Selected case submission into the 2013 Institute of Internal Audit Case Competition. The case study introduces a new mobile platform that would integrate company's communication strategy. Each team had to identify a solution to a process and to identify the risks involved. Competed with UPenn, Villanova, University of Delaware, Temple, and others.

1. IIA & PICPA Case Competition 2013
Team: Real Time Advisory
John Cao | Tho A. Hoang | Khoa Huynh | Ryan S. Wood
CASE BRIEF: DEVELOPING A MOBILE DEVICE STRATEGY
This report is created by Real Time Advisory Group in order to provide Fairfield Trust Company a mobile device
strategy which recommends an innovative Bring-Your-Own-Devices (BYOD) program for Fairfield personnel and
online trading program for Fairfield customers, identifies risks involved within the programs, and build effective
controls in order to manage the addressed risks. With the recommended programs, Real Time Advisory Group is
confident to bring a solution for Fairfield that will help the company not only save costs, retain key personnel,
provide comprehensive customer service, but also enhance Fairfield’s competitive advantages to maintain its future
growth.

2. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 2
Table of Contents
FAIRFIELD
TRUST
COMPANY
-­‐
BACKGROUND
&
ISSUE
..........................................................................
3
INTERNAL
STRATEGY
–
IMPLEMENT
A
BYOD
PROGRAM
.......................................................................
3
SIX
RISKS
OF
IMPLEMENTING
BYOD
................................................................................................................
3
INTERNAL
SOLUTIONS
–
BYOD
PROGRAM
.......................................................................................................
4
COMPARISON
OF
A
BYOD
AND
BLACKBERRY
PROGRAM
.....................................................................................
4
TO-­‐BE
DIAGRAM
INTRODUCTION
....................................................................................................................
6
DATA
ACCESS
AND
PROTECTION
CONTROL
FOR
BYOD
PROGRAM
........................................................................
6
PAYMENT
AND
ADMINISTRATION
OF
EMPLOYEE
EXPENSES
RELATED
TO
MOBILE
DEVICES
........................................
8
EXTERNAL
STRATEGY
–
EXECUTING
TRADES
BY
ELECTRONIC
DEVICES
..................................................
9
CUSTOMER
SERVICE
BACKGROUND
.................................................................................................................
9
ISSUE
.........................................................................................................................................................
9
FOUR
RISKS
OF
IMPLEMENTING
TRADES
BY
ELECTRONIC
DEVICES
...........................................................................
9
CONSIDERATIONS
AND
RECOMMENDATION
....................................................................................................
11
ETHICS
&
COMPLIANCE
......................................................................................................................
12
APPENDIX
..........................................................................................................................................
14
SAMPLE
POLICIES
.......................................................................................................................................
14
WORK
CITED
......................................................................................................................................
15

3. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 3
Fairfield Trust Company - Background & Issue
The Fairfield Trust Company (“Fairfield”) is an independent investment and wealth management firm headquartered
in Philadelphia, PA. It offers formal investment services to various entities and provides wealth advisory services to
complement their primary services of investment management and trust administration. Fairfield Investment
Management (“FIM”) has $3 billion of assets under management for Fairfield’s proprietary family of mutual funds.
As of 2012, Fairfield is a national trust company with 12 offices throughout the US, including offices in New York,
Delaware, Illinois, and California, employing 210 people, and serving more than 2,500 clients. The company has
three categories of employees: management, investment advisors and administrative support (HR, Compliance,
Accounting, and IT). With the company’s rapid grow, the expansive use of these devices results in significant costs
associated with paying for the infrastructure and supporting users.
