Contact
Sign In


Business Continuity

Envestnet Summary BCP Disclosure 2020

 

Business Description

Envestnet Wealth Solutions empowers Financial Advisors at Broker-Dealers, Banks and RIAs with the tools they require to deliver holistic wealth management to their end clients. Wealth Solutions platforms include: UMP; ERS; Tamarac; FinanceLogix; FolioDynamix; and MoneyGuide platforms. In addition, the firm provides Advisors with practice management support so that they can grow their practices and operate more efficiently. At the end of 2019, Envestnet Wealth Solutions’ platform assets grew to approximately $4 trillion in nearly 11.9 million accounts overseen by more than 100 thousand Advisors. Services provided to Advisors include: financial planning, risk assessment tools, investment strategies and solutions, asset allocation models, research, portfolio construction, proposal generation and paperwork preparation, model management and account rebalancing, account monitoring, customized fee billing, overlay services covering asset allocation, tax management and socially responsible investing, aggregated multi‑custodian performance reporting and communication tools, plus data analytics. We have access to a wide range of leading third‑party asset custodians.

Through our parent company we offer these solutions principally through the following product and service suites:

Firm Policy

Our firm’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ health, safety, and firm property; making and financial and operational assessments; quickly recovering and resuming operations; protecting intellectual property, books and records; and allowing our clients to transact business.

Our strategy is to manage an approved corporate-wide Business Continuity Program (BCP) to maintain the policy and standards while providing a comprehensive education and implementation process. The objective is to create, document, test, and maintain departmental business resumption plans in order to recover critical systems and functions. At least annually, Operations departments with critical business processes and Technology departments test their plans to ensure that they are workable, in compliance, and that staff are aware of their roles in a business interruption. A corporate communication and management process exists to ensure critical business processes resume quickly, thereby reducing financial risk.

Annually we provide a Summary BCP Disclosure statement via our corporate website or an updated hard-copy version to clients upon request. Our firm creates and documents BCP plans based on the potential risks of disruption to our employees, workspace, and/or technology in each of our critical locations. Our firm provides this through resumption plans at the department, location, and enterprise-levels.
 

Significant Business Disruptions

Our plan anticipates two kinds of Significant Business Disruptions (SBD), internal and external. Internal SBDs affect only our firm’s ability to communicate and do business, such as a fire in our building. External SBDs disrupt the operations of the securities markets for a number of firms, such as a natural disaster; acts of terrorism; cyber-attacks; equipment of system failures; unexpected loss of a critical service provider / facilities / key personnel; or a wide-scale, regional disruption. Our response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of Clearing Firms for trade execution for many of our clients.

As cybersecurity incidents have the potential to contribute to an SBD, Envestnet’s Business Continuity and Disaster Recovery planning controls complement the firm’s Information Security practices which have been standardized using the ISO/IEC 27001, under the direction of the firm’s Information Security Officer.
 

Plan Location and Access

Our firm will maintain copies of its BCP plan(s), including the annual reviews and approvals in accordance with our Records Management policy, along with any changes that have been made to it for inspection. An electronic copy of our plan is located on the Fusion Risk Management platform with historical copies maintained on the Envestnet network shared drive within the Business Continuity directory. Additionally, hard copies are kept in each location and safely at BCP leaders’ homes.
 

Office Locations

Our parent company headquarters is located in Chicago, IL and has US offices in Berwyn, PA; Denver, CO; Midlothian, VA; Orlando, FL; Powhatan, VA; Raleigh, NC; Redwood City, CA; Seattle, WA; Secaucus, NJ; and Sparks, MD. In addition, international locations exist in Bangalore, India; Brisbane, Australia; London, United Kingdom; Sydney, Australia; and Trivandrum, India. Some of the above referenced locations are dedicated to specific service offerings provided by other Envestnet entities and thus have separate Business Continuity Summaries to cover individual operations.

Tamarac US-based operations exist in Seattle, WA and Raleigh, NC. In addition, international locations exist in Trivandrum, India.

