Raj Udeshi invokes 'Theranos' fraud in testy exchanges over data collection with Envestnet's Bill Crager and Jud Bergman at Tiburon CEO Summit

I think it's pretty clear to me what's going on here. The question of "who's data is it anyways?" is the valid one that each and every industry is going to grapple with over the coming years. From my perspective, the data is that of the end client - not the advisor, not the custodian's and certainly not 3rd party partners. If 3rd party partners want to aggregate a client's data along with others and sell it - then they should have to get direct approval from the client and possibly compensate them for that. That's the way it's meant to be. Period. Full stop.

Brian, I got sort of left in the dust in this debate when data got parsed into individual data and de-individualized data. Ahead of the publication of this article, I never quite got clear on what the difference is and how the ethics flow in that spectrum. -Brooke

Hi Brooke - here's how I suspect it works...let's use company "X" for the discussion to generalize. Basically if I'm company X and have access to client data I would have a hard time justifying selling the data for Client 1 or 2 individually. That would clearly be violating the privacy of each individual client. So instead, I remove all names and aggregate all the data together using different metrics....say all clients of a certain age...all clients of a certain net worth, all clients in a particular geography...all clients in a particular geography with a certain net worth. I then sell that data. So I've "de-identified" particular clients but are then selling characteristics of the entire dataset. That allows me to claim that I'm not violating anyone's individual trust, and hence don't need to disclose anything. Company X then has a new revenue source based on data sales to 3rd parties. This gets tricky, because if you boil your search query down enough you feasibly could access the data of an individual client...for example, all clients in a particular zip code of a certain age and income might drop the meaningful "aggregation pool" down to a small number of clients - perhaps just 1.

This is an interesting topic and one financial services needs to get ahead of. With that said, it is a very difficult area with all sorts of land mines. Brian, your comments are very logical. But honestly, consumers for years have willing given away their data in order to get cheaper or free services. It would be hard to argue that anyone using Facebook, Google or 1000's of other services don't know that those companies are generating lots of money from their data. And although lots of lip service complaining about, we are really trending towards people just accepting it. Also, any firm that aggregates data should have all sorts of safeguards in place that would not allow you to query down to that small of a pool, no matter how specific your query is. So that really should not be an issue. With that said, Financial Services is really built on trust, it is not Facebook and people want to feel secure in their data. I believe their is a middle ground that exists, but it will take clear leadership to define and enforce that. I think discussion such as this are good for the industry.

Jim - who's data is it? No disrespect, and I do understand that we've been "trending towards people just accepting it" for years. That doesn't make it legally right as Facebook and Google are finding out. So, I ask you - who's data is it? I say all personal data is that of the client. I say additionally that all transaction data is that of the client as well. Can we agree on that - or not? Now, I suggest that in such an environment advisor, custodian and/or 3rd party provider(s) have 2 options - explicitly ask end client for use of that data (with or without renumeration to the client), or deciding to withhold service to client's who don't agree to sharing their data. Actually pretty simple. The problem I think we get into is with regards to who's data it is? I think there is a case to be made that "de-identified" data created and owned by advisor, custodian or 3rd party may be justifiably there's to do so as they see fit; but it would be much more straightforward (and legally defensible) if client's acknowledged this.

Brian: I don't have a pony in this game, I don't collect data that I use or sell. With that said it is naive to say clients own their data when they literally give their data away hundreds of times. Whenever you use your credit card, your cell phone, your email, your Alexa, when you shop on line, etc. etc. etc. you are giving away your data. It is hard then to come back and say well here I don't want to do that here and you need to pay me. It is just not going to happen. Our whole society and economy is changing on these lines and it is pervasive everywhere. And while there is a lot of bad, there is a lot of good that is coming out of that too. You need to stay in the lines (as Facebook really needs to figure out) which is why you need good leadership (thought and actual). But this issue is not going away and there are a lot of benefits to it if it can be managed correctly.

Brian: I realized I didn't answer your question and you won't like my answer. I may not agree this is the way it should be, more the train as left the station and there is no way to bring it back. No, you no longer own your own data. You don't, I don't. When you start digging into the world of big data, it is shocking the volume of data that is being generated, collected and used, most of it on some level would be considered personal data to somebody. The explosion of IoT, sensors, cameras, facial recognition, voice recognition. Your data is being collected and used on some level at a mind boggling rate, arguably with data that is far more personal than your financial transactions. I am saying financial services would benefit from embracing, defining and putting parameters around then trying to hide from it, because honestly there is no hiding from it any more and you are always better if you control the conversation versus not.

Jim and Brian, You really zeroed in on where the fault lines lie. What exactly does holding title to data look like and can data about individuals be completely de-individualized? Is erring in one direction or the other a net positive? Brooke

Brooke: Interesting questions. I have no idea what holding title to data in today's world would look like, that was kind of my point. There is so much of it and it is everywhere, virtually no one can hold title to any of it. I don't think I would say you can completely deindividualize data. You can come close. But even if you do a great job, there are probably really smart people out there working on ways to do deindividualize it for nefarious reasons. A risk we are taking. I think your last question is the most interesting. I think we focus a lot on the negatives, and there are a lot of negatives to focus on. But there are a lot of positives too. My initial reaction is no, there is not a net positive in either direction. Individual areas would definitely have a net positive on one side or the other, but overall I guess I fall in the middle. As an example, I made a conscious decision to share my dna on 23 and me. That gave them a lot of really personal data that could be used to harm me. It also gave me data I wanted. I have big holes in my family history so the reports were fascinating to me. I also know the data gathered can have really positive impacts on mankind as a whole. So I weighed the good and the bad and decided to do it. I think that may define my position as well as anything.