Changes in technology led to some issues dealing with mobile device usage. The BlackBerry service contract will
end within the next three months, and the infrastructure is due to be replaced. BlackBerry service will cost ten
percent more for the new contract and no longer offer unlimited data usage. Employees request to use devices that
are not currently supported by the IT department. Some of them have to go back and forth between BlackBerry and
personal mobile devices. Some also want to bring their personal tablets to assist with presentations to their
customers. The BlackBerry devices can only access to company mail, and no external access to the company’s
network other than through VPN on company-issued laptops. Although the majority of data stored on the company’s
servers is low risk, those data are highly confidential. On the customer side, they do not allow for online trading via
the Internet or via a mobile device-based app. Customers can only check on their portfolio by contacting their
investment advisors, but they themselves can’t access the information on demand. Fairfield management is currently
looking for ways to save costs, retain key personnel and provide comprehensive customer service. The management
team is working on the project about development of mobile device strategy. They are seeking recommendations on
whether to remain with their current corporate-liable BlackBerry program or move to a BYOD program, which
allows employees use their own devices for business purposes.
Internal Strategy – Implement a BYOD Program
Six Risks of Implementing BYOD
Based on the definition and identification of BYOD program, the management team needs to consider the following
risks related to this program:
1. Malware and Spyware:
Although in the past, malicious software and malware activities mainly affected personal computers, in recent
years the mobile industry has seen an increase in the number of malware and spyware programs which cause
serious harm or loss of confidential information from individual users and companies. BYOD program
especially, which supports a variety of mobile operating systems (OSs), there will be higher chance to be
effected by malware and spyware activities. According to an article “A Survey of Mobile Malware in the Wild”
published by Internal Journal of Computer Aided Engineering and Technology, there were six predictions for
the trends of mobile malware in 2012 including the following:
a. Mobile Pickpocketing: This type of malware activity will lure users into applications that will charge
money through text messaging and calling of premium services. One of the first to surface in June 2011
was called GGTracker and the most recent attack was called RuFraud.
b. Botnets: A botnet is a program used to send spam emails or participate in DDoS attacks. Although mobile
botnets have not been fully deployed, it is expected to grow and develop very fast in the near future.
c. Vulnerable Smart Devices: Nearly every Android smartphone has some kind of security pitfalls in it.
Complex systems have security bugs found in both Android and iOS, which can be easily taken advantages
of by malware activities.
d. Automated Repackaging: Hackers are not only taking money out of developers’ pockets but also
consumers when repackaged applications are loaded with malware.
e. Malvertising: Malvertising is an activity, which creates a genuine looking advertisement that link to
fraudulent sites. Malvertising can lead to malware downloaded to a device without user awareness.

4. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 4
f. Browser attacks: Malware activities using browsers are increasing rapidly.
Additionally, BYOD is also a target of hacking activities. By exploiting a system’s or network’s weaknesses,
hackers can gain access to confidential data to disclose, steal, or damage the information in the mobile
infrastructure.
2. Encryption and Information Protection:
When confidential data is authorized to be accessed and downloaded to personal devices, the data will contain a
risk of not being encrypted properly and vulnerable to malware or hacking activities.
3. Data Loss:
Implementing a BYOD program can increase the risk of mobile devices stolen or lost. Since the program allows
employees to bring their own devices to work, without specific polices, corporate data can be disclosed easily.
Furthermore, personal devices are not likely to have appropriate backup programs which help restore data after
data loss due to significant damages to the devices.
4. Mobile Device Access Control:
Personal devices are not required to have complex password configured, thus they are more vulnerable to
external attacks and may lead to exposure of confidential information to hackers.
5. Jail Breaking (iOS) or Rooting (Android):
Many mobile users choose to modify the original operating system to expand the capabilities of iOS and
Android devices for their personal use. Such modifications can make their devices more vulnerable to external
attacks and may expose confidential information stored on these devices to hackers.
6. Management Risks:
A focus on applications rather than on corporate strategy may limit a complete corporate view of the
deployment, maintenance, and security of a mobile platform. A BYOD program may also prevent a centralized
approach to the management of applications and devices due to different operating systems and different
modifications from the users. It also leads to difficult scalability due to lack of a unified mobile strategy and
little to no mobile governance for a BYOD program.
Internal Solutions – BYOD Program
Although there are many risks involved with a BYOD program, the fact that Fairfield Trust Company is searching
for ways to save costs, retain key personnel and provide comprehensive customer service leads to our
recommendation of a BYOD program with a combination of a mobility platform, an Enterprise Mobility
Management (EMM) system, and new Bring-Your-Own-Device (BYOD) policies as a solution for Fairfield’s
Mobile Strategy.
