Business Continuity
Envestnet Summary BCP Disclosure 2023
Business Description
Envestnet is transforming the way financial advice is delivered through an ecosystem of technology, solutions and intelligence. By establishing the connections between people’s daily financial decisions and long-term financial goals, Envestnet empowers them to make better sense of their finances and live an Intelligent Financial Life™. As of December 31, 2022, nearly 106,000 advisors and approximately 6,900 companies including: 16 of the 20 largest U.S. banks, 47 of the 50 largest wealth management and brokerage firms, over 500 of the largest RIAs and hundreds of FinTech companies, leverage Envestnet technology and services that help drive better outcomes for their businesses and for their clients.
Envestnet is organized around three primary, complementary business lines: Envestnet Solutions, Envestnet Data and Analytics, and Envestnet WealthTech. The structure is designed to enable Envestnet to further help financial advisors, financial institutions and fintech companies deliver an Intelligent Financial Life™ for their customers and marks the next chapter of growth for Envestnet.
- Envestnet Solutions provides the wealth and asset management solutions across Envestnet’s ecosystem—including research, overlay, portfolio management, direct indexing, sustainable investing, and retirement services—as well as the partnership with Envestnet exchanges and other wealth solutions providers.
- Envestnet Data and Analytics brings together the combined capabilities of Envestnet | Yodlee, Envestnet Analytics, Envestnet Abe.ai, and more, to serve as the foundation by which Envestnet creates and deploys personalized and actionable insights and intelligence for its business lines.
- Envestnet WealthTech comprises the wealth technology solutions and platforms that service Envestnet’s advisory business lines, including MoneyGuide and Tamarac platforms, and next-generation tools, including a Client Portal that provides clients with a seamless user experience.
Envestnet Solutions
Envestnet Wealth Solutions empowers Financial Advisors at Broker-Dealers, Banks and RIAs with the tools they require to deliver holistic wealth management to their end clients, enabling them to deliver an Intelligent Financial Life to their clients. Wealth Solutions platforms include: 401k.com; AI Labs; ERS (Envestnet Retirement Services); FolioDynamix; Harvest; MoneyGuide; Redi2; Tamarac; and UMP (Unified Managed Platform). In addition, the firm provides financial advisors with practice management support so that they can grow their practices and operate more efficiently. As of September 30, 2022, Envestnet Wealth Solutions’ platform assets grew to approximately $5 trillion in nearly 18 million accounts overseen by nearly 106,000 Advisors.
Services provided to Advisors include:
- Financial planning
- Risk assessment tools
- Investment strategies and solutions
- Asset allocation models
- Research
- Portfolio construction
- Proposal generation and paperwork preparation
- Model management and account rebalancing
- Account monitoring
- Customized fee billing
- Overlay services covering asset allocation, tax management and socially responsible investing
- Aggregated multi-custodian performance reporting and communication tools
- Data analytics
- Access to a wide range of leading third-party asset custodians.
We offer these solutions principally through the Envestnet Unified Managed Platform (UMP), through the following product suites:
- Envestnet | Enterprise – provides an end-to-end open architecture wealth management platform, through which advisors can construct portfolios for their clients. The process begins with aggregated household data which then leads to a financial plan, asset allocation, investment strategy, portfolio management, rebalancing and performance reporting. Advisors have access to over 22,000 investment products. Envestnet | Enterprise also offers data aggregation and reporting, data analytics and digital advice capabilities to customers.
- Envestnet | Retirement Solutions (ERS) – offers a comprehensive suite of services for advisor-sold retirement plans. Leveraging integrated technology, ERS addresses the regulatory, data, and investment needs of retirement plans and delivers the information in a holistic way.
- Envestnet | PMC®, or Portfolio Management Consultants (PMC) – provides research and consulting services to assist advisors in creating investment solutions for their clients. These solutions include nearly 4,900 vetted third-party managed account products, multi-manager portfolios, fund strategist portfolios, as well as over 950 proprietary products, such as quantitative portfolios and fund strategist portfolios. PMC also offers portfolio overlay and tax optimization services.