#

US Office Locations

Address

Phone Number

Envestnet
Platform Support

1

Chicago, IL - HEADQUARTERS

35 E Wacker Drive, Suite 2400

Chicago, IL 60601

866-924-8912

UMP
UMPi
ERS

2

Berwyn, PA

1000 Chesterbrook Blvd, Suite 250

Berwyn, PA 19312

610-644-3464

UMP
UMPi
ERS
Wheelhouse
Yodlee
AI Labs

3

Denver, CO

1801 California Street, 23rd Floor

Denver, CO 80202

866-924-8913

UMP
ERS

4

Midlothian, VA

15521 Midlothian Turnpike #201

Midlothian, VA 23113

804-744-5900

MoneyGuide

5

Orlando, FL

1013 E Colonial Dr

Orlando, FL 32803

 

AbeAI

6

Powhatan, VA

1588 Oakbridge Terrace

Powhatan, VA 23139

804-744-5900

MoneyGuide

7

Raleigh, NC

421 Fayetteville Street, Suite 1500

Raleigh, NC 27601

919-999-4600

Tamarac
Yodlee

8

Redwood Shores, CA

3600 Bridge Parkway, Suite 200

Redwood City, CA 94065

650-980-3600

AbeAI
UMP
Yodlee

9

Seattle, WA

701 Fifth Avenue, 14th Floor

Seattle, WA 98104

866-525-8811

UMP
Tamara
FinanceLogix
ERS

10

Secaucus, NJ

One Harmon Plaza, 6th Floor

Secaucus, NJ 07094

201-605-1876

FolioDynamix

11

Sparks, MD

53 Loveton Circle, Ste #201

Sparks, MD 21152

443-212-5072

WebbMason

         

#

International Office Locations

Address

Phone Number

Envestnet
Platform Support

12

Bangalore, India

1st Floor, Mercury (2B) Block; Prestige Technology Park

 Sarjapura-Marathahalli Ring Road

Bangalore, Karnataka, India 560 103

 +91 8039805600

Yodlee

13

Brisbane, Australia

Prospect Studios, 52 Prospect Street

Fortitude Valley, Brisbane, Australia QLD 4006

 +61 466824209

Yodlee

14

London, United Kingdom

Level39, One Canada Square,

Canary Wharf, London , United Kingdom E14

 +44 2036683703

Yodlee

15

Sydney, Australia

333 George St

Sydney NSW 2000 AU

+61 731213188

Yodlee

16

Trivandrum, India
(ENV Towers)

TC 4/2035-1, Kowdiar Post

Trivandrum, Kerala, India 695003

 +91 4714181020

UMP
UMPi
Yodlee

17

Trivandrum, India
(Bhadra Towers)

Cotton Hill Road, Vazhuthacaud

Trivandrum, Kerala, India 695014

 +91 4714181111

UMP
UMPi

18

Trivandrum, India
(Techno Park)

First floor, Bhawani, TechnoPark

Trivandrum, Kerala, India 695581

 +91 4714181030

UMP
UMPi
Tamarac
ERS

 

Alternative Physical Location(s) of Employees

Envestnet does not maintain specific ‘hot site’ recovery facilities for operational failover. In the event of an SBD, Envestnet will move our staff from affected locations to the relevant predetermined workspace failover site assigned to each employee record within their Department Resumption Plan and maintained in our Business Continuity Planning system.

Envestnet’s overall Business Continuity and Disaster Recovery strategies have been designed to complement each other and address not only worst-case scenario in the event of a Significant Business Disruption (SBD), but also disruptions of a lesser magnitude. Envestnet maintains stop-gap measures for business continuity, some of which are outlined below:

Clients’ Access to Funds and Securities

Envestnet does not maintain custody of clients’ funds or securities; custody is maintained at third-party Custodians designated by our clients. In the event of an internal or external SBD, if telephone, email, or fax service is available, our registered persons will take client orders or instructions and contact our Clearing Firms on their behalf; and if our Web access is available, clients may access their funds and securities by contacting their Custodian directly. Envestnet will provide alternative phone numbers and will make the Custodian contact information available to clients as required.
 

Data Backup and Recovery (Hard Copy and Electronic)

Our firm maintains its primary copy of books and records at its Berwyn, PA; Chicago, IL; Denver, CO; and Redwood City, CA and Seattle, WA offices. Our firm maintains the documents required by Rule 204-2, SEC Rule 17a-3 and SEC Rule 17a-4.

Our firm maintains its backup hard copy books and records through various third-party storage vendors. Hard copy records are sent to offsite storage semi-annually or more frequently if needed.