Comparison of a BYOD and Blackberry Program
Our recommendation for replacing the Blackberry Program with a BYOD program to Fairfield is based on the
following comparisons:
1. Cost Savings:
With the BlackBerry program ending in three months, the infrastructure is due to be replaced with one that will
hold significant cost increase by approximately ten percent. Also, Blackberry will no longer offer unlimited data
plans. Therefore, renewing a BlackBerry program is not a cost saving strategy for Fairfield. On the other hand,
a BYOD program is cost efficient to the company because telecommunication service plans are now the
responsibility of the employees. Also, Fairfield can save additional money when it does not have to purchase
new devices and pay maintenance fees for the employees. A BYOD program can help Fairfield save costs in
conjunction with implementing a mobility platform, and an Enterprise Mobile Management (EMM) system. To
solve the problem of data plan, it is recommend Fairfield include a requirement to register for unlimited data
plan in order to participate in a BYOD program. Implementing this requirement will save cost on identifying
which data downloaded from the devices are for business use to reimburse.

5. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 5
2. Key Personnel Retention:
Based on the case study, employees in Fairfield are becoming more familiar with new technologies and would
like to use them at work. Furthermore, changes in technology and personal mobile use have made some
employees to request for bringing other devices that are not currently supported by the BlackBerry program.
Especially investment advisors and management who have to travel most of the time and meet clients, variety of
mobile devices needs are higher for them. BlackBerry Program has limited capability to support a variety of
devices and with BlackBerry devices; employees can only check their business emails. With a very competitive
business environment, turn-over rates may increase if the company does not adapt quickly with new technology
in the work place. A BYOD program not only gives the employees the freedom to use any devices available out
of the market, but it also allows them to advance the devices based on their needs.
3. Comprehensive Customer Service:
Personal customer service is a competitive advantage of the company’s culture, which differentiates them from
other larger competitors. However, the company is dealing with higher customer services demands since the
company is serving more than 2,500 clients across the country but it only employed 210 people. Furthermore,
the management team and investment advisors travel frequently to meet clients. They need access to market
information from the exchanges around the world in order to provide advisory services to the clients. Current
BlackBerry program limits the personnel from providing services to the clients anywhere at any time due to the
fact that the program only offers the ability to check corporate emails and will not offer unlimited data plan in
the future. With BYOD, management and investment advisors will be able to access to market information from
all exchanges around the world in order to offer 24/7 advisory services for the clients. Furthermore,
communication with current clients and presentations to potential clients will be advanced by a variety of
devices brought by the personnel. It is also recommend that Fairfield offer the management and investment
advisors incentives to bring new technology to business because it will help strengthen personal customer
services strategy.

6. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 6
To-Be Diagram Introduction
To-Be diagram is a visualized tool for us to introduce to you our solution implementing a BYOD, Mobile Device
Platform, and Enterprise Mobility Management System. The diagram contains four main components: Database,
Mobile Device Platform, Enterprise Mobility Management (EMM) System, and Mobile Devices. The first
component is the database, which includes an ERP database, any legacy databases, third party databases, and the
Internet. The second component is the Mobile Device Platform, which is used as the base for connectivity, certified
mobile applications (both in-house and third party applications), and Operation System adapters. The mobile
applications can be developed for both internal and external parties. The third component is EMM system used to
monitor the platform, and the last component is mobile devices owned by employees.
Data Access and Protection Control for BYOD Program
Knowing that data is one of an organization’s most important intangible assets and implementing a BYOD program
can raise potential risks of data loss or exposure, it is important to take mobile security into considerations at
different level.