Envestnet Data & Analytics
Envestnet Data & Analytics applies the use of data, intelligence and technology to support the millions of decisions people make about money and their financial future every single day, by gathering, refining and aggregating end-user permissioned transaction level data – combined with financial applications, reports, market research analysis, and application programming interfaces (APIs) for its consumers.
Envestnet Data & Analytics’ holistic end-to-end platforms serve as the foundation for personalized and actionable data, insights and experiences across the Envestnet ecosystem, to service the Wealth, Banking and Technology industries. These platforms enable actionable intelligence and next best actions for Envestnet clients -- driving measurable results to deliver the Intelligent Financial Life™ for consumers, small and medium size businesses, advisors and investors.
- Wealth Data Platform (WDP): A cloud-based data intelligence solution for wealth advisory firms that allows home offices and financial advisors to connect and enrich all the data sources across their practice and provide clients with actionable insights at scale on one holistic platform.
- Banking Data Platform (BDP): Available for banks and financial institutions of all sizes including those who support small to medium-sized businesses (SMBs), the BDP provides an option to better support and guide customers on their financial journey along with their need to obtain high-level, holistic views of their retail banking and business’ finances, through Envestnet’s BDP.
- Technology Data Platform (TDP): FinTech, personal financial management and small business lenders can obtain high-level, holistic views of their business’ finances through innovations within Envestnet’s TDP – including the option to better support and guide customers on their financial journey through the use of finance apps and payments.
- Research Data Platform: provides unique intelligence and data experiences for research organizations through its massive set of user-permissioned transaction level data.
These platforms are comprised of products and solutions including Yodlee, Truelytics, Insights Engine and AI, Savings Tools and more. Our D&A products and platforms have fueled innovation for financial institutions (FIs) and FinTech for more than 20 years, as well as our Wealth advisory clients.
Approximately 1,600 financial institutions, financial technology innovators and financial advisory firms, including 16 of the 20 largest US Banks, subscribe to Envestnet Data & Analytics platform to underpin personalized financial apps and services for approximately 32 million paid subscribers.
Envestnet Data & Analytics serves two main customer groups: Financial Institutions (FI) and Financial Technology Innovators, which we refer to as Yodlee Interactive (YI) customers.
Envestnet WealthTech
This business line comprises the wealth technology solutions and platforms that service Envestnet’s advisory business lines, including financial planning solutions, solutions and platforms geared toward Registered Investment Advisors (RIAs), and next-generation tools, including a Client Portal that provides clients with a seamless user experience and a holistic view of their customer’s finances.
- Envestnet | Tamarac™ provides leading trading, rebalancing, portfolio accounting, performance reporting and client relationship management software, principally to high end Registered Investment Advisors (RIAs).
- Envestnet | MoneyGuide provides leading goals-based financial planning solutions to the financial services industry. The highly adaptable software helps financial advisors add significant value for their clients using best-in-class technology with enhanced integrations to generate financial plans.
Given our reach in financial services, Envestnet senior management understands the importance of the services we provide to our clients and that any interruption in service has the potential of severe repercussions to our business partners. As a result of the environment we live and work in, management teams face increasing regulation and liability surrounding resiliency to any event that can disrupt the business. On an enterprise level, we aim to identify potential impacts that threaten our organization and provide a continuity framework to our employees. This framework has the purpose of building resilience and capability for an effective response that safeguards the interests of our key stakeholders, reputation, brand, and value creating activities.
Business disruptions can range from temporary power outages or severe weather outages to earthquakes, cyber threats, or internal attacks. Whatever the potential disruption, we must be prepared to safeguard our employees and our business, by achieving a state of readiness and resilience to face any adversity or challenge with minimum impacts.
The Enterprise Business Continuity Plan ("BCP") addresses the framework in which a business disruption would be managed to minimize the loss of vital resources throughout the company. This is done by using regulatory and best practice guidelines to identify potential threats and impacts on department, location, and enterprise levels. Envestnet’s Business Continuity Program is linked to regulatory controls, good corporate governance, and effective risk management, and it establishes sound management practice for this important area within the business. This document provides an overview of the Envestnet Business Continuity Program including all BCPs maintained by our organization.