Our firm maintains its backup electronic books and records through strategic partnerships with various parties for our platform technology and backup vendors. The data vaulting / managed backup service and data center providers, which house our production and disaster recovery sites, are hosted in the United States and do not have direct access to Envestnet data or client PII. Data center providers only provide physical space, security, and environmental controls; Envestnet owns and manages the equipment within our secured cage. Backup vendors only store data on behalf of Envestnet; Envestnet encrypts data before transmission, vendors do not have access to encryption keys. We have a defined data protection strategy to cyclically back up our electronic records to meet the recovery time objectives of our various mission critical systems.

In the event of an internal or external SBD that causes the loss of our paper records, we will access electronic versions of these records in our various systems and platforms. If our primary site is inoperable, we will continue operations from our backup site or an alternate location. For the loss of electronic records, we will recover the electronic data from our backup records stored in the disaster recovery site, or, if our primary site is inoperable, continue operations from our backup site.

 

Financial and Operational Risk Assessments

Envestnet has an established Risk Management initiative with which we manage our proprietary risk inventory, related controls, mitigation plans, and risk treatment consistent with industry best practices and that complies with applicable regulatory requirements. The risks are reviewed and assessed within multiple venues on an ongoing basis within the organization to support various initiatives and compliance programs including, but not limited to ISO 23001; Sarbanes-Oxley Act (SOX); SEC Rule 206(4)-7; Internal Audit; Business Continuity; and Risk Management.

Envestnet has a Risk Management program that is facilitated by a cross-functional Risk Management Committee (RMC) responsible for supervising the Enterprise Risk Framework of the Company. The RMC, chaired by the Chief Compliance Officer, is comprised of over 20 senior-level management representatives from various disciplines within the firm that meet formally no fewer than four times a year to review, assess and discuss any significant risks or exposure and steps taken to minimize identified risks or exposures. The Risk Management program is managed using a corporate risk management tool and facilitated through established policies, procedures, and training that raise awareness and provide a means of reporting and addressing potential problem and risk areas within the organization.

Further, Envestnet has mechanisms in place to help raise awareness of potential problem and risk areas. Through established policies, procedures, and training that include the means for taking actions Envestnet addresses risks associated with the processing of client information and securing it from improper access or use.

As a public company, Envestnet is required to produce a 10-K each year and file it with the U.S. Securities and Exchange Commission (SEC). Risks related to our business are disclosed within the ‘Risk Factors’ section of the 10-K. In practice, this section focuses on the risks themselves, not how Envestnet addresses those risks.

Envestnet’s risk assessments, risk inventory, meeting minutes, and other Committee materials are considered confidential and may not be shared externally.

Envestnet’s Risk Management Program includes the following:

 

Operational Risk

Our firm recognizes that operational risk includes the firm’s ability to maintain communications with clients and to retrieve key activity records through its mission critical systems. In the event of an SBD, we will immediately identify what means will permit us to communicate with our clients, employees, critical business constituents, critical banks, critical counterparties, and regulators. Although the effects of an SBD will determine the means of alternative communication, the communications options we will employ will include our web site, telephone, voicemail, and secure email. In addition, we will retrieve our key activity records as described in the section above, Data Backup and Recovery (Hard Copy and Electronic).
 

Financial and Credit Risk

In the event of an SBD, we will determine the value and liquidity of our investments and other assets to evaluate our ability to continue to fund our operations and remain in capital compliance. To the extent that we have financing requirements at the time of an SBD above and beyond considerations that are already contemplated through insurance coverage, we will request additional financing from our bank or other credit sources in order to remain in compliance with any applicable capital requirements. If we cannot remedy a capital deficiency, we will file appropriate notices with our regulators and immediately take the appropriate steps.
 

Mission Critical Systems

Our firm’s mission critical systems are those that ensure prompt and accurate reporting of securities holdings and the processing of securities transactions, including order implementation, reconciliation, comparison, allocation, clearance and settlement of securities transactions, the maintenance of client accounts and the delivery of funds and securities. More specifically, these systems include the custom platforms that support our core business offerings. In addition, our mission critical systems include any corporate applications that support our communication needs surrounding internet, phone, and email.

We have primary responsibility for establishing and maintaining our business relationships with our clients and have sole responsibility for our mission critical functions of order implementation, reporting, billing, reconciliation, comparison and allocation. In addition, we provide execution, clearance and settlement of securities transactions. Our Custodians provide through contract execution, clearance, settlement of securities transactions and the delivery of funds and securities.