1. At The Source:
“Source” indicates any components within the company’s firewall, especially confidential data residing in the
databases. The “source” data must be protected by implementing user policies and strategies to grant, limit, or
prohibit access to the corporate network. To address this, it is recommended that Fairfield implements specific

7. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 7
mobile virtual private network (VPN) tunnels or a secure mobile network operation center (NOC) so that every
time the employees need to get access into the source, they need to get authorization from the company network
center. Anytime data is pulled from the databases, a control will be in place to require personnel’s identification
and passwords. Please refer to indicator 1 in the diagram. Furthermore, the authentication should be given to
the employees based on their job titles and company ranking. Management and investment advisors should have
the authorization to get access to view and edit clients’ confidential information, while administrative support
employees should have limited access to this type of information.
2. During Transmission:
The transmission of information over a wireless network should also be secured. Securing transmission includes
verification and authentication of the sender as well as the use of additional processes such as data encryption.
Within the BYOD diagram, security is not only in place between the databases and connectivity, but it is also in
place between the connectivity and mobile applications, and between applications sitting in different adapters
and the devices. Please refer to indicator 2a, 3 in the diagram. To secure the information transmission from
the connectivity to the application, EMM System will only allow corporate data to go through applications that
are certified by the corporation’s IT department to ascertain that the applications do not include virus, malware,
and they are used for business purposes. All of these applications can be downloaded through an online store
(2b) residing within the EMM system and the employees are required to use only the applications available here
for business. To manage security of information transmission between the application and the mobile devices
using different adapters, it is recommended that the company should have a policy to require employees have
their devices configured with complex passwords in the Operating System Interface, which may include 8
characters, contain characters and number and special sign, as well as requiring the employees to change their
passwords every 90 days. Furthermore, three important elements at this stage should be taken into
considerations: sending, reception, and transit. The activities falling within these three elements should be
monitored properly by the IT department in order to recognize and resolve any potential data loss or stolen.
3. At Target (Internal Devices):
Due to variety of devices employees may bring to work under a BYOD program, Fairfield will anticipate more
risks of exposure of confidential data through theft, loss, or malware and spyware activities. Therefore, EMM
system is designed with Lock & Wipe function (4) in order to automatically lock the devices and erase all
confidential information through wireless signal or first connection to Fairfield’s network once they are reported
lost or stolen. Besides requiring employees to configure complex passwords in the devices, new policies also
require employees report loss, stolen, or any malware activities occur to the mobile devices immediately to IT
department in order to activate the Lock & Wipe process on time. Monitoring function (5) in EMM system also
plays a role in tracking the location, reporting the activities, and terminating any illegal transactions on the lost
or stolen devices. The information obtained from this function can be used to help find the devices and prevent
any exposure of confidential information.
4. Authentication, Firewalls, and Jail Breaking or Rooting Policies:
In order to qualify for a BYOD program, all personnel must be approved for authentication and permissions by
the managers based on their job titles. A report will be operated automatically every month by a function named
Profile & Roles (6) in the EMM system. The report then will be sent out through emails to appropriate
managers or HR Department and requires them to ascertain that all job titles of personnel using a BYOD
matched with the authentication and authority they possess. Key managers and HR Department have to notify
any terminated employees, transferred employees, or new hires to IT department within three business day in
order to remove, update, and add new access respectively. Firewalls are required to be constructed within each
database and in Fairfield networks, under management of the IT Department, to prevent any spyware or virus
attacks. Furthermore, standard anti-malware software is required to install and update to the latest version in the
mobile device under a BYOD. The software must be from a trusted corporation that Fairfield feels confident
about their services. New policies must require employees not intentionally jail break or root their devices once
registered under the a BYOD program. If they do so, Monitoring function within the EMM system will notify
IT department, then IT will lock the devices right away and send a warning message to the personnel.
5. Data at Rest Protection:
Data residing within databases must get backup using tapes every month and using software every week. Tape
backups then must be sent out to Fairfield’s safe for protection. The tapes are renewable every year in order to

8. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 8
be reused. Backup software must be from a trusted corporation that Fairfield is confident about their services.
Backup using software must be performed within Fairfield’s databases, as well as within each mobile device.
Personnel are required to start backup in their devices every day at a specific time, and they have the option to
whether backup their personal data or not. If they choose to back up their personal data, Fairfield must have a
commitment not to utilize this data for any purposes. Backup process will be run and monitored automatically
by Backup & Restore function (7) within EMM system. The backup software will be automatically installed
and configured in mobile devices when they are registered for the BYOD program.