Firm Policy
Our firm’s policy is to respond to a Significant Business Disruption (“SBD”) by safeguarding employees’ health and safety, as well as firm property; performing financial and operational assessments; quickly recovering and resuming operations; protecting intellectual property, books and records; and allowing our clients to conduct business.
Our strategy is to manage an approved enterprise-wide Business Continuity Program (“BCP”) to maintain the policy and standards while providing a comprehensive education and implementation process. The objective is to create, document, test, and maintain departmental business resumption plans in order to recover critical systems and functions. At least annually, Operations & Service departments with critical business processes test plans to ensure that they are workable, in compliance, and that staff are aware of their roles in the event of a business interruption. A corporate communication and management process exists to ensure critical business processes resume quickly, thereby reducing financial risk.
Annually we provide a Summary BCP Disclosure statement via our corporate website or an updated hard-copy version to clients upon request. Our firm creates and documents BCP plans based on the potential risks of disruption to our employees, workspace, and/or technology in each of our critical locations. Our firm provides this through resumption plans at the department, location, and enterprise-levels.
Significant Business Disruptions
Our plan anticipates two kinds of SBD, internal and external. Internal SBDs affect only our firm’s ability to communicate and do business, such as a fire in our building. External SBDs disrupt the operations of the securities markets for a number of firms, such as a natural disaster; acts of terrorism; cyber-attacks; equipment or system failures; unexpected loss of a critical service provider / facilities / key personnel; or a wide-scale, regional disruption. Our response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of Clearing Firms for trade execution for many of our clients.
As cybersecurity incidents have the potential to contribute to an SBD, Envestnet’s Business Continuity and Disaster Recovery planning controls complement the firm’s Information Security practices. Envestnet continuously refreshes our Information Security Program to align with industry best practices and applicable regulations. Envestnet has implemented a robust Information Security program that leverages elements from NIST CSF, NIST Standards, ISO 27001:2013 and other relevant industry best practices. Under the direction of the firm’s Information Security Officer, the program includes a threat-driven risk-based information security policy and risk management framework, a dedicated security function, while performing independent attestations and internal assurance activities to ensure program alignment.
Plan Location and Access
Our firm will maintain copies of its BCP plan(s), including the annual reviews and approvals in accordance with our Records Management policy, along with any changes that have been made to it for inspection. Copies of plans are available to plan owners and plan approvers via the ‘Envestnet Community’ within the Fusion Risk Management platform. Optionally, plan owners and plan approvers may maintain copies of plans in either hardcopy or electronic form using a secure medium of their choosing - Network Shared Drive; Microsoft Office 365; etc. These secondary copies shall be maintained and securely destroyed in accordance with the Global Information Security Policy – Information Classification and Handling Policy and Compliance Manual – Records Retention Schedule.
Office Locations
Our firm headquarters is located in Berwyn, PA and has US offices in Boston, MA; Denver, CO; Powhatan, VA; and Raleigh, NC. In addition, international locations exist in London, United Kingdom; Sydney, Australia; and Trivandrum, India. Some of the above referenced locations are dedicated to specific service offerings provided by other Envestnet entities and thus have separate Business Continuity Summaries to cover individual operations. We engage in order taking and entry in Berwyn, PA.
| # | US Office Locations | Address | Envestnet |
|---|---|---|---|
| 1 | Berwyn, PA - | 1000 Chesterbrook Blvd, Suite 250 Berwyn, PA 19312 | ERS |
| 2 | Boston, MA | 205 Portland St, Suite 202 Boston, MA 02114 | Redi2 |
| 3 | Denver, CO | 1801 California Street, 23rd Floor Denver, CO 80202 | UMP |
| 4 | Powhatan, VA | 1588 Oakbridge Terrace Powhatan, VA 23139 | MoneyGuide |
| 5 | Raleigh, NC | 621 Hillsborough Street Raleigh, NC 27603 | Tamarac |

| # | International Office Locations | Address | Envestnet |
|---|---|---|---|
| 6 | London, United Kingdom | Level39, One Canada Square, Canary Wharf, London, United Kingdom E14 | Yodlee |
| 7 | Sydney, Australia | Level 4, 11 York Street Sydney NSW 2000 AU | Yodlee |
| 8 | Trivandrum, India | TC 4/2035-1, Kowdiar Post Trivandrum, Kerala, India 695003 | UMP |
| 9 | Trivandrum, India | First floor, Bhawani, TechnoPark Trivandrum, Kerala, India 695581 | ERS |
Alternative Physical Location(s) of Employees
Envestnet does not maintain specific ‘hot site’ recovery facilities for operational failover. In the event of a significant business disruption (“SBD”), Envestnet will move our staff from affected locations to the relevant predetermined workspace failover site assigned to each employee record within their Department Resumption Plan and maintained in our Business Continuity Planning system.
