from exchanges around the world and offer advisory services to clients around the clock. Communication with current clients and presentations to potential clients will also benefit from the variety of devices personnel bring. We further recommend that Fairfield offer management and investment advisors incentives to bring new technology into the business, because it will strengthen the personal customer service strategy.


To-Be Diagram Introduction

The To-Be diagram is a visual tool for introducing our solution: a BYOD program, a Mobile Device Platform, and an Enterprise Mobility Management system. The diagram contains four main components: Database, Mobile Device Platform, Enterprise Mobility Management (EMM) System, and Mobile Devices. The first component is the database layer, which includes an ERP database, any legacy databases, third-party databases, and the Internet. The second component is the Mobile Device Platform, which serves as the base for connectivity, certified mobile applications (both in-house and third-party), and operating system adapters. The mobile applications can be developed for both internal and external parties. The third component is the EMM system used to monitor the platform, and the last component is the mobile devices owned by employees.

Data Access and Protection Control for BYOD Program Data is one of an organization's most important intangible assets, and implementing a BYOD program raises the risk of data loss or exposure, so it is important to consider mobile security at each of the following levels.

1. At The Source: "Source" means any component within the company's firewall, especially the confidential data residing in the databases. Source data must be protected by user policies and strategies that grant, limit, or prohibit access to the corporate network. To address this, we recommend that Fairfield implement mobile virtual private network (VPN) tunnels or a secure mobile network operations center (NOC), so that every time employees need access to the source they must be authorized by the company network center. Whenever data is pulled from the databases, a control will require the employee's identifier and password. Please refer to indicator 1 in the diagram. Furthermore, authorization should be granted to employees based on their job titles and rank in the company. Management and investment advisors should be authorized to view and edit clients' confidential information, while administrative support employees should have limited access to this type of information.

2. During Transmission: The transmission of information over a wireless network must also be secured. Securing transmission includes verifying and authenticating the sender as well as additional measures such as data encryption. Within the BYOD diagram, security is in place not only between the databases and the connectivity layer, but also between connectivity and the mobile applications, and between applications running in different adapters and the devices. Please refer to indicators 2a and 3 in the diagram. To secure information in transit from connectivity to the application, the EMM system will allow corporate data to pass only through applications certified by the corporate IT department, confirming that the applications are free of viruses and malware and are used for business purposes. All such applications can be downloaded from an online store (2b) residing within the EMM system, and employees are required to use only the applications available there for business. To secure information between the application and mobile devices using different adapters, we recommend that the company adopt a policy requiring employees to configure a complex passcode at the operating system level: at least 8 characters, containing letters, numbers, and a special character, and changed every 90 days. (A practitioner's caveat: later guidance, such as NIST SP 800-63B, discourages forced periodic rotation; a longer minimum length, a limit on failed unlock attempts, and full-device encryption tied to the passcode do more for a lost device than a 90-day change cycle.) Furthermore, three elements at this stage deserve attention: sending, reception, and transit. The activities in each of these should be monitored by the IT department so that any potential data loss or theft can be recognized and resolved.

3. At Target (Internal Devices): Because of the variety of devices employees may bring to work under a BYOD program, Fairfield should anticipate a greater risk of exposure of confidential data through theft, loss, or malware and spyware. The EMM system is therefore designed with a Lock & Wipe function (4) that automatically locks a device and erases all confidential information, over the air or on the device's next connection to Fairfield's network, once it is reported lost or stolen. Note that a remote wipe only takes effect when the device is reachable; the device-level passcode and encryption from the previous step are what protect the data in the interval before the command arrives, and the wipe should target the corporate container rather than the employee's personal data. Besides requiring employees to configure complex passcodes, the new policies also require employees to report a lost or stolen device, or any malware activity on it, immediately to the IT department so that the Lock & Wipe process can be activated in time. The Monitoring function (5) in the EMM system also tracks the device's location, reports its activities, and terminates any illegitimate transactions on a lost or stolen device. This information can be used to help recover the device and prevent exposure of confidential information.

4. Authentication, Firewalls, and Jail Breaking or Rooting Policies: To qualify for the BYOD program, all personnel must be approved for authentication and permissions by their managers based on their job titles. A report will be generated automatically every month by the Profile & Roles function (6) in the EMM system. The report is emailed to the appropriate managers or the HR Department, who must confirm that the job title of each employee using BYOD matches the authentication and authority they possess. Key managers and the HR Department must notify the IT department of any terminated, transferred, or newly hired employees within three business days so that access can be removed, updated, or added respectively. Firewalls must be in place in front of each database and within Fairfield's networks, under management of the IT Department, to block spyware and virus attacks. Furthermore, standard anti-malware software must be installed and kept updated to the latest version on every mobile device under BYOD, from a vendor in whose services Fairfield is confident. New policies must require that employees not intentionally jailbreak or root their devices once registered in the BYOD program. If they do, the Monitoring function within the EMM system notifies the IT department, which locks the device immediately and sends a warning message to the employee.

5. Data at Rest Protection: Data residing in the databases must be backed up to tape every month and by backup software every week. Tape backups must then be sent to Fairfield's safe for protection; the tapes are rotated annually for reuse. Backup software must come from a vendor in whose services Fairfield is confident. Software backups must be performed for Fairfield's databases as well as for each mobile device. Personnel are required to start the backup on their devices every day at a specified time, and may choose whether or not to back up their personal data. If they choose to back up personal data, Fairfield must commit not to use that data for any purpose. The backup process is run and monitored automatically by the Backup & Restore function (7) within the EMM system. The backup software is installed and configured on mobile devices automatically when they are registered for the BYOD program.

6. Training and Risk Awareness Promotion: We recommend that Fairfield require its employees to attend mandatory annual training on mobile device usage, so that they understand their rights and responsibilities when using their devices under the BYOD program. We also recommend an awareness campaign that encourages employees to protect the company's confidential information and to report any suspicious activity related to malware, spyware, or exposure of confidential data.
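The controls in steps 1, 3 and 4 above combine into a single decision at the moment an employee's device asks for client data: is the device in an acceptable state, and does the employee's role permit the action? The following is an added example written for this edit, not code from the original report or from any EMM product. The record layout, the role names, the 7-day anti-malware freshness window and the sample postures are assumptions constructed for the example; the 8-character complex passcode, the lock on jailbreak and the wipe on a lost report come from the policy text.

```python
# Added example (not Fairfield's or any EMM vendor's code): a conditional-access
# check combining role-based data access ("At The Source") with device posture
# ("At Target", "Authentication, Firewalls, and Jail Breaking or Rooting").
# Record layout, role names and the 7-day anti-malware window are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Role -> actions permitted on client confidential records. Anything not listed
# is denied, which is what "limited access" for administrative support means.
ROLE_PERMISSIONS = {
    "management": {"view", "edit"},
    "investment_advisor": {"view", "edit"},
    "admin_support": {"view_summary"},
}

AV_MAX_AGE = timedelta(days=7)   # assumed freshness window for anti-malware definitions
TODAY = date(2013, 4, 5)         # constructed: the report's date


@dataclass
class DevicePosture:
    """Posture as reported by the EMM agent at the time of the request."""
    device_id: str
    enrolled: bool                       # registered in the BYOD program
    jailbroken: bool                     # jailbreak (iOS) or root (Android) detected
    passcode_min_length: int             # passcode length the OS enforces
    passcode_complex: bool               # letters + digits + special required
    antimalware_updated: Optional[date]  # None = no anti-malware installed
    reported_lost: bool


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    device_action: str = "none"          # none | lock | wipe (wipe implies lock)


def check_posture(d: DevicePosture, today: date):
    """Return (policy violations, EMM action): a lost device is wiped, a
    jailbroken or rooted one is locked, as steps 3 and 4 require."""
    reasons, action = [], "none"
    if not d.enrolled:
        reasons.append("device is not enrolled in the BYOD program")
    if d.reported_lost:
        reasons.append("device reported lost or stolen")
        action = "wipe"
    elif d.jailbroken:
        reasons.append("device is jailbroken or rooted")
        action = "lock"
    if d.passcode_min_length < 8 or not d.passcode_complex:
        reasons.append("passcode policy not enforced (8+ characters, complex)")
    if d.antimalware_updated is None or today - d.antimalware_updated > AV_MAX_AGE:
        reasons.append("anti-malware missing or definitions out of date")
    return reasons, action


def evaluate_access(role: str, action: str, posture: DevicePosture, today: date = TODAY) -> Decision:
    """Posture is checked before role: a valid identity on a compromised device
    is still denied, and the device action is handed back to the EMM."""
    reasons, device_action = check_posture(posture, today)
    if reasons:
        return Decision(False, reasons, device_action)
    if action not in ROLE_PERMISSIONS.get(role, set()):   # deny by default
        return Decision(False, [f"role '{role}' is not permitted to '{action}' client records"])
    return Decision(True)


# Constructed sample postures covering the cases the policy text describes.
SAMPLE_DEVICES = {
    "compliant": DevicePosture("dev-1", True, False, 8, True, TODAY - timedelta(days=1), False),
    "rooted":    DevicePosture("dev-2", True, True, 8, True, TODAY, False),
    "lost":      DevicePosture("dev-3", True, False, 8, True, TODAY, True),
    "weak":      DevicePosture("dev-4", True, False, 4, False, None, False),
}

if __name__ == "__main__":
    for role, act, name in [("investment_advisor", "edit", "compliant"),
                            ("admin_support", "edit", "compliant"),
                            ("management", "view", "rooted"),
                            ("management", "view", "lost"),
                            ("management", "view", "weak")]:
        d = evaluate_access(role, act, SAMPLE_DEVICES[name])
        print(f"{role:19} {act:12} {name:9} {'ALLOW' if d.allow else 'DENY':5} "
              f"action={d.device_action} {d.reasons}")
```

Posture is evaluated before the role on purpose: an investment advisor on a rooted phone gets the same "deny and lock" as anyone else, and the returned device action is what the EMM's Lock & Wipe function (4) would act on.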

Payment and Administration of Employee Expenses Related to Mobile Devices One way many companies manage telecommunication expenses for multiple devices is to implement a Telecommunication Expense Management (TEM) system. Please refer to indicator 8 in the diagram. For an effective TEM system, Fairfield must identify the proper management functions and analyze the cost and benefit of TEM. Visibility of mobile device usage is the first step toward an effective TEM system. A company can and should track the various device uses that drive up expenses. Beyond basic voice, data, and text services, an expanded lifecycle management platform can point to the source of charges for other activities that rapidly multiply expenses. A full-featured platform should also let IT set usage limits and tailor them to job function or the user's position in the organization. Thresholds and alerts can enforce company usage policies, and reports can help departments budget more accurately.

Advanced management functions
• The goal is to help the business monitor and optimize expenses and policies over the entire lifespan of each device.
• Starting with purchases, a device lifecycle management platform can introduce and automate a hierarchical approval process for devices and service plans. Employees' options and reimbursement policies can be tailored to departments and user profiles, and devices and plans can be bundled and offered to lower spending.

• Businesses also need the ability to track and correlate employee, device and service plan status. The introduction of a full-featured device management solution inevitably uncovers service plan payments being made for devices no longer in use, or reimbursements coming out of a department's budget for employees who have left the company or changed jobs.

• Real-time visibility makes it possible to identify and flag devices that do not meet the company's requirements in terms of minimum hardware and software levels, or those devices that are eligible for upgrades or plan adjustments. Automated functions can also include history logs for users and groups, giving IT and finance teams valuable information for trend analysis and accurate expense forecasting.

• These types of capabilities are key differentiators for the platforms offered on the market today. And the levels of automation also vary from vendor to vendor. While a small business might be able to regularly review reports, a large enterprise should carefully consider the time required to manually review summaries of device status and use, and look for a solution that automatically generates change orders to service providers in the event of any detected changes in device or employee status.
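The monthly Profile & Roles report in step 4 of the BYOD controls and the TEM point above about reimbursements still being paid for employees who have left are the same reconciliation: join the HR roster to EMM enrollment and TEM payments and report every disagreement. The following is an added example written for this edit, not code from the original report or any EMM or TEM product. All three data sets are constructed for the example; the record layout, the 60-day inactivity window and the weekday-counting rule are assumptions, while the three-business-day notification window comes from the policy text.

```python
# Added example (not Fairfield's or any EMM/TEM vendor's code): reconciling the
# HR roster against EMM enrollment and TEM reimbursements, as the Profile & Roles
# report (6) and the TEM lifecycle bullets describe. Data sets are constructed;
# record layout, 60-day inactivity window and weekday rule are assumptions.
from datetime import date, timedelta

TODAY = date(2013, 4, 5)               # constructed: the report's date (a Friday)
NOTIFY_WITHIN_BUSINESS_DAYS = 3        # policy: IT must be told within 3 business days
INACTIVE_AFTER = timedelta(days=60)    # assumed: unseen this long = "no longer in use"

# Constructed HR roster: employee id -> role, status, date the status last changed
HR_ROSTER = {
    "E001": {"role": "investment_advisor", "status": "active",     "changed": date(2012, 1, 9)},
    "E002": {"role": "admin_support",      "status": "active",     "changed": date(2013, 3, 1)},
    "E003": {"role": "management",         "status": "terminated", "changed": date(2013, 3, 29)},
    "E004": {"role": "investment_advisor", "status": "terminated", "changed": date(2013, 4, 3)},
}

# Constructed EMM enrollment: one record per device and the role it was granted
EMM_DEVICES = [
    {"device_id": "dev-1", "employee_id": "E001", "role_granted": "investment_advisor", "last_seen": date(2013, 4, 4)},
    {"device_id": "dev-2", "employee_id": "E002", "role_granted": "investment_advisor", "last_seen": date(2013, 4, 4)},
    {"device_id": "dev-3", "employee_id": "E003", "role_granted": "management",         "last_seen": date(2013, 1, 15)},
    {"device_id": "dev-4", "employee_id": "E004", "role_granted": "investment_advisor", "last_seen": date(2013, 4, 2)},
    {"device_id": "dev-5", "employee_id": "E999", "role_granted": "management",         "last_seen": date(2013, 4, 1)},
]

# Constructed TEM reimbursements approved for the month
TEM_REIMBURSEMENTS = [
    {"employee_id": "E001", "month": "2013-03", "amount": 60.00},
    {"employee_id": "E003", "month": "2013-03", "amount": 60.00},
]


def business_days_between(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end` (no holiday calendar)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def reconcile(roster, devices, reimbursements, today: date = TODAY):
    """Return (finding kind, subject, detail) tuples for every disagreement
    between HR, EMM and TEM records."""
    findings = []
    for dev in devices:
        emp = roster.get(dev["employee_id"])
        if emp is None:
            findings.append(("unknown_employee", dev["device_id"],
                             f"no HR record for {dev['employee_id']}"))
            continue
        if emp["status"] == "terminated":
            late = business_days_between(emp["changed"], today) > NOTIFY_WITHIN_BUSINESS_DAYS
            findings.append(("terminated_still_enrolled", dev["device_id"],
                             "overdue" if late else "within notice window"))
        elif emp["role"] != dev["role_granted"]:   # transfer not reflected in EMM
            findings.append(("role_mismatch", dev["device_id"],
                             f"HR role {emp['role']} vs granted {dev['role_granted']}"))
        if today - dev["last_seen"] > INACTIVE_AFTER:
            findings.append(("inactive_device", dev["device_id"],
                             f"last seen {dev['last_seen']}"))
    for r in reimbursements:
        emp = roster.get(r["employee_id"])
        if emp is None or emp["status"] == "terminated":
            findings.append(("reimbursement_after_exit", r["employee_id"],
                             f"{r['month']} ${r['amount']:.2f}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in reconcile(HR_ROSTER, EMM_DEVICES, TEM_REIMBURSEMENTS):
        print(f"{kind:26} {subject:6} {detail}")
```

Each finding maps to a specific follow-up: "terminated_still_enrolled" marked overdue means the three-business-day notification rule was missed and access should be removed now, "role_mismatch" is a transfer whose permissions were never updated, and "reimbursement_after_exit" is the budget leak the TEM bullets warn about.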

Investment Valuation While some EMM and TEM solutions require substantial up-front investment, both for the software and for the required server platforms, there are cost-effective software-as-a-service (SaaS) offerings at price points that give a very attractive ROI to businesses of all sizes. Businesses should also look for a solution with lightweight agents for the managed devices. This is essential for extending the life of the MDM solution in terms of scalability as the company grows, and users are much more likely to accept a solution with a small device footprint, especially under a BYOD program.


Return on Investment The insights gained about device usage behavior can improve budgeting and enable more accurate forecasts for infrastructure capacity planning. Businesses can also identify opportunities for cost reduction and lower telecom expenses by as much as 40% by choosing carriers and plans that suit the company's budget. Tracking real-time usage patterns shifts device management from a reactive to a proactive activity, enabling immediate changes that avoid overspending in a fast-growing expense category. With automatic alerts and advanced features such as automatic change-order generation, advanced lifecycle management platforms further reduce the total cost of ownership of the solution and maximize the savings on the managed devices.

External Strategy – Executing Trades by Electronic Devices

Customer Service Background Since its inception in 1994, online trading has boomed, and almost every investment firm now has an online trading platform. With the growth of computer technology and the shift to mobile, online trading has become more important than ever for traders. According to a 2011 Forrester Research study, 11% of US online adults with investment accounts say they are mobile investors, and 27% of those mobile investors are also mobile traders who have bought or sold stocks, bonds, mutual funds, or ETFs (Akamai Industry Factsheet, 2012). Online trading gives anyone with a computer, enough money to open an account, and a reasonably good financial history the ability to invest in the market; a personal broker or a disposable fortune is not required. The difference between an online brokerage and a full-service brokerage is the extent of the service. Full-service brokerages provide a highly skilled stockbroker or investment planner to manage your investments. Online brokerages, or discount brokerages, do not provide a broker's or investment planner's help. Depending on a customer's expertise and knowledge, online brokerages can be risky for newer users. Over the years, however, online brokerages have become more competitive by offering many of the free analytical tools and services that traditional full-service brokerages provide. Currently, Fairfield does not allow online trading for its customers, either through the Internet or through a mobile app. Customers check their investment portfolio by contacting their investment advisor, and have no immediate access to their information. Fairfield would be classified as a full-service brokerage with no online integration, while almost all of its competitors have adopted online trading.
Most brokerages have implemented online trading. Among firms with online trading, a further differentiating factor is whether they are a discount brokerage. A discount brokerage charges a reduced fee for executing a stock transaction, with financial advisory services available for an additional fee ranging from $32 to $45, which reflects market prices.

Issue With Fairfield's interest in demonstrating its "leading edge" as a large investment firm, Fairfield must compete in the market by allowing trades to be executed by electronic devices. However, because of the limits of its current technology and business practices, fully implementing trading by electronic devices exposes it to risk. Today the firm takes customer orders only by phone and relies on public online research for market information from exchanges around the world. To integrate electronic devices for executing trades, an online trading system like those of E*Trade or Scottrade must be developed first, before a mobile device system is implemented.

Four risks of implementing trades by electronic devices Fairfield should consider four risks involved in implementing trades by electronic devices, which include mobile, tablet, and computer devices. These four risks, which affect both Fairfield and its customers, are heavy reliance on technology, vulnerability of customers' personal devices, fraud, and financial risk.

Risk of heavily relying on technology The Internet will be heavily relied upon to conduct much of the trading activity, and it is subject to interruptions and network instability. Technology operations can be disrupted by human error, natural disasters, power loss, computer viruses, spam attacks, unauthorized access, and similar events. Disruption or instability of the technology, or of the external technology that lets customers use the products and services, could harm the firm's business and its reputation. In addition, the technology systems, whether Fairfield's own proprietary systems or those of third parties on which Fairfield relies to conduct portions of its operations, are potentially vulnerable to security breaches and unauthorized use. An actual or perceived breach of the security of the technology could harm the firm's business and its reputation.

Financial Risk
Choosing to be an online trading firm or a traditional full-service trading firm can have a major impact on revenue. An online platform would require Fairfield to become a discount brokerage firm, as that market is very competitive: online firms like E*Trade and Scottrade offer customers fees ranging from $7 to $9.99 per stock order, although traders then work independently without a broker’s help. Full-service firms like UBS have very high commission fees and investment requirements for their customers; a typical full-service firm like UBS can cost a person with at least $25,000 invested fees ranging from $110.87 to $1,250.00. Fairfield must decide which platform to go with. Changing from a full-service brokerage firm to an online discount firm could lower its current revenue because of the steep price change.

Risk of vulnerability of our customers’ personal devices
Vulnerability of the customers’ mobile, tablet and computer devices could lead to significant losses related to identity theft or other fraud, and it could harm the firm’s reputation and financial performance. Because this business model relies heavily on customers’ use of their own personal computers, mobile devices and the Internet, the firm’s business and reputation could be harmed by security breaches affecting customers and third parties. Computer viruses and other attacks on customers’ personal computer systems and mobile devices could create losses for the customers even without any breach in the security of Fairfield’s own systems, and could thereby harm the firm’s business and its reputation.

Risk of fraud to the customers
Investors who engage in online trading, even though research and stock analyses are readily available via the web, are at risk of fraud without the help of a broker or investment planner. The chance of fraud is much higher if the investor conducts independent online trades without the knowledge and experience in finance needed to recognize fraud. Fraudsters have taken advantage of this, leading to several notable methods of defrauding investors. These include:

• Pump-and-dump schemes - People spread the word about a supposedly good stock via online message boards, online stock newsletters, email and other methods. The resulting interest in the stock drives up the price. The organizers of the scheme sell their stocks for a huge profit, and then stop promoting it. The price plummets, and investors lose money.

• Fraudulent IPOs - Some investors like IPOs because they provide a chance for an early-mover’s advantage and to make a substantial profit. Some scammers, though, spread the word about an upcoming IPO for companies that never intend to go public or that don't exist. Then, they abscond with the investor's money.

• Fraudulent Over-The-Counter (OTC) stocks – Con artists promote stock in companies that do not exist or start a pump-and-dump scheme for an OTC stock. After investors buy stock in non-existent companies, scammers simply take the money and run.

• Fraudulent company information - Publicly traded companies have to release information about financial performance. Overstating or misrepresenting a company's goals and achievements can drive up the stock price.


Considerations and Recommendation

Trade By Electronics Considerations

Commissions and Fees
The online trade industry is very competitive. Companies like E*Trade or Scottrade spell out their commission and various fees on their website. This industry-wide practice makes online trading very competitive. Fairfield will have to disclose its commission and fees in order to compete with the top online trading firms.

Customer Service
Customers may request the help of an expert once in a while, whether it is asking a question about ADR fees, how to place a specific type of trade, or figuring out what an icon in a toolbar does. Many brokerage firms offer a variety of support channels including phone, email, online knowledge bases, FAQs, customer forums, and online chat. Customer support representatives must keep in mind that unhappy customers are more likely to complain than happy customers are to give praise, so representatives must ensure proper wait times, attitude, and effectiveness of responses across the support channels.

Platform Tools
Every online trading platform offers its own unique set of functionality. Whether the customer is a new trader or a long-time veteran, the trading platform should streamline the tasks that the trader performs most often. If a customer trades a lot of option spreads, it is much easier to right-click a specific contract and select “Sell Iron Condor” than to buy and sell the four legs individually. Release notes can be especially helpful in pointing out new functionality, and are also a good gauge of how much effort the development team is putting into adding new features versus fixing bugs from previous releases.

News & Research Data
Even if a customer’s approach to trading is primarily technical in nature, it can be helpful to have easy access to current news articles, company fundamentals, and other data beyond price and volume.

Integration with Tax Software
One of the most burdensome aspects of trading frequently is dealing with the tax consequences. For a customer who prepares his or her own taxes using a package such as TurboTax, he or she can save an enormous amount of time if the platform is able to export all of his or her trading activities as a CSV or TXF file that can be imported into the tax package.

Recommendations For Executing Trades By Electronic Devices
Real Time Advisory recommends that Fairfield allow trades to be executed using electronic devices. Fairfield must keep in mind that trading by electronic devices, which requires an online platform, is riskier in its pure form than its current traditional trading system. By putting risk-reducing and risk-eliminating controls in place, Fairfield can bring that risk within its risk appetite. Proper management of these external controls is also needed to ensure secure operation.

Risk of heavily relying on technology
Leading institutions recognize that an appropriate defense requires a coordinated effort among corporate groups, with a focus on security, privacy, fraud prevention, and records management (PwC Mobile Banking App Security, 2012). Integrating security into the application development process will significantly reduce the overall likelihood of identity theft and data breaches. During development, developers must ensure that secure coding practices are in place, and periodic testing should be performed on the technology to identify vulnerabilities in the system.

Financial Risk
Allowing flexibility in customer accounts and assistance is the first step in minimizing financial risk. Fairfield is at high risk if it switches to a completely online trading system: revenue from the fees and commissions earned on trades under the current traditional system will decrease significantly once it adopts the market-driven prices of online trading firms. Fairfield can mitigate this financial risk by allowing certain account types to be online-based while other accounts stay traditionally serviced. A prime example of this business model is Charles Schwab, a hybrid online trading firm: it implemented stock trades on an online platform, but kept certain investment accounts, such as foreign exchange accounts, advisor-assisted.

Risk of vulnerability of our customers’ personal devices
There are three technical safeguards, which should support all major mobile device platforms, that will help eliminate or reduce the vulnerability of customers’ mobile devices. Customers should also be aware of the security of their cell service and network connectivity such as WiFi. Safeguard one is encryption, which requires a third-party email-only encryption solution to support devices that cannot enable full device encryption. Safeguard two is a reset function for phones and tablets that is triggered when a foreign response occurs on the device, such as failed login attempts or remote commands. Safeguard three is that Fairfield’s enterprise mobility management (EMM) system should provide central control of device security policy, such as passwords and device encryption. Fairfield must also look into a loss reimbursement guarantee, which reimburses customers for losses caused by a breach of the security of their own personal systems. Such reimbursements could have a material impact on Fairfield’s financial performance.

Risk of fraud to the customers
There are many ways a fraudster can be dangerous. Fraud can occur on any platform that aggregates news; popular online channels such as spam emails, social media, and uncertified or replicated websites are all ways that fraud can happen. Fairfield can help prevent the four types of online trading fraud listed in the risk section of this report by providing a secure news feed within its mobile device functionality, or by providing customers with a resource list of trusted news streams. Such a resource list can take the form of items listed on a page of Fairfield’s website, or Fairfield can establish an independent forum where customers share opinions and resources, with constant monitoring for fraudulent advice or unsecure links to other sites.

Ethics & Compliance

Ethical considerations
There are several ethical considerations that Fairfield needs to pay attention to when dealing with mobile devices, from both the company-to-employee and the company-to-client perspective. At Fairfield, employee privacy can become an ethical dilemma, especially under a BYOD strategy. Given the nature of the financial industry, financial firms, and Fairfield in particular, handle a great deal of confidential customer information, so the company needs to implement a way to keep client information confidential. However, if the client data protection program goes too far, the company can end up intercepting employees’ personal information and intruding on their privacy unintentionally.

Also, when the company changes direction completely from its BlackBerry program to 100 percent BYOD, it will create a problem for employees who do not want to follow a BYOD policy or cannot afford a mobile device that the company’s management system can support. Therefore, even though the company can probably save costs with the new strategy, employee retention is another key point to consider when implementing it.

Since employees use mobile devices for both business and personal purposes, the company must also be aware of abuse of device usage. Because the devices are personal, they can be overused for personal purposes. A strategy proposed to make work easier for employees and increase productivity can thus raise an ethical question about how much personal use is considered appropriate. It ultimately depends on the employees’ work ethic how much time they spend on personal matters using their own mobile devices.

In a heavily regulated industry like Fairfield’s, where confidential information is extremely important, employees may accidentally trigger malware activity that leaks or even destroys the company’s confidential information. Also, without clear reporting structures, employees who unintentionally download malicious applications may fail to report the incident, which can create unanticipated threats or hazards to the security or integrity of customer records and information. All of this can eventually damage the company’s reputation. Moreover, jailbroken devices can be more vulnerable to hackers and viruses.

Compliance Issues
We recognize two types of compliance that Fairfield should address when implementing the new BYOD strategy: organizational and financial compliance.

Organizational Compliance
For organizational compliance, we consider these specific areas: governance, network security, personal privacy, logical access, and device security. For governance, it is important to keep in mind how adequately the company’s policies define acceptable usage. Employee compliance depends on having controls in place internally to prevent the misuse or loss of corporate information, and internal groups that monitor and oversee enforcement of those controls. Network security and personal privacy are more on the information systems side: they concern how the information system and the confidential information it holds are protected, and how the IT strategy and security policies are designed and implemented to align with user needs and business requirements. Even though client data is important, the company also needs to consider its own employees’ privacy. It is important to be able to distinguish business data from personal data, and responsible personnel need to perform due diligence to make sure that employees’ privacy is respected. When the company requires control over employees’ activities, there is a fine line between control and intrusion. Logical access and device security come down to the physical devices that employees bring to work: the concern is devices that are not in compliance gaining access to the network, internal applications or databases, and what needs to be done when a physical device is stolen or lost. These organizational compliance efforts should focus on data encryption, user authentication and user-rights validation.

Financial Compliance
For Fairfield, in the financial industry, there are several critical regulations to pay attention to when applying the BYOD strategy, covering privacy, the compliance program, supervision, record keeping, and advertising. First, under Rule 206(4)-7 and Rule 38a-1 of the Investment Company Act of 1940, investment advisers and investment companies respectively are required to adopt and implement written policies and procedures reasonably designed to safeguard and keep private client records and information. For supervision, NASD Rule 3010 requires firms to establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable federal securities laws and FINRA rules. These rules go hand in hand with the Gramm-Leach-Bliley Act and Rule 30 of Regulation S-P, which apply to any company or organization that collects consumer financial data and require that the data be protected by effective internal controls. All of these regulations ensure that a control or set of structured policies is established to protect clients. For an investment management company like Fairfield, the BYOD strategy will give employees more freedom to access confidential client information. If the controls are not strong enough, the company faces a very high fine, which in some cases can cause bankruptcy. That was the case for Lincoln Financial Securities, Inc. and Lincoln Financial Advisors Corporation, which had to pay $600,000 for the lack of a simple control (“Compliance Solutions for Mobile Device Computing: A Practical Guide for Compliance Officers”, 2012): they had failed to implement a password management and anti-virus protection program. One further important regulation is the Sarbanes-Oxley Act, which requires the chief executives of publicly traded companies to validate the accuracy and reliability of financial statements and other information. With mobile devices, employees can manipulate data in ways that later affect public trust in the company, so when considering Sarbanes-Oxley, Fairfield will need internal controls that govern the creation and documentation of the information in its financial statements.

Under Advisers Act Rule 204-2(a)-7, investment advisers must maintain certain written communications, including originals of all communications received and copies of all communications sent relating to their business. NASD Rule 3010(d)(3) requires retention of the business-related correspondence of registered representatives. According to the SEC, it is the content of an electronic communication that determines whether it must be preserved. These rules were in place before technology changed the way companies do business and communicate with clients, and mobile devices, especially smartphones, are now used to send and receive emails and texts to clients. Therefore, even as technology becomes involved in every aspect of the business, these rules still apply, and businesses need to look carefully at how implementing the new mobile device strategy affects their compliance position with these record-keeping rules. Given that employees, especially advisors, will want to bring their own tablets for presentations to clients, the company also needs to pay attention to the relevant advertising regulations: NASD Rule 2210(b)(2), NASD Rule 2211(b)(2), and Advisers Act Rule 204-2(a)(11). These rules generally require firms to keep records of institutional sales material for a period of time. Fairfield needs to ensure that advisors base these presentations on correct information, to prevent false impressions that could affect clients’ decisions. Furthermore, Fairfield’s compliance officers should be mindful that states may have adopted other applicable laws as well. For Fairfield’s office in California, it should consider California SB 1386, which requires entities or individuals doing business in California to notify state residents when unencrypted personal information is reasonably believed to have been compromised. With this specific requirement, Fairfield needs to focus on policies that protect the data and control how it is used on personal devices. For a company like Fairfield, which is growing and opening many offices nationally, it will be beneficial to keep in mind all the state regulations that may affect the business.

Appendix

Sample Policies
The use of a mobile device for Fairfield business is a privilege granted to employees through the approval of their management. Fairfield reserves the right to revoke this privilege if users do not abide by the policies and procedures set forth below. To qualify for the BYOD program, the employee must register for a verified phone service that offers an unlimited data plan, and the device must pass the background check performed by Fairfield’s IT department. Once the device is registered for the Fairfield BYOD program, the owner of the device must comply with the following rules:

1. Complex passwords must be configured on the device. The password must be a minimum of six characters and contain at least one letter or number.

2. Passwords must be changed every 90 days. The new password must not be the same as any of the previous four passwords.

3. Jailbreaking, rooting, or any malware activity involving a device registered under the BYOD program is strictly prohibited. Violations may result in immediate termination.

4. The owners of devices under the BYOD program are responsible for reporting immediately when a device is lost, stolen, or under malware or spyware attack.

5. The owners of devices under the BYOD program must allow the backup program to run on their devices every day, and must report any error that occurs during the process in a timely manner.

6. The owners of devices under the BYOD program may not sell their devices without the permission of management. Before any sale of a BYOD device, the owner must notify the IT department and get approval from their manager. The device must go through a full restoration and be certified by the IT department that no business-related data remains on it.
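The three technical safeguards from the recommendations section and the sample BYOD rules above can be enforced as a single device-posture check run by the EMM. The following Python is an added example written for this page; it is not the report's or Fairfield's own code. It applies the thresholds the report states (six-character minimum, 90-day rotation, no reuse of the previous four passwords, daily backup). The failed-login threshold of ten, the device record layout, and the action names are assumptions, and the device records are constructed sample data.

```python
"""Added example (not the report's own code): checking a registered BYOD
device against the sample policy rules and the three technical safeguards
from the recommendations. Numeric thresholds follow the report where it
states them; MAX_FAILED_LOGINS and the record layout are assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date

MIN_PASSWORD_LENGTH = 6      # sample policy rule 1, as written
PASSWORD_MAX_AGE_DAYS = 90   # rule 2
PASSWORD_HISTORY_DEPTH = 4   # rule 2: must differ from the previous four
MAX_FAILED_LOGINS = 10       # assumed threshold for safeguard two (reset on failed logins)
REPORT_DATE = date(2013, 4, 5)  # the report's date, used as "today" in the sample run
ACTION_RANK = {"allow": 0, "restrict": 1, "block": 2, "wipe": 3}  # precedence of outcomes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored history never contains plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def password_meets_complexity(password: str) -> bool:
    """Rule 1 as written: at least six characters, containing at least one letter or digit."""
    return len(password) >= MIN_PASSWORD_LENGTH and re.search(r"[A-Za-z0-9]", password) is not None


@dataclass
class DeviceRecord:
    """Assumed EMM record for one enrolled device (constructed layout, not Fairfield's)."""
    owner: str
    encryption_enabled: bool
    jailbroken: bool
    failed_logins: int
    password_set_on: date
    last_backup: date
    # (salt, hash) pairs, most recent first; index 0 is the current password
    password_history: list = field(default_factory=list)


def rotate_password(record: DeviceRecord, candidate: str, today: date) -> str:
    """Apply rules 1 and 2 to a password change. Returns 'ok' or the reason for rejection."""
    if not password_meets_complexity(candidate):
        return "rejected: does not meet the complexity rule"
    for salt, old_hash in record.password_history[:PASSWORD_HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(candidate, salt), old_hash):
            return "rejected: matches one of the previous four passwords"
    salt = os.urandom(16)
    record.password_history.insert(0, (salt, hash_password(candidate, salt)))
    record.password_set_on = today
    return "ok"


def evaluate_device(record: DeviceRecord, today: date) -> dict:
    """Posture check the EMM would run at enrolment or sync (safeguard three).
    Returns the strongest action warranted and every policy violation found."""
    violations = []
    action = "allow"

    def escalate(new_action):
        nonlocal action
        if ACTION_RANK[new_action] > ACTION_RANK[action]:
            action = new_action

    if not record.encryption_enabled:
        # Safeguard one: fall back to the email-only encryption path instead of full access
        violations.append("full device encryption unavailable (safeguard one)")
        escalate("restrict")
    if record.jailbroken:
        violations.append("jailbroken or rooted device (rule 3)")
        escalate("block")
    if (today - record.password_set_on).days > PASSWORD_MAX_AGE_DAYS:
        violations.append("password older than 90 days (rule 2)")
        escalate("restrict")
    if (today - record.last_backup).days > 1:
        violations.append("daily backup missed (rule 5)")
    if record.failed_logins >= MAX_FAILED_LOGINS:
        # Safeguard two: repeated failed logins trigger a reset of the device
        violations.append("failed login threshold reached (safeguard two)")
        escalate("wipe")
    return {"action": action, "violations": violations}


def make_sample_device(enrolled_on: date) -> DeviceRecord:
    """Constructed sample record for a compliant device enrolled on the given date."""
    record = DeviceRecord(owner="sample.user", encryption_enabled=True, jailbroken=False,
                          failed_logins=0, password_set_on=enrolled_on, last_backup=enrolled_on)
    if rotate_password(record, "Spring2013", enrolled_on) != "ok":
        raise ValueError("sample password should satisfy rule 1")
    return record


if __name__ == "__main__":
    device = make_sample_device(REPORT_DATE)
    print(evaluate_device(device, REPORT_DATE))
    print(rotate_password(device, "Spring2013", REPORT_DATE))  # reuse of the current password
    device.failed_logins = MAX_FAILED_LOGINS
    print(evaluate_device(device, REPORT_DATE))
```

The password history is kept as salted PBKDF2 hashes, so the reuse check never needs a plaintext password, and the action precedence (wipe over block over restrict) mirrors the safeguards: a device that cannot enable full encryption is restricted to the email-only encryption path rather than blocked outright. The thresholds are module constants, so rule 1 can be tightened later without touching the logic.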

Online Trading Policy
1. For any kind of online transaction made by Fairfield’s clients, they must e-sign to agree that the actions they perform are their own responsibility and that Fairfield is therefore not responsible for any results caused by the clients’ trading actions.

2. Clients are responsible for reporting any malware, spyware, or fraudulent activity to Fairfield’s IT Department immediately.

3. Any fraudulent activity is strictly prohibited. Fraudulent activity will be pursued under the relevant civil and criminal laws and will not be tolerated.


Works Cited
"2012 Investment Company Fact Book." 2012 Investment Company Fact Book. N.p., n.d. Web. 05 Apr. 2013. <http://www.icifactbook.org/fb_ch6.html>.
"A Survey of Mobile Malware in the Wild." International Journal of Computer Aided Engineering and Technology (n.d.): n. pag. Web.
Chu, Kenny. "Consumer Mobile Device Security Management October 2011." AAMC Group. N.p., Oct. 2011. Web. 4 May 2013. <https://www.aamc.org/download/262240/data/>.
Ernst & Young, LLP. Bring Your Own Device: Trends and Audit Considerations. Publication. Sifma.org, 4 Oct. 2012. Web. 15 Mar. 2013. <http://www.sifma.org/uploadedfiles/societies/sifma_internal_auditors_society/bring%20your%20own%20device%20trends%20and%20audit%20considerations.pdf>.
Garcia, Jorge. "Mobility, Security Concerns, and Avoidance." Www.technologyevaluation.com. Technology Evaluation Centers, n.d. Web. 05 Apr. 2013.
IT Policy Compliance Group. Managing the Benefits and Risks of Mobile Computing. Rep. ISACA.org, Dec. 2011. Web. 20 Mar. 2013. <http://www.isaca.org/Knowledge-Center/Documents/Managing-the-Benefits-and-Risks-of-Mobile-Computing-ITPCG-Dec2011.pdf>.
"Online Stock Trading Review." 2013. N.p., 2013. Web. 05 Apr. 2013. <http://online-stock-trading-review.toptenreviews.com/>.
PwC. "PwC Mobile Banking App Security." PwC. N.p., Apr. 2012. Web. 3 May 2013. <http://www.pwc.com/us/en/financial-services/publications/viewpoints/assets/pwc-mobile-banking-app-security.pdf>.
UBS Financial Services. "Equity Commission Amounts." UBS. N.p., n.d. Web. 3 May 2013. <http://www.ubs.com/content/dam/static/wmamericas/commission_schedules.pdf>.
Wilson, Tracy V. "How Online Trading Works." HowStuffWorks. N.p., 2013. Web. 05 Apr. 2013. <http://money.howstuffworks.com/personal-finance/online-banking/online-trading1.htm>.
Zipfel, Krista S. Compliance Solutions for Mobile Device Computing: A Practical Guide for Compliance Officers. Rep. Advisorsolutionsgroup.com, Jan.-Feb. 2012. Web. 18 Mar. 2013. <http://www.advisorsolutionsgroup.com%2FDocuments%2FCompliance_Solutions_Mobile_Devices.pdf&ei=0ZFfUdXnNunA0gGmtYGwCw&usg=AFQjCNGOtrwBXSXVFC8T78THWEvMAiqgVw&sig2=qs0YXdyJv_2_wsedUfoznQ>.