6. Training and Risk Awareness Promotion:
Fairfield is recommended to require its employees to attend mandatory training sessions about Mobile Devices
Usage on a yearly basis in order to help employees understand their rights and responsibility using their devices
under a BYOD program. Furthermore, it is recommended that the company should have an awareness
promotion campaign to encourage employees to protect the corporate’s confidential information and report any
suspicious activities related to malware, spyware activities, and exposure of confidential data.
Payment and Administration of Employee Expenses Related to Mobile Devices
One way many companies manage the telecommunication expenses for multiple devices is to implement a
Telecommunication Expense Management (TEM) system. Please refer to indicator 8 in the diagram. To have an
effective TEM system, Fairfield must identify proper management functions and to analyze the cost and benefit of
TEM. Visibility of mobile device usage is the first step in effective EMM system. A company can and should be
tracking the various device uses that drive up expenses. Beyond basic voice, data, and text services, an expanded
lifecycle management platform can point to the source of charges for other activities that rapidly multiply expenses.
A full-featured platform should also let IT set limits for usage and tailor the limits to job function or the user's
position in the organization. Thresholds and alerts can enforce company usage policies, and reports can help
departments budget more accurately.
Advanced management functions
• The goal is to help the business monitor and optimize expenses and policies over the entire lifespan of each
device.
• Starting with purchases, a device lifecycle management platform can introduce and automate a hierarchical
approval process for devices and service plans. Employees' options and reimbursement policies can be tailored
to departments and user profiles, and devices and plans can be bundled and offered to lower spending.
• Businesses also need the ability to track and correlate employee, device and service plan status. The
introduction of a full-featured device management solution inevitably uncovers service plan payments being
made for devices no longer in use, or reimbursements coming out of a department's budget for employees who
have left the company or changed jobs.
• Real-time visibility makes it possible to identify and flag devices that do not meet the company's requirements
in terms of minimum hardware and software levels, or those devices that are eligible for upgrades or plan
adjustments. Automated functions can also include history logs for users and groups, giving IT and finance
teams valuable information for trend analysis and accurate expense forecasting.
• These types of capabilities are key differentiators for the platforms offered on the market today. And the levels
of automation also vary from vendor to vendor. While a small business might be able to regularly review
reports, a large enterprise should carefully consider the time required to manually review summaries of device
status and use, and look for a solution that automatically generates change orders to service providers in the
event of any detected changes in device or employee status.
Investment Valuation
While it is true that some of the EMM and TEM solutions require substantial getting-started investments, both for
the software and for the required server platforms, there are cost-effective software-as-a-service (SaaS) offerings
available at price points that offer very attractive ROI to businesses of all sizes. Businesses should also look for a
solution with lightweight agents for the devices being managed. This is essential for extending the life of the MDM
solution, in terms of its scalability as the company grows. Users are also much more likely to accept a solution that
has a small device footprint, especially in the case of a BYOD.

9. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 9
Return On Investments
For example, the insights that can be gained about device use behaviors can enhance budgeting, and also enable
more accurate forecasts for infrastructure capacity planning. And businesses can identify opportunities for cost
reductions, and lower telecom expenses by as much as 40% by choosing carriers and plans that ideally suit the
company budgets. Tracking real-time patterns ultimately shifts device management from a reactive to a proactive
activity, and enables immediate changes that can avoid over-spending in a fast-growing expense category. With the
automatic alerts and advanced features such as automatic change-order generation, the advanced lifecycle
management platforms further drive down total cost of ownership for the solution and maximize the effective
savings relating to the managed devices.