Envestnet’s overall Business Continuity and Disaster Recovery strategies have been designed to complement each other and to address not only worst-case scenario in the event of an SBD, but also disruptions of a lesser magnitude.
Envestnet maintains stop-gap measures for business continuity, some of which are outlined below:
- To address loss of platform technology, Envestnet and its affiliates have an established presence in geographically dispersed primary and disaster recovery data center facilities for their platform technologies, resulting in the ability to support business out of either facility, should one of these locations be compromised by a natural disaster. Both data centers are hardened with redundant HVAC systems, electrical systems with battery backup and diesel generators, and temperature and environmental monitors. Access to the data centers is secured by cameras and card key access with biometric scanners. Both data centers are staffed 24x7x365;
- To address contingency arrangements for loss of key personnel due to a pandemic or other limited event, Envestnet maintains an Employee Unavailability Plan as a supplemental document to the Firm’s Enterprise, Location-Specific and Departmental Business Resumption Plans. Long-term or permanent arrangements would be made in conjunction with Human Resources Succession Plans.
- To reduce key man risk, most critical Operations & Service departments work in a distributed fashion, meaning that they have multiple locations that perform the same production work. In instances of weather issues or regional disasters, these distributed locations can continue processing, and unaffected Envestnet locations can serve as a relocation point for critical employees should the SBD timeframe be extended;
- All employees are assigned a workplace strategy to be employed in the event of an SBD – work from home; relocate to an alternate Envestnet facility; on hold; etc. In order to support these strategies:
  - US-based employees have been issued Envestnet laptops to support working in a remote fashion and utilizing secure VPN capabilities and our web-enabled systems to access our custom platforms in order to support critical business processes in a remote fashion.
  - India-based employees have pre-designated individuals that would relocate to an alternate Envestnet facility or work remotely using laptop / thin client. In order to maintain security in either case, the thin clients connect to our VDI interfaces and secure VPN in order to access our web-enabled systems. The primary strategy will be to relocate critical Operations & Service department employees to an alternate Envestnet facility; however the secondary strategy to work remotely is driven by the potential for ‘shelter in place’ orders that may be put in place from time to time by government, states, countries, or municipalities in locations where we conduct business.
- Periodic testing of these strategies is required for critical Operations & Service departments.
Clients’ Access to Funds and Securities
Envestnet does not maintain custody of clients’ funds or securities; custody is maintained at third-party Custodians designated by our clients. In the event of an internal or external SBD, if telephone, email, or fax service is available, our registered persons will take client orders or instructions and contact our Clearing Firms on their behalf; and if our Web access is available, clients may access their funds and securities by contacting their Custodian directly. Envestnet will provide alternative phone numbers and will make the Custodian contact information available to clients as required.
Data Backup and Recovery (Hard Copy and Electronic)
Our firm maintains its primary copy of books and records at its Berwyn, PA and Denver, CO offices. Our firm maintains the documents required by Rule 204-2, SEC Rule 17a-3 and SEC Rule 17a-4.
Our firm maintains its backup hard copy books and records through various third-party storage vendors. Hard copy records are sent to offsite storage as needed.
Our firm maintains its backup electronic books and records through strategic partnerships with various parties for our platform technology and backup vendors. The data vaulting / managed backup service and data center providers, which house our production and disaster recovery sites, are hosted in the United States and do not have direct access to Envestnet data or client Personally Identifiable Information (“PII”). Data center providers only provide physical space, security, and environmental controls; Envestnet owns and manages the equipment within our secured cage. Backup vendors only store data on behalf of Envestnet; Envestnet encrypts data before transmission, and vendors do not have access to encryption keys. We have a defined data protection strategy to cyclically back up our electronic records to meet the recovery time objectives of our various mission critical systems.
