By Sarah Sutton, Jay Donlin, Buddy Doyle and Jeff WilkShare Article
Starting Your RIA – Choosing Your Tech Stack
Technology platforms impact nearly all aspects of your business, so selecting the right technology for your RIA is more than just choosing a custodian. Oyster’s experts discuss defining what your firm needs, designing your technology processes around your business processes, and vendor due diligence, as well as other things to consider.
Libby Hall: Hi, and welcome to today’s podcast. I’m Libby Hall. And with me are Oyster CEO, Buddy Doyle and consultants, Sarah Sutton, Jeff Wilk, and Jay Donlin. As part of our series on starting your own investment advisor, we’ll be talking about the importance of your technology stack. Where do you start and what are the things that you need to be thinking about as you decide which technology to invest in? Let’s get started.
Buddy Doyle: Thanks Libby. We’re joined today again by Jay Donlin, Sarah Sutton, and Jeffrey Wilk to talk a little bit about selecting your tech stack. Jay, in our previous podcast, you’ve talked about how selecting your tech stack is pretty important to do, and that you probably want to sequence that before you select your custodian. Jay, can you give us a little more insight into that?
Jay Donlin: Sure, Buddy. We’ve talked a lot about just the number of tech providers in our previous conversations. FinTech providers in this industry now has exploded. And so it becomes a very important decision. Sometimes I feel it’s more important than the custodian. I think I’ve already said that before. Which kind of tools you want to deploy in your RIA, will they be accessible to clients as well, you know, in some sort of fashion, and how you just want to build out your operating model, what effects do you want to gain through use of technology and that sort of thing. So it becomes a pretty important decision, if not the most important decision, when you’re launching your RIA, to define what those products are you want to utilize.
Buddy Doyle: And Jeffrey, I know you do this for a living – selecting technology, helping clients implement that, along with Jay and others here. Any particular advice you have on how to begin that search?
Jeffrey Wilk: It’s a great question. And it’s kind of a classic build versus buy process a firm really needs to go through. And I think to at Jay’s points, really understanding your firm’s requirements at the onset is paramount. In terms of looking at a custodial relationship, first or a second, it’s really important. How can you pick a custodian when you are evaluating everything they offer, before really knowing what your own capabilities are to do it on your own, or what your desires are to do it on your own? Right? So, I do think you need to go through that process that kind of inner firm searching, soul searching, if you will, about your own business requirements and a number of other types of factors too.
Buddy Doyle: And I think if you look at the way you’re doing business today, whether you’re in a wire house or an independent rep firm, you’ve probably established methods that you like and things that you’d like to enhance. And so it is really important to design your technology selection process around your business process. And that sounds straightforward, but it’s amazing how many times we see people look at some software that’s got some sizzle to it and get excited and decide to invest in it. And it’s not just how it looks, it’s important. It’s going to be how it functions, and how it functions in the long term for you as well. So, Sarah, I know you’ve done a lot of compliance work recently with firms helping them get started and moving, but you’ve also been in the front office of an RIA and had to have those hands-on experiences with planning, with portfolio management tools, and client onboarding tools. How did you go about selecting technology in the firms that you were with?
Sarah Sutton: It’s always great to dream and to visualize and build, especially, when you’re starting or when you’re thinking about pulling the trigger and moving to an RIA and having your own business in practice. But the one thing you want to make sure is that you have the basics of what you need. So take what you have today, what you have to have going forward with your practice, and then making those decisions about what you can incorporate into your basic needs, then look at the wants. So one of the things that I believe that we tend to forget about is we think that, it’s tech, it’s just going to work. And one thing we have to keep in mind is there’s a lot of sharing of information back and forth between systems and technology. These are called APIs or system integrations. This is one thing that can get expensive. So you may have a system you love, it’s the newest feature that you want to incorporate into your practice, but it might not talk to the other systems that you already have or to your custodians. So it’s very important that you take that into consideration.
Jay Donlin: Sarah, let me jump in on that as well. I had a client that, they wanted to add a particular software vendor for CRM and talking to a custodian. And of course the vendor said, oh yeah, we integrate with this other custodian as well. But they didn’t integrate very deeply, it might have just been name, address or something. So it’s not just integration. You have to kind of get down into the weeds and determine how deep is the integration. Is it two-way, can you drive things to that custodian or do you only accept things from that custodian in regard to data? So those are all important decisions that you have to kind of flesh out, when you’re looking at a vendor as well.