External Strategy – Executing Trades by Electronic Devices
Customer Service Background
Since its inception in 1994, online trading has boomed with almost every investment firm having an online trading
platform. With the boom of computer technology and the mobile takeover, online trading has become more
important than ever for traders. According to Forrester Research’s 2011 study, 11% of US online adults with
investment accounts say that they are mobile investors. 27% of those mobile investors are also mobile traders who
bought or sold stocks, bonds, mutual funds, or ETFs (Akamai Industry Factsheet, 2012). Online trading has given
anyone who has a computer, enough money to open an account and a reasonably good financial history the ability to
invest in the market. You do not have to have a personal broker or a disposable fortune to trade online. The
difference between an online stock brokerage firm and a full-service stock brokerage firm is the entirety of the
service. Full-service brokerage firms provide the aid of a highly skilled stockbroker or investment planner to
management your investments. Online stock brokerage firms, or discount stock brokerage firms, do not provide any
broker’s or investment planner’s help. Depending on the expertise and knowledge of a customer, online stock
brokerage firms can be risky for newer users. However, over the years, online stock brokerage firms have become
more competitive by offering many free analytical tools and services as traditional full-service brokerages provides.
Currently, Fairfield does not allow online trading for their customers either through the Internet or through a mobile
device based app. Customers check their investment portfolio by contacting their investment advisor, but they do
not have immediate access to their information. Fairfield would be classified as a full-service brokerage firm with
no online integration. Almost all of Fairfield’s competitors in the market have adapted online trading. Most stock
brokerage firms have implemented the availability of online trading. Amongst the firms with online trading, another
differentiating factor is whether they are a discount stock brokerage firm or not. Discount brokerage offers a
discount fee for making a stock transaction, and financial advising services come with the order as an additional fees
ranging from $32 to $45-which portrays market prices.
Issue
With Fairfield’s interest in demonstrate their “leading edge” as a large investment firm, Fairfield must be
competitive with the market by allowing its firm to execute trades by electronic devices. However, due to their
limitations by their use of technology and by their current business practice, they are at risk by fully implementing
all trades by electronic devices. They are limited by their use of phones only for order transactions by the customers
and by public online research for market information from various exchanges around the world. With the
integration electronic devices to execute trades, an online trade system must be developed like the one for E*Trade
or Scottrade first before implementing an electronic device system.
Four risks of implementing trades by electronic devices
Fairfield should worry about four risks involved in implementing trades by electronic device –of which includes
mobile, tablet, and computer devices. These four risks, which effect both Fairfield and its customers, are heavy
reliance on technology, vulnerability of the customers’ personal devices, fraud, and financial.
Risk of heavily relying on technology
The Internet will be heavily relied upon to conduct much of the trading activities. This can be subjected to

10. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 10
interruptions and network instability. The technologies operations can be vulnerable to disruptions from human
error, natural disasters, power loss, computer viruses, spam attacks, unauthorized access and other similar events.
Disruptions to or instability of the technology or external technology that allows the customers to use the products
and services could harm the firm’s business and its reputation. In addition, the technology systems, whether they be
its own proprietary systems or the systems of third parties on whom Fairfield rely to conduct portions of the
operations, are potentially vulnerable to security breaches and unauthorized usage. An actual or perceived breach of
the security of the technology could harm the firm’s business and its reputation.
Financial Risk
Choosing to be an online trading firm or being a traditional full-service trading firm can have a major impact on the
revenue. An online platform will demand Fairfield to become a discount brokerage firm, as the market is very
competitive. Online firms like E*Trade and Scottrade can offer customers fees ranging from $7 to $9.99 per stock
order. However, traders are independent from brokers’ help. Full-service firms like UBS have very high
commission fees and investment requirement for their customers. A typical full-service firm like UBS can cost a
person with at least $25,000 investments of fees ranging from $110.87 to $1,250.00. Fairfield must decide what
platform to go with. Choosing to change from a full-service brokerage firm to an online discount firm could lower
their current revenue due to the steep price change.
Risk of vulnerability of our customers’ personal devices
Vulnerability of the customers’ mobile, tablet and computer devices could lead to significant losses related to
identity theft or other fraud and it could harm the firm’s reputation and financial performance. Because this business
model will relies heavily on its customers’ use of their own personal computers, mobile devices and the Internet, the
firm’s business and reputation could be harmed by security breaches of the customers and third parties. Computer
viruses and other attacks on the customers’ personal computer systems and mobile devices could create losses for
the customers even without any breach in the security of our systems, and could thereby harm the firm’s business
and its reputation.