In the event of an internal or external SBD that causes the loss of our paper records, we will access electronic versions of these records in our various systems and platforms. If our primary site is inoperable, we will continue operations from our backup site or an alternate location. For the loss of electronic records, we will recover the electronic data from our backup records stored in the disaster recovery site, or, if our primary site is inoperable, continue operations from our backup site.
Financial and Operational Risk Assessments
Envestnet has an established Risk Management initiative with which we manage our proprietary risk inventory, related controls, mitigation plans, and risk treatment consistent with industry best practices and regulatory guidance. Envestnet risks are reviewed and assessed on an ongoing basis within the organization to support various initiatives and compliance programs including, but not limited to ISO 22301; Sarbanes-Oxley Act (“SOX”); SEC Rule 206(4)-7; Internal Audit; Business Continuity; and Risk Management.
Envestnet’s Risk Management program is facilitated by a cross-functional Risk Management Committee ("RMC") responsible for supervising the Enterprise Risk Framework of the Company. The RMC, chaired by the Chief Compliance Officer and co-chaired by the Principal Director, Business Continuity & Risk, is comprised of over 40 senior-level management representatives from various disciplines within the firm that meet formally to review, assess and discuss any significant risks or exposure and to review the steps taken to minimize identified risks or exposures. The Risk Management program is managed using a corporate risk management tool and facilitated through established policies, procedures, and training that raise awareness and provide a means of reporting and addressing potential problem and risk areas within the organization. As a public company, Envestnet is required to produce a 10-K each year and file it with the U.S. Securities and Exchange Commission (“SEC”). Risks related to our business are disclosed within the ‘Risk Factors’ section of the 10-K. In practice, this section focuses on the risks themselves, not how Envestnet addresses those risks.
Envestnet’s risk assessments, risk inventory, meeting minutes, and other Committee materials are considered confidential and may not be shared externally.
Envestnet’s Risk Management Program includes the following:
- The RMC meets formally on a scheduled basis throughout the calendar year to review, assess and discuss any significant risks or exposure and steps taken to minimize identified risks or exposures.
- The RMC is responsible for ensuring that sound policies, procedures, and practices are in place for the enterprise-wide management of the Company’s material risks and to report the results of the Committee’s activities to Senior Management and Board of Directors.
- The RMC is responsible for executing and monitoring risk management practices and may engage with independent firms as needed.
Operational Risk
Our firm recognizes that operational risk includes the firm’s ability to maintain communications with clients and to retrieve key activity records through its mission critical systems. In the event of an SBD, we will immediately identify what means will permit us to communicate with our clients, employees, critical business constituents, critical banks, critical counterparties, and regulators. Although the effects of an SBD will determine the means of alternative communication, the communication options we will employ will include our web site, telephone, voicemail, and secure email. In addition, we will retrieve our key activity records as described in the section above, Data Backup and Recovery (hard copy and electronic).
Financial and Credit Risk
In the event of an SBD, we will determine the value and liquidity of our investments and other assets to evaluate our ability to continue to fund our operations and remain in capital compliance. To the extent that we have financing requirements at the time of an SBD above and beyond considerations that are already contemplated through insurance coverage, we will request additional financing from our bank or other credit sources in order to remain in compliance with any applicable capital requirements. If we cannot remedy a capital deficiency, we will file appropriate notices with our regulators and immediately take the appropriate steps.
Mission Critical Systems
Our firm’s mission critical systems are those that ensure prompt and accurate reporting of securities holdings and the processing of securities transactions, including order implementation, reconciliation, comparison, allocation, clearance and settlement of securities transactions, the maintenance of client accounts and the delivery of funds and securities. More specifically, these systems include the custom platforms that support our core business offerings. In addition, our mission critical systems include any corporate applications that support our communication needs surrounding internet, phone, and email.
We have primary responsibility for establishing and maintaining our business relationships with our clients and have sole responsibility for our mission critical functions of order implementation, reporting, billing, reconciliation, comparison and allocation. In addition, we provide execution, clearance and settlement of securities transactions. Our Custodians provide, through contract, execution, clearance, and settlement of securities transactions and the delivery of funds and securities.
