Americans were rightly jolted last summer upon learning of the Equifax hack that compromised the data of nearly half of America, giving hackers access to sensitive information such as social security numbers, mothers’ maiden names, and in some cases, even estimates concerning the amount of assets that each individual owns.
The safeguards necessary to protect electronic data of customers will deservedly occupy the attention of regulators in the coming years, as it is the type of harm that is easy to ignore—from the point of view of the data custodian, there is no immediate business payoff to protecting data and the risk of hacking seems like a remote possibility.
In much the same way that Chipotle didn’t fully appreciate the need to take extreme caution with food preparation until after a disaster left its reputation for internal controls in tatters, brokerage houses and financial institutions may be slow to appreciate the importance of internal controls because they are a net cost to the company and institutions are rarely rewarded for avoiding bad things.
As a general matter, well-run businesses have three choices about how to deploy retained profits or other funds available:
- Make the core product better, either by making it cheaper, more convenient, or of a higher quality.
- Advertise the product or service so that more customers can become aware of its existence and seek it out.
- Solidify the internal controls so that the “ship doesn’t go down.” In the best case scenario, the present status quo can be maintained. The whole point of these exercises is to better prepare Captain Smith for when the iceberg approaches.
The third option, improving internal controls, is often the least satisfying of the potential sources for business funds. Making a product better is more satisfying because it deserves to lead to more money. Advertising can be enjoyable as well because an idealized version of the business’ efforts is presented to the public. But strong internal controls are intangible: very few corporate executives go to bed saying a quick prayer that their cloud did not get hacked in the past 24 hours.
The unfortunate part of internal controls is that they are like oxygen: you don’t notice them when they are there, but when they are cut off, there is nothing in the world that is more important.
Back in the 1990s, brokerage houses would charge $100-$300 for trades of a hundred shares. The brokerage houses were rolling in the dough! As a result, they could dedicate the proper resources to internal controls because the 1990s flavors of risk were easier to address and there was so much money for improved platform software and TV ads that internal controls got funded whether they were a priority or not.
Now, the economics for brokerage houses have moved in the direction of focusing on low costs, costs, costs. Vanguard lets you buy mutual funds with a 0.1% expense ratio, and discount brokerage houses like Schwab let you buy and sell securities for $4.95 per transaction. Other brokerage platforms have followed suit, either matching these prices directly or offering an approximately equal alternative.
This business now relies on razor-thin profit margins and hopes to earn large volumes to offset this departure from the profitable norms of the past (or relies on other products, like trust fund administration and annuity assistance, as the source of the “real” profits).
My concern is that, as the industry is not drowning in profits in the way that it used to be, and as discount brokerage houses dedicate significant amounts to advertising because of the crowded nature of the competition, spending on internal controls will likely suffer. Paying dirt-cheap commissions does not logically seem to support heavy investment into internal controls.
If you as a customer are concerned that low-cost commissions have resulted in underinvestment in a brokerage house’s internal controls, you have two remedies: (1) you can take the Walt Disney approach of using many brokerage accounts and shuffling them and reshuffling them throughout your life so there is no single pot of gold in one spot that can be plundered; or (2) you can use old, stodgy credit unions with no online access and small deposit bases as these institutions are likely too small to catch the attention of hackers.
Either way, I do not believe that Equifax is the last of the major hacks affecting a financial services company. There are too many businesses in this industry that are earning scant profits and using nearly all of their available cash to roll out advertising campaigns to have conviction that internal controls are being robustly funded.