Clearing Firms utilized by our client maintain a business continuity plan and the capacity to execute that plan. The Clearing Firms represent that they will advise us of any material changes to plans that might affect our ability to maintain our business and they have presented us with an executive summary of their plans. In the event any of the Clearing Firms execute their plan, the firms represent that they will notify us of such execution and provide equal access to services as its other clients. If we reasonably determine that the Clearing Firm has not or cannot put its plan in place quickly enough to meet our needs, or is otherwise unable to provide access to such services, the Clearing Firm represents that it will assist us in seeking services from an alternative source. The Clearing Firms represent that backup of our records are taken at a remote site. Each Clearing Firm represents that it operates a backup operating facility in a geographically separate area with the capability to conduct the same volume of business as its primary site. Each Clearing Firm has also confirmed the effectiveness of its back-up arrangements to recover from a wide scale disruption by testing.

Recovery time objectives provide concrete goals to plan for and test against. They are not, however, hard and fast deadlines that must be met in every emergency situation, and various external factors surrounding a disruption, such as time of day, scope of disruption, and status of critical infrastructure— particularly telecommunications—can affect actual recovery times. Recovery refers to the restoration of clearing and settlement activities after a wide-scale disruption; resumption refers to the capacity to accept and process new transactions and payments after a wide scale disruption.

 

Business Impact Analysis

As a part of Envestnet’s annual review and update of our the BCP Program and Plans, Envestnet performs a Business Impact Analysis (BIA) to account for any changes in our operations, structure, business, or locations. The BIA process is supported through our Business Continuity Management Tool, Fusion Risk Management and assists the firm in analyzing the following criteria for each critical business process performed:

 

Our Firm’s Mission Critical Systems

Order Implementation
Currently, our firm receives orders from clients via the Envestnet Trading platform, email, phone and fax. During either an internal or external SBD we will continue to take orders through any of these methods that are available and reliable, and in addition, as communications permit, we will inform our clients when communications become available to tell them what alternatives they have to send their orders to us.

Clients will be informed of alternatives by email, Envestnet website and/or telephone. If necessary, we will advise our clients to place orders directly with their Clearing Firm or an alternative.

We currently implement orders by sending them to the clients’ Clearing Firm.

Other Services Currently Provided to Customers
In addition to those services listed above in this section we also provide our clients with rebalancing, reconciliation, portfolio management, reporting, overall account information, and the ability to withdraw or deposit funds into their accounts. In the event of an internal or external SBD, we would continue to provide these services through unaffected locations or through our Clearing Firms.

Mission Critical Systems Provided by Our Clearing Firms
Our firm relies, by contract, on our Clearing Firms to provide order execution, order comparison, order allocation, and the maintenance of client accounts and the delivery of funds and securities.
 

Alternate Communications between the Firm and Clients, Employees, and Regulators

Clients
We communicate with our clients using our platform technology, telephone, email, our web site, fax, U.S. mail, and in person visits at our firm or at the other locations. In the event of an SBD, we will assess which means of communication are still available to us and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party. For example, if we have communicated with a party by email, but the Internet is unavailable, we will call them on the telephone and follow up where a record is needed with paper copy in the U.S. mail. In addition, we may also utilize our automated notification system, EverBridge, as a means to reaching select contacts at our client home office locations quickly during an SBD to provide disruption notification, procedures, and contingency arrangements.

Employees
We communicate with our employees using the telephone, email, and in person. In the event of an SBD, we will assess which means of communication are still available to us and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party. We will also employ a call tree and/or our automated notification system, EverBridge, so that senior management can reach all employees quickly during an SBD to provide disruption notification, procedures, and contingency arrangements.

Key Service Providers / Strategic Partners
We communicate with our key service providers / strategic partners using the telephone, email, fax, U.S. mail. In the event of an SBD, we will assess which means of communication are still available to us and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party.

Regulators

We communicate with our regulators using the telephone, email, fax, and U.S. mail. In the event of an SBD, we will assess which means of communication are still available to us and use the communication closest to those we have used before the disruption.
 

Critical Business Constituents and Counter-Parties

Through our parent company, Tamarac participates in Envestnet's Vendor Management Program. Envestnet follows a formalized a risk-based strategy for performing vendor due diligence and oversight. Envestnet performs due diligence on the vendor and their service offerings at the onset of the relationship. The due diligence review is tailored to the specific service provided by the vendor, and typically includes information and physical security, regulatory compliance, business continuity, and enterprise risk management.