Risk of fraud to the customers
Investors who engage with online trading- even though research and stock analyses are readily available via the
web- will be at risk of fraud without the help of a broker or investment planner. The chances are much higher for
fraud if the investor conducts independent online trades with a lack of knowledge and experience in finance needed
to be aware of fraud. Fraudsters have taken advantage of this, leading to several notable methods of defrauding
investors. These include:
• Pump-and-dump schemes - People spread the word about a supposedly good stock via online message boards,
online stock newsletters, email and other methods. The resulting interest in the stock drives up the price. The
organizers of the scheme sell their stocks for a huge profit, and then stop promoting it. The price plummets, and
investors lose money.
• Fraudulent IPOs - Some investors like IPOs because they provide a chance for an early-mover’s advantage
and to make a substantial profit. Some scammers, though, spread the word about an upcoming IPO for
companies that never intend to go public or that don't exist. Then, they abscond with the investor's money.
• Fraudulent Over-The-Counter (OTC) stocks – Con artists promote stock in companies that do not exist or
start a pump-and-dump scheme for an OTC stock. After investors buy stock in non-existent companies,
scammers simply take the money and run.
• Fraudulent company information - Publicly traded companies have to release information about financial
performance. Overstating or misrepresenting a company's goals and achievements can drive up the stock price.

11. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 11
Considerations and Recommendation
Trade By Electronics Considerations
Commissions and Fees
The online trade industry is very competitive. Companies like E*Trade or Scottrade spell out their commission and
various fees on their website. This industry-wide practice makes online trading very competitive. Fairfield will
have to disclose its commission and fees in order to compete with the top online trading firms.
Customer Service
Customers may request the help of an expert once in awhile, whether it’s asking a question about ADR fees, how to
place a specific type of trade, or figuring out an icon function within a toolbar. Many brokerage firms typically offer
a variety of support channels including phone, email, online knowledge bases, FAQ’s, customer forums, and online
chat. Customer support representatives must keep in mind that unhappy customers are more likely to complain than
happy customers who give praises, therefore representatives must ensure proper wait time, attitude, and
effectiveness of the responses within the support channels.
Platform Tools
Every online trading platform offers its own unique set of functionality. Whether it is a new trader or a long-time
veteran, make sure that the trading platform streamlines the tasks that the trader performs most often. If a customer
trades a lot of option spreads, it’s much easier for the customer to right-click a specific contract and select “Sell Iron
Condor” than it is to buy and sell the four legs individually. Release notes can be especially helpful in pointing new
functionalities, but are also a good gauge of how much effort the development team is putting into adding new
features versus fixing bugs from previous releases.
News & Research Data
Even if a customer’s approach to trading is primarily technical in nature, it can be helpful to have easy access to
current news articles, company fundamentals, and other data beyond price and volume.
Integration with Tax Software
One of the most burdensome aspects of trading frequently is dealing with the tax consequences. For a customer who
prepares his or her own taxes using a package such as TurboTax, he or she can save an enormous amount of time if
the platform is able to export all of his or her trading activities as a CSV or TXF file that can be imported into the
tax package.
Recommendations For Executing Trades By Electronic Devices
Real Time Advisory suggests to Fairfield that it is allowable to execute trades using electronic devices. Fairfield
must keep in mind that trading using electronic devices, which requires the use of an online platform, is riskier in its
pure form than its current traditional trading system. By implementing risk reducing and risk eliminating controls in
place, Fairfield can mitigate its risk appetite. Also, proper management of these external controls is needed as well
to ensure secure operation.
Risk of heavily relying on technology
Leading institutions recognize that an appropriate defense requires a coordinated effort among corporate groups,
with a focus on security, privacy, fraud prevention, and records management (PwC Mobile Banking App Security,
2012). Integrating security in the application development process will significantly reduce the overall likelihood of
identify thefts and data breaches. During the application development process, developers must ensure secure
coding practices are in place. As well periodical testing should be performed on the technology to identify
vulnerability in the system.