Jim, On the lighter side, you brought us back around to the Theranos moment with the testing of your blood (or other bodily DNA farm), though presumably 23 and me has real results :) Brooke

Jim...yes, I've been reviewing your 23 & me data. You're right, there's a lot that we can use there! All kidding aside - I can see both sides of the debate and have presented the one I'm most favorable towards, which is clients owning their data and explicitly providing access to that data to 3rd parties for specific uses. That said, there is a wide range of possible outcomes and already blockchain based technologies being developed to address just these types of issues. Ultimately it comes down to disclosure and allowing users to opt-out - even from having their data used in "de-individualized" data sets. How that gets sorted out monetarily is a separate item. So, in answer to Brooke's questions: Holding title will likely be handled by one or more blockchain technologies. User can probably tune what data is provided to whomever they'd like for whatever compensation they'd like. so I don't necessarily believe "the train has left the station". I'd say the train is in the station. I don't know whether individual client data can be effectively "de-individualized" but fear the risk isn't so much the de-individualized data, but theft of original data sets. Again, I can see both sides to the discussion and am just giving my opinions here.

Seems like our Industry should take a similar approach to Facebook and ask for regulations. Unfortunately we might claim to be conflict free as a shield. We need clear regulations not grey ones we can hide in the gray.

Brooke, I think we have given you a couple more article ideas. Brian. I don't think we are as far off as we seem. I actually agree the customers give lip service to wanting what you say. It sounds good. The problem is their actions speak differently. As another example, their is probably far more private data in our inbox than in our brokerage statement. There are email services that caterer to those saying they want their data private. For $20, $25 month you can have an account that doesn't scan your email, extract data and then sell it. Yet those services barely registered on number of accounts. Everyone says why should I pay that (very relatively small amount) when I can have gmail for free. If you push them, they will even say they like that their flights and hotels automatically get pushed to their calendar, that the system will auto fill the second half of their sentences (machine learning uses large datasets of anonymized data to "learn" to do this) and even don't mind that the ads are more customized to their needs if they have to have ads. Consumers say one think but act different. Where this presents a challenge to financial services is if we follow what they say, set up a system like you describe, they will say they like it. But then let's say Google rolls out a full service RIA, that uses data to all sorts of cool things, sells the data to pay for the service and then offers it for free to customers as long as they opt in(doesn't exist today, but is not that unrealistic). I promise you people would flock to it and then we would be scrambling to remove barriers that won't allow us to compete. That is the risk. Why it is better to have a well thought out plan that is somewhere in the middle, gives some protection of the data, but also some flexibility to use it they way everyone is using it.

Yes, Raj did rudely confront Kellyanne Conway at the Market Counsel Conference. You omitted the part where her reply and made him sit down sheepishly with his tail between his legs. Yes, I was there.

Facebook + Amazon, and the buyers of their user data do not have to comport with fiduciary duty to end clients. Fintech platforms serving RIAs absolutely do. It's a level beyond those - to answer what is in the best interest of the client, surely it's not selling their data, even bundled up, even with safeguards.

John, that is an excellent point, but it actually reinforces what I was saying about needing more clarity and thought leadership on this. As a fiduciary, selling client data, without disclosing that for profit would be a clear violation. However, what if your custodian is using large anonymized datasets that includes your client data to develop a better fraud detection system? You are probably ok (which is good because this is most likely happening) because it is for the benefit of the client. What if because of this, your custodian gets significantly better, fraud instances go way down and your E&O carrier reduces your premium. Could someone argue that you used client data, without disclosing it to indirectly increase your profits. If so, that would be textbook example of violating fiduciary duties, but in truth it is not either. My whole point here is that this sounds like an easy topic, data privacy for clients but at the end of the day there is a lot of devil in the details that really needs to be worked out. If you want a truly crazy example, I will use your siting of the big companies not having a fiduciary duty. What if you as a fiduciary play a role in them getting the data, even if it is completely innocent. You email your client saying your are looking forward to meeting with them next week to discuss their college funding plan. Google scans that email (because the client has a gmail account, not you) and sells information so that the client starts getting ads for Universities and SAT prep courses. You disclosed "private" information being they have a college fund that someone else used to make money. What if on top of that you own Google stock in a personal account of yours. No one would question that, but in truth you shared data with someone who made money on it and then a very, very small fraction of which came back to you. Also, as a fiduciary you can disclose that you are selling data for a profit and legally do it. I wouldn't recommend this, but I will also say that if someone did and really offered good value to the client (my example earlier of Google doing it for free), clients would sign up for it. Not all, but a lot and you could be competing against an RIA that is charging clients nothing and making their money from the clients data.

You bring up some interesting aburdities - where does fiduciary duty end? It's really about bad incentives and whose getting compensated. The real Theranos in financial services was Wells Fargo - and it was just about these perverse incentives creating a toxic climate based on hidden payouts. Age old story and we got there without without fintech even.