Jeff Wilk: Hey Jay, let me just tag onto that comment too. A little bit. I think one of the important things that you’re both raising is the due diligence process. When looking at a potential vendor, one of the things I’ve frequently seen is that, well, how do you put this? I mean, all too often, I’ve seen individuals or even teams getting so comfortable with a particular vendor after only the going through a certain stage of the due diligence, or they’re relying on what a peer told them, that they may not go all the way through the tool themselves with their own criteria, thinking I’ve seen enough, this is great. I’ve heard it’s a great tool. And they stop as a result. They’re not truly discovering the full functionality of that tool. And in some cases, particularly compliance perspective, there may be functionality in there that they don’t want, or that they shouldn’t be granting broad access to because of the way they’re structured or maybe for licensing reasons, things like that. So by stopping short in their due diligence, they don’t see everything up front and it may become a big surprise later on, and it may not even be possible to customize, or there may be large additional costs to customize the tool then to restrict some of those things they missed in their due diligence. So people have to be careful too. They have to make sure that they’re doing their full and complete due diligence, not just getting to a point of comfort and then stopping.
Buddy Doyle: And I think when you do due diligence on these vendors, and of course, people do due diligence on us all the time. So we’re experts in giving and receiving due diligence based off of your experience. But, you know, fundamentally having the requirements document that lists out the things you’re trying to accomplish, and who is impacted by whether the functionality is there in the software or not, and what workarounds you might have, or a piece of software, all part of that build versus buy decision, where again, you get sort of enamored sometimes when you look at things and they’re really cool and the vendors can put on some really nice golf tournaments and things like that gets you excited. But what you really need to do, is make sure you understand what it is I need from this software. How much of it can I accomplish with this piece of software?
Do I need two pieces of software? Can I do some things manually? And that is a key component to the build versus buy decision that Jeffrey was talking about at the very beginning is, what is the total cost of ownership for this platform over a period of time? There’s a component. What’s that? What does it cost to build? What does it really cost to build and own, on an ongoing basis? And think about it like you would any investment in your portfolio, what’s your time horizon, what’s your budget? What’s your goals and objectives, and are you ready to hit those goals and objectives? And what happens when things go bad? Right? One of the things about software is you get really reliant on that software if it saves you a lot of time and improves your efficiency, but no software is perfect.
No software has been designed to perform in every scenario. And so, I think you also need to ask yourself what happens if that software isn’t there for a day? How do you know how that software is, is your information that you’re putting in that platform secure or not? And is that company going to be around? Do they have a cool piece of software and no financial balance sheet to last, if you are their only customer? And so I think that you really have a lot of things that you need to do. And one of the things that I’ve always done, in my past, is assemble a team of people that have technology expertise. They have the financial expertise to help do the calculations of build versus buy or buy one versus another with different parameters. And you need business people in to make sure that they are getting the functionality that they need.
And you also need your compliance and risk management people there, because it’s similar to building a home when you’re building your firm. There are certain building codes that it’s not your county inspector, but it is the SEC or the state regulators or somebody else that’s looking at you. And they’re going to make sure that you’ve followed those building codes of controls, supervisory controls, worm compliance, all those things have to go in there. And Jeff, how do you coordinate all those people and get them all to get to the same outcome at the same time so you can move forward?
Jeff Wilk: That’s often the biggest challenge, Buddy. But I think it starts right off the bat, with identifying who those folks are at the get go and assembling the team of all key stakeholders. And then keeping it together as a cohesive group throughout the entire process, putting a regular cadence in place with the types of documentation and meetings as well as the parameters that you just referenced is also critical. Everything from due diligence to an implementation plan, with strong feedback loops, if you’re currently working on other tools. A conversion plan is critical as well, but I think what’s paramount is that it really comes down to frequent, repetitive, consistent communications across the team that you put together on the first place.
Buddy Doyle: And Jay, I know you do this in firms, large and small, and it’s a different outcome, right? It’s a different process and a bit of a different outcome when you’re in large and small. These big wire houses, they have gurus, right? That do this. This is their only job that they do for a living. Some of those gurus can help you out, but they’re always going to be, if they’re at your custodian, working for the custodian. They want you to have a good experience, but let’s figure out who their master is. But any thoughts on that when you’re lifting it out of an independent rep firm, how you do that?
Jay Donlin: It takes a certain level of expertise to go through these processes, to know they’re all the right questions asked in order to get the answers you need. If you don’t have the experience in that type of work, you need to find somebody that does. It could be somebody else in your firm that you’re going to partner with, or someone else outside your firm. That individual, or group, needs to have a technology aptitude in order to own and walk through this process.
Buddy Doyle: And I think when you’re going through that process, you know, one of the things to keep in mind is not every platform might have the same level of criticality to your org organization. So, you know, if it’s a portfolio management trading platform or it’s something to help you deliver funds to your clients when they need it, right? Those are really, really important things to have and business continuity around those things, your RTO or recovery time objective on those should be very short. Um, but they do go down. It does happen. You hear about some of them in the press, and you don’t hear about some of them in the press. You don’t hear about most stone in the press. When you have a system outage at a, at a custodian at a RIA, uh, at a tamp, uh, it’s, it’s hit everyone. Uh, that’s ever been successful is to have a system fail.