Clearing Firms utilized by our clients maintain a business continuity plan and the capacity to execute that plan. The Clearing Firms represent that they will advise us of any material changes to plans that might affect our ability to maintain our business and they have presented us with an executive summary of their plans. In the event any of the Clearing Firms execute their plan, the firms represent that they will notify us of such execution and provide equal access to services as its other clients. If we reasonably determine that the Clearing Firm has not or cannot put its plan in place quickly enough to meet our needs or is otherwise unable to provide access to such services, the Clearing Firm represents that it will assist us in seeking services from an alternative source.
The Clearing Firms represent that backups of our records are taken at a remote site. Each Clearing Firm represents that it operates a backup operating facility in a geographically separate area with the capability to conduct the same volume of business as its primary site. Each Clearing Firm has also confirmed the effectiveness of its back-up arrangements to recover from a wide scale disruption by testing.
Recovery time objectives provide concrete goals to plan for and test against. They are not, however, hard and fast deadlines that must be met in every emergency situation, and various external factors surrounding a disruption, such as time of day, scope of disruption, and status of critical infrastructure— particularly telecommunications—can affect actual recovery times. Recovery refers to the restoration of clearing and settlement activities after a wide-scale disruption; resumption refers to the capacity to accept and process new transactions and payments after a wide scale disruption.
Business Impact Analysis
As a part of Envestnet’s annual review and update of our BCP Program and Plans, Envestnet performs a Business Impact Analysis (“BIA”) to account for any changes in our operations, structure, business and/or locations to ensure that our planning effort encompasses the entire organization. The BIA reflects on the potential impact a disruption would have on Envestnet from a Financial; Legal / Compliance; Operational; Market Share; Reputational; and Strategic perspective.
Through the BIA, Envestnet has identified critical departments, critical business processes, inter-dependencies and recovery priorities for both technology and resources. The BIA process is supported through our Business Continuity Management Tool, Fusion Risk Management, and assists the firm in analyzing the following criteria for each critical business process:
- Building a criticality profile, outlining personnel resource requirements, as well as mitigation strategies;
- Assessing the potential financial, operational, legal/compliance, reputational, market share, and strategic impacts over several points in time ranging from 1 day to 30 days or more during a significant business disruption (“SBD”);
- Identifying and prioritizing critical business processes and associated Recovery Time Objectives (“RTOs”);
- Providing visibility for upstream and downstream dependencies between critical business processes across the firm;
- Providing visibility for system and technology resources for both internal systems and external service providers;
- Identifying key personnel that support processes in either a primary or secondary role;
- Naming alternate processing facilities where work is processed in a distributed fashion;
- Outlining dependencies on key documents and vital records; and
- Identifying critical strategic partners / third-party vendors required to support our business.
Our Firm’s Mission Critical Systems
Order Implementation
Currently, our firm receives orders from clients via the Envestnet Trading platform, email, phone and fax. During either an internal or external SBD we will continue to take orders through any of these methods that are available and reliable, and in addition, as communications permit, we will inform our clients when communications become available to tell them what alternatives they have to send their orders to us.
Clients will be informed of alternatives by email, Envestnet website and/or telephone. If necessary, we will advise our clients to place orders directly with their Clearing Firm or an alternative.
We currently implement orders by sending them to the clients’ Clearing Firm.
Other Services Currently Provided to Clients
In addition to those services listed above in this section we also provide our clients with rebalancing, reconciliation, portfolio management, reporting, overall account information, and the ability to withdraw or deposit funds into their accounts. In the event of an internal or external SBD, we would continue to provide these services through unaffected locations or through our Clearing Firms.
Mission Critical Systems Provided by Our Clearing Firms
Our firm relies, by contract, on our Clearing Firms to provide order execution, order comparison, order allocation, and the maintenance of client accounts and the delivery of funds and securities.