For vendor onboarding, the Envestnet Legal department, along with Envestnet’s Information Security department, requires that all vendors are subject to strict confidentiality, non-use and non-disclosure restrictions, and that all contracts contain appropriate language to specifically address issues related to Information Security, Data Security, Confidentiality, and Service Level Agreements (as applicable to the specific vendor engagement). Envestnet categorically ranks service providers and performs due diligence using one or more vendor due diligence questionnaires, which Envestnet distributes to the service providers at various times throughout the year.

Tamarac uses a sub-service data center organization, Rackspace, for dedicated hosting of the Tamarac platform. Rackspace is responsible for managing the supporting infrastructure for Tamarac, which includes services such as managed backup, monitoring and storage, network security, and data center operations. Rackspace does not have access to client data. Rackspace does have access to the hardware where client data is stored.

Tamarac does use some on-site contractors to support software development.

 

Business Constituents

We have contacted our critical business constituents defined as those businesses with which we have an ongoing commercial relationship in support of our operating activities, such as vendors providing us critical services and have determined the extent to which we can continue our business relationship with them in light of the internal or external SBD. We will quickly establish alternate arrangements if a business constituent can no longer provide the needed goods or services when we need them because of an SBD to them or our firm.
 

Counterparties

We have contacted our critical counterparties, such as our disaster recovery providers, Clearing Firms, and Custodians to determine if we will be able to carry out our transactions with them in light of the internal or external SBD. Where the transactions cannot be completed, we will work with our Clearing Firm or contact those counterparties directly to make alternative arrangements to complete those transactions as soon as possible.
 

Regulatory Reporting

Our firm is subject to regulation by: SEC and the particular states in which we are registered. We file reports with our regulators using paper copies through the U.S. mail and electronically using fax, email, and the Internet. In the event of an SBD, we will check with the SEC and other regulators to determine which means of filing are still available to us and will use the means closest in speed and form (written or oral) to our previous filing method. In the event that we cannot contact our regulators, we will continue to file required reports using the communication means available to us.
 

Wealth Solutions Data & Analytics Solutions

Communications with Law Enforcement / FBI

In the event of a security-related incident which requires assistance from external agencies, Envestnet will communicate with local FBI authorities regarding the nature and extent of the incident.

Below is our contact information for the FBI Chicago and San Francisco Field Offices. The Envestnet Information Security Department will coordinate all communications.

Testing

Business Continuity tests are completed with critical business resources and BCP Teams at least annually to provide Envestnet Management and our stakeholders with the assurance that the business will successfully recover following a business disruption.

Below is an overview of Envestnet BCP Testing:

Maintenance

Our firm will maintain copies of its BCP plan, including the annual reviews and approvals in accordance with our Records Management policy, along with any changes that have been made to it for inspection. An electronic copy of our plan is located on the Fusion Risk Management platform with historical copies maintained on the Envestnet network shared drive within the Business Continuity directory. Additionally, hard copies are kept in each location and safely at BCP leaders’ homes.

Envestnet reviews plans on an annual basis with all owners to ensure plans are accurately maintained and fit for purpose. At the time of review, business changes and best practices are reviewed and reflected within plans.

Location-specific Business Resumption Plans are reviewed by location level owners and Department Business Resumption Plans are reviewed by department level owners. All Business Continuity Plans are reviewed by the Business Continuity Manager. It is the responsibility of the plan owners to ensure the plans have been reviewed, are accurate and complete.

All Business Continuity Plans are approved by the Chief Compliance Officer and signed off by the Chief Financial Officer, or their designee.
 

Updates and Annual Review

Our firm will update this plan whenever we have a material change to our operations, structure, business or location or to those of our Clearing Firms.

In addition to the outcome of the annual review process, key areas that trigger review and potential revisions to the BCP include:

Senior Manager Approval

I have approved this Summary BCP Disclosure as reasonably designed to enable our firm to meet its obligations to clients in the event of a significant business disruption.

By: Pete D'Arrigo
Title: Envestnet Asset Management Chief Financial Officer
Date: 06/19/2020
*original signature on file in main office

Copyright Envestnet | Tamarac All rights reserved.
www.tamaracinc.com is digitally verified by Starfield Secure Certification Authority.
Tamarac Trading
Sign In
Tamarac Reporting
Sign In