Um, but I think that you’ve got to have a plan for, you got to have a backup plan for that, and you should probably have a backup to your backup plan for those really mission critical things, to make sure that you know how to do it in a less efficient way, just so you can get that accomplished if your wizards all, uh, die and go away. So, so that is a really important component and other systems, you know, things that you can use once a week or once a month to test or review or understand kind of how you’ve been performing. Those can be less critical. So think about the things that your clients need you’ve or immediately, and that should be something where your business continuity plan ought to be pretty pristine. And you should ask your vendors how they test what their redundancy looks like, and you should ask them about outages that they have had and what they did to resolve those. Sarah. I’m sure you’ve been through some outages as well. And, um, I’ve probably had customers on the other end of your, your phone that were a little distraught. Um, but any advice on business continuity planning, you’re, you’re you do a lot of our compliance work. So I know you we’re preaching to the choir here, but, uh, any, any thoughts you’d like to share?
Sarah Sutton: Yes, Buddy, I’ve definitely had firsthand experience with technology issues. An IT vendor is one of the integral parts of a practice, especially on the RIA space, because you are more than likely not going to have the larger entity-based IT support that you’ve had in the past. So, choosing your IT vendor is crucial. I would say it’s one probably one of the most important decisions that you’ll make. It also incorporates, you know, what level of support you’re getting from them. It’s not something to go cheap on. It’s something to make sure that you investigate. Ask other folks that are in your same situation, or that have RIAs or small businesses as to what level of support you need. Talk to them about the consistency, accuracy, overall, just general knowledge that the IT company is providing for you on an ongoing basis because cyber security and IT kind of go hand in hand right along with account security for your firm and for your clients.
So it’s a very important aspect. Um, we did have an experience just in the past few years, and it was very interesting. We had a really bad snowstorm just south of Memphis, Tennessee, and it pretty much shut down the city for about by six, seven days – ice, snow, everything, couldn’t go anywhere. It was one of those things. It was still during COVID where we aren’t going to the office. Everybody was at home working remotely. And because of the cold weather, it actually affected our ability, just the way that their IT company and vendor had set up our ability, to get into our system. Access it, because it was so cold, it literally was frozen, which I’d never heard of before. But one of those things you have to think about, environmental anomalies that can happen that are not a common occurring in your area or where your firm is located. So it’s just, again, one more thing to think from a business continuity standpoint, different questions to ask and really investigate the IT vendor that you decide on.
Buddy Doyle: What’s interesting – just for our listeners, Sarah is not in Minneapolis. When she talks about a box that freezes in the snow, I think where you live, that’s unusual, right?
Sarah Sutton: Yes, very.
Buddy Doyle: But you do have to plan for those things. And that’ll be something where you will spend, you should spend more time than you usually do. At Oyster, we have the big smoking hole in the ground standard that we put in where the basics of our business continuity plan was if you went to the office and you observed a big smoking hole in the ground, no one’s not looking at that now. And so that’s how we ended up in the cloud. We’ve been through several iterations of onsite servers, managed servers and data centers, and then cloud, and kind of walked through that. But every time we did it, we asked ourselves what happens if this goes terribly wrong? And as financial advisors, we’re often very optimistic because we’re helping our clients meet their goals and objectives, and we’re forward looking and forward thinking. But don’t forget to put that risk management lens on, just like you do on your portfolios and think about your diversification of process.
Jeffrey Wilk: Buddy, just an interesting side note to that, if you will. We talk a lot about the risks and it raises a question in my mind about when people talk about costs and the budget, part of that build versus buy review. There’s always this concept, too, of costs versus the true costs, right? Those true costs come into play very quickly with all of the disaster planning and backup recovery. All those things that if you don’t get them right, there’s a price to pay. Unfortunately, they’re not always in the forefront of people’s minds when they start looking at technology either, as they’re focused on functionality. But if you don’t look at all the down streaming impacts things, like Sarah mentioned about freezing weather and stuff like that, there’s a lot of true costs that can come into the picture quickly. More likely than not the end client looking to your portal to get their money, isn’t really going to care why you’re server box froze, right? There’s just this inherent expectation that you have a solution in place for that, but without a tested plan. And then you’re sitting there with no backup, you’re now taking on reputational risk and there’s often forgotten about backups. I’m sure these are not most people’s calculations when deciding to go one direction or another when building out their tech stack.