Alternate Communications between the Firm and Clients, Employees, and Regulators
Clients
We communicate with our clients using our platform technology, telephone, email, our web site, fax, U.S. mail, and in person visits at our firm or at the other locations. In the event of an SBD, we will assess which means of communication are still available to us and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party. For example, if we have communicated with a party by email, but the Internet is unavailable, we will call them on the telephone and follow up where a record is needed with paper copy in the U.S. mail. In addition, we may also utilize our automated notification system, AlertMedia, as a means of reaching select contacts at our client home office locations quickly during an SBD to provide disruption notification, procedures, and contingency arrangements.
Employees
We communicate with our employees using the telephone, email, and in person. In the event of an SBD, we will assess which means of communication are still available to us and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party. We will also employ a call tree and/or our automated notification system, AlertMedia, so that senior management can reach all employees quickly during an SBD to provide disruption notification, procedures, and contingency arrangements.
Key Service Providers / Strategic Partners
We communicate with our key service providers / strategic partners using the telephone, email, fax, and U.S. mail. In the event of an SBD, we will assess which means of communication are still available to us and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party.
Regulators
We communicate with our regulators using the telephone, email, fax, and U.S. mail. In the event of an SBD, we will assess which means of communication are still available to us and use the communication closest to those we have used before the disruption.
Regulatory Reporting
Our firm’s RIA business is subject to regulation by the SEC and the particular states in which we are registered. We file reports with our regulators using paper copies through the U.S. mail and electronically using fax, email, and the Internet. In the event of an SBD, we will check with the SEC and other regulators to determine which means of filing are still available to us and will use the means closest in speed and form (written or oral) to our previous filing method. In the event that we cannot contact our regulators, we will continue to file required reports using the communication means available to us.
Envestnet Solutions
US Securities Exchange Commission SEC Headquarters 100 F Street, NE
US Securities Exchange Commission SEC Chicago Regional Office 175 W. Jackson Boulevard, Suite 900
US Department of Labor 200 Constitution Ave NW
Our firm’s Data & Analytics business is subject to regulation by the Office of the Comptroller of the Currency (“OCC”); the Federal Reserve System (“FRS”); and the Federal Deposit Insurance Corporation (“FDIC”). We file reports with our regulators using paper copies through the U.S. mail and electronically using fax, email, and the Internet. For our UK branch we file reports with the FCA using their online service RegData. In the event of an SBD, we will check with the OCC, FRS, FDIC, and other regulators to determine which means of filing are still available to us and will use the means closest in speed and form (written or oral) to our previous filing method. In the event that we cannot contact our regulators, we will continue to file required reports using the communication means available to us.
Envestnet Data & Analytics
Office of the Comptroller 101 South Tryon Street, Suite 400
Financial Regulatory Services (FRS) 530 East Trade Street
Federal Deposit Insurance Corporation (FDIC)
Financial Conduct Authority (FCA)
Australian Competition and Consumer Commission (ACCC)
Office of the Australian Information Commissioner (OAIC)
US Department of Labor
Communications with Law Enforcement / FBI
In the event of a security-related incident which requires assistance from external agencies, Envestnet will communicate with local FBI authorities regarding the nature and extent of the incident.
Below is our contact information for the FBI Chicago and San Francisco Field Offices. The Envestnet Information Security Department will coordinate all communications.
Federal Bureau of Investigation (FBI) Chicago Field Office
Federal Bureau of Investigation (FBI) North Carolina Field Office
Critical Business Constituents and Counterparties
Envestnet has identified dependencies on several key service providers. As a result, Envestnet follows a formalized, risk-based strategy for performing vendor due diligence and oversight. Envestnet works with the business to identify vendors that support their critical business processes and performs due diligence on the vendor and their service offerings at the onset of the relationship. The due diligence review is tailored to the specific service provided by the vendor, and typically includes information and physical security, regulatory compliance, business continuity, and enterprise risk management.
For vendor onboarding, the Envestnet Legal department, along with Envestnet’s Information Security team, requires that all vendors are subject to strict confidentiality, non-use and non-disclosure restrictions, and that all contracts contain appropriate language to specifically address issues related to Information Security, Data Security, Confidentiality, and Service Level Agreements (as applicable to the specific vendor engagement), as specified within Envestnet’s Information Security in Supplier Relationships Policy and further supported within Envestnet’s Compliance Manual. Both policies are reviewed during annual, external ISO and Compliance Audits.
