Client Portal Due Diligence


8 April 2019


More and more advisers are choosing to use client portals to enhance their client service proposition.  This rise in popularity is largely due to clients being able to access their information more easily.  Fewer clients want to wait days to receive items in the post; they want them instantly.  Research also shows that the older generation is more tech-savvy than it was 10 years ago.  This means that, as a business, you need to ensure you are fulfilling your clients' wants and needs rather than falling behind the competition.

But it’s not as easy as just picking a provider and off you go.  You need to carry out full due diligence on the provider you choose.  Many portals are offered as white label, which means that it’s your brand the clients see when they log on to the interface.  They are none the wiser that it’s actually a different company.  Therefore, if anything goes wrong, it will be your company that they hold responsible, and you face reputational damage if you have not carried out your due diligence correctly.

Before signing on the dotted line, one of the first things you should do is check the provider’s ability to comply with GDPR and the DPA 2018.  This is because GDPR places an obligation on you, the data controller, to only use providers (data processors) that can demonstrate compliance.

Having a contract in place between you and your provider is also a must.  In the contract, you need to look for obligations on the provider to:

  • Only act in accordance with your instructions;
  • Comply with confidentiality obligations – this goes for all staff;
  • Ensure the security of the personal data;
  • Cooperate with any interaction with the ICO;
  • Return or destroy the personal data at the end of the contract;
  • Provide you with all the information necessary to demonstrate compliance with the GDPR.

As you are also trusting the provider to hold personal data, you have an obligation to know the location of the data under their control.  As such, it is important to keep a close relationship with them to ensure that the correct data protection procedures are being followed.

Ideally, you should look for a provider who is ISO 27001 certified.  If the system allows linking to the client’s bank account, the provider should also have gained authorisation from the FCA as an Account Information Service Provider (AISP), which is a requirement introduced under PSD2.

Need Help?

If you want any help establishing a due diligence process, get in touch with our team today on 0161 521 8641 or