Buddy Doyle: I used to do a three year time horizon on the investment in technology to look at the total cost of build versus buy and the total cost of ownership. Of having that application supported, whether that was through training and business folks. Whether we were doing ongoing maintenance and support, or the vendor was going to do ongoing maintenance and support. How much time and energy will it take your team to put that platform in, right? There is a cost for your time that could go beyond what you’re paying for the software. It will go beyond what you’re paying for the software. And so I think, as you go through this process, it’s the cost of implementation. It’s the cost of maintenance, it’s the cost of hardware and the software and the people, right? It’s the parts and the labor that you’ve got to consider all the way through and put the right time horizon on that investment. I generally go three years because I don’t want to replace technology every year, in five years. The way today’s technology works is an eternity. You can’t predict that far out. And the cost of technology over time has continued to come down. So I think that I would consider thinking through how long and how often you want to renegotiate as part of your process, when you’re going through and selecting a vendor,
Jay Donlin: Buddy, we talked a lot about business continuity, and kind of a similar concept, and you touched on it earlier, is cyber security. We can’t, you want to do sufficient due diligence so that, you catch the guy that’s got the server sitting in his garage. You don’t want that guy, right. So it’s something that is a hot topic with all the regulators. It’s on their lists as a top priority every year now, probably for the last five years. And it’s something that you need to be concerned about. You need to do that due diligence. You need to make sure they’re going through audits, external audits to prove that they know what they’re doing, that they have sufficient controls in place. One thing that we use at Oyster is multifactor authentication. Even if you don’t use it, in your business, which we would recommend you do, we tell people, use it in your personal business. All your bank accounts should have multifactor authentication in place. So, these are the kind of things when you’re assessing vendors that you really need to be focused on as well. Do they know what they’re doing? When it comes to cyber, how strong on cyber security and take that into consideration when you’re selecting them.
Buddy Doyle: I think that’s a really important component and the regulators will expect you to understand the cyber security of your vendors. So you’ll want to have an assessment of their cyber security program, understand how they run background checks on their employees. If you’re going to put the crown jewels of your firm in the hands of someone else, you want to make sure that they are going to protect them and keep them safe, and that if they can, and they’re stolen that they’re insured so that you’re not financially harmed any more than you have to be. And I think that is something to keep in mind, cybersecurity risk is real. And the reason we push multifactor authentication so hard on our platforms, and we have them in all of them is because it’s a lot harder to break into a platform that has multifactor authentication than it is by say, hacking someone’s Facebook account, seeing that they have the same password there that they use for other things with your corporate email.
And they can just run a dictionary at different applications to see is this email address and that password on your platform. And I think that is something to be concerned about. Other things that vendors can do for cyber security is set up IP filtering, internet protocol filtering to make sure that traffic is coming from your network. None of these things are perfect. None of these things holistically stop the risk, but when you’re dealing with different vendors, you can probably get a good sense of who takes cyber security very seriously, and who has yet to take cybersecurity very seriously. And I think, it is a very important component to understand you are not just a risk to your client’s data, but your third parties are a risk to client data. And even fourth parties are a risk to client data because if that vendor is using vendors themselves or subcontracting development and other countries, your data could be anywhere.
And you want to make sure that your vendor has good vendor processes. If they’re going to allow anyone to get access to client confidential information, or even your secrets related to how you want your firm. So another important consideration there. Jeff, any other advice for our clients who are going through technology decision making, and making the tech stack choices and selecting vendors or building? I know there’s a whole separate podcast we can do on implementation and driving adoption and things like that. But I think on the selection side, any final words of wisdom?
Jeffrey Wilk: Yeah. I think two things, Buddy. I think the first would be – don’t rush in, right. Make sure you’ve got a very solid, thorough plan in place to, and all these things we talked about today, prioritize which ones are the most important. And then secondarily, and you’ve touched on this quite a bit, which is you’ve got to look long term also, right? It’s not just about that initial purchase, the initial setup. It’s about, are you in a position? Do you want to remain – can you maintain what you choose, keep up with it, do all the security requirements, everything we’ve talked about? It’s not just a once and done, it’s an ongoing responsibility and you’ve got to consider that costs, resources, risks – the whole nine yards. So take your time, plan for it thoughtfully, and think long term.
Buddy Doyle: All right. Well, thank you so much for sharing your knowledge and wisdom guys, is there anything else that we want to cover? I think we did a pretty extensive job.
Libby Hall: Thanks everyone for listening. Join us for more in our Starting An RIA series. If you’d like to learn more about how Oyster can help you start your own RIA, contact us at oysterllc.com and we’ll be happy to chat. If you like what you heard today, follow us on whatever podcast platform you listen to and give us a review. Reviews make it easier for people to find us.