Envestnet defines outsourced/subcontracted work as leveraging a third-party vendor for operational support. Envestnet does not use outsourced operational support for any of its core functionalities (i.e. technology support, reconciliation activities, client support, etc.). However, Envestnet engages in strategic partnerships with several third-party vendors to leverage certain capabilities. These strategic partners do not have access to Envestnet’s data or client PII, apart from Custodians, Clearing Firms, Recordkeepers, and Statement Providers that are used at the direction of our clients.
The following are examples of our strategic partners; a comprehensive list can be made available upon request:
- Data Center Providers only provide physical space, security and environmental controls; Envestnet owns and manages the equipment within our secured cage;
- Electronic Vaulting / Backup Vendors: encrypted copies of web, application code and database data are backed up; the data does not leave Envestnet-owned infrastructure at any given point in time;
- Shredding Vendors are supervised onsite and throughout the shredding process;
- Data Feeds are one-way to Envestnet; and
- Custodians, Clearing Firms, and Statement Providers are known directly to our Advisor clients, and RIAs enter into a tri-party agreement; thus the RIA has the ability to conduct direct reviews and to approve the relationship. Additionally, Custodians and Clearing Firms are regulated and bound to laws and rules related to data security.
Business Constituents
We have contacted our critical business constituents (defined as those businesses with which we have an ongoing commercial relationship in support of our operating activities, such as vendors providing us critical services) and have determined the extent to which we can continue our business relationship with them in light of the internal or external SBD. We will quickly establish alternate arrangements if a business constituent can no longer provide the needed goods or services when we need them because of an SBD to them or our firm.
Counterparties
We have contacted our critical counterparties, such as our disaster recovery providers, Clearing Firms, and Custodians to determine if we will be able to carry out our transactions with them in light of the internal or external SBD. Where the transactions cannot be completed, we will work with our Clearing Firm or contact those counterparties directly to make alternative arrangements to complete those transactions as soon as possible.
Testing
Business Continuity tests are completed with critical business resources and BCP Teams at least annually to provide Envestnet Management and our stakeholders with the assurance that the business will successfully recover following a business disruption.
Below is an overview of Envestnet BCP Testing:
- Testing is a major component of the Envestnet Business Continuity Program. Tests ensure that plans are repeatable and consistent and that staff are able to fulfill roles and responsibilities;
- The test schedule is created annually in Q4 by BCP Teams. Considerations are made for employee participation and preparedness levels along with the current risks and impacts to the business;
- Success is measured ultimately by achievement of testing objectives;
- As needed, Business Continuity Plans are updated to account for findings and/or feedback received from test participants; and
- Quarterly BCP Reports are provided to management for review and action, as well as to clients if requested.
Maintenance
Envestnet reviews plans on an annual basis with all owners to ensure plans are accurately maintained and fit for purpose. At the time of review, business changes and best practices are reviewed and reflected within plans.
Location-specific Business Resumption Plans are reviewed by location level owners and Department Business Resumption Plans are reviewed by department level owners. All Business Continuity Plans are reviewed by the Business Continuity Manager. It is the responsibility of the plan owners to ensure the plans have been reviewed, are accurate and complete.
The Business Continuity Program is approved by the Chief Financial Officer, or their designee.
Updates and Annual Review
Our firm will update this plan whenever we have a material change to our operations, structure, business or location or to those of our Clearing Firms.
In addition to the annual BCP review process, key areas that trigger review and potential revisions include:
- Business Continuity Plan test results;
- Significant business / location / department changes or incidents;
- Laws & Regulations; or
- Best Practice Guidelines.
Senior Manager Approval
The approval for the Enterprise Business Continuity Plan and Program is managed and tracked through an automated approval process within our Business Continuity Planning system. Annual review and approval of the Enterprise Business Continuity Plan and Program were provided by the following individual on January 19, 2023.
I have approved this Summary BCP Disclosure as reasonably designed to enable our firm to meet its obligations to customers in the event of a significant business disruption.
By: Pete D’Arrigo
Title: Envestnet Asset Management
Chief Financial Officer
Date: January 19, 2023
* Original signature on file in main office