Financial Risk
Allowing customer accounts and assistance flexibility is the first step in minimizing financial risk. Fairfield is at
high risk by switching to a complete online trading system. Revenue from fees and commission earned on trade

12. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 12
purchases with the current traditional system will significantly decrease by implementing the market-influenced
price of online trade firms. Fairfield can mitigate this financial risk by allowing certain account types to be online
based and other accounts to stay traditional serviced. A prime example of this business model is Charles Schwab,
which is a hybrid online trade firm. They implemented stock trades with an online platform, but certain investment
accounts they kept as advisor assisted such as foreign exchange accounts.
Risk of vulnerability of our customers’ personal devices
There are three technical safe guards –should support all major platforms for mobile devices- that will help to
eliminate or reduce vulnerability of the customers’ mobile devices. Customers should be aware of cell service and
secure network connectivity such as WiFi. Safeguard one is encryption, which requires creating a third party email
only encryption solutions to support devices that cannot enable full device encryption. Safeguard two is a reset
function for phones and tablets when a foreign response occurs on the device such as fail login attempts and remote
commands. Safeguard three is that Fairfield’s EMM systems should facilitate a central control of device security
policy such as password and device encryption. Fairfield must look into having a loss reimbursement guarantee,
which reimburses the customers for losses caused by a breach of security of the customers’ own personal systems.
Such reimbursements could have a material impact on our financial performance.
Risk of fraud to the customers
There are many ways that a fraudster can be dangerous. Fraud can occur on any platform which aggregate news.
Popular online tools such as spam emails, social media, and uncertified and replicated websites are ways that fraud
can happen. Fairfield can prevent the four types of online trading fraud listed in the risk section of this report by
providing a secure means of news within their mobile device functionality or provide the customer with a resource
list to trusted news streams. A separate resource list can be in the form of listed items on a webpage of Fairfield’s
site or Fairfield can establish an independent forum where customers can share opinions and resources with constant
monitoring for fraud advices or unsecure links to other sites.
Ethics & Compliance
Ethical considerations
There are several ethical considerations that Fairfield needs to pay attention when dealing with mobile devices
including company to employee perspectives and company to client perspectives. At Fairfield, employee privacy
sometimes can become an ethical dilemma, especially under a BYOD strategy. Due to the nature of the financial
industry, financial firms, especially Fairfield handle numerous confidential information about the customer.
Therefore, companies need to implement a way to make sure that the client information is still confidential.
However, sometimes if the client data protection program goes overboard, the company can uncontrollably intercept
into employees’ personal information. It can intrude employees’ privacy unintentionally. Also, when the company
changes its direction completely from Blackberry program to 100 percent BYOD, it will cause a problem to some
employees, who do not want to follow a BYOD policy or cannot afford a mobile device that the company
management system can support. Therefore, even though the company probably can save the cost with the new
strategy, keeping employees’ retention is also another key point to consider when implementing the new strategy.
Since employees use mobile devices for both business and personal purposes, it is essential for the company to be
aware of the mobile device abuse of usage. Because the devices are personal, it can be overuse for personal
purposes. When the strategy is proposed to make work easier for employees and increase productivity, the strategy
can potentially raise an ethical consideration about employees’ usage for personal purposes. It will be a dilemma to
ask the question how much it is considered appropriate for personal use. It really depends on the employees’ work
ethics when it comes to how much time they should be used for personal issues using their own mobile devices.
When confidential information is extremely important for a heavily regulated industry Fairfield is in, sometimes
employees may accidentally perform malware activities that can leak, even destroy the company’s confidential
information. Also, with unclear structures, when employees unintentionally download some malware applications,
they may fail to report the incident, which can create any anticipated threats or hazards to the security or integrity of

13. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 13
customer records and information. With all of that, it can eventually negatively affect the company’s reputation.
Moreover, the jail breaking devices sometimes can be more vulnerable to hackers and viruses.
Compliance Issues
We recognize two types of compliance that Fairfield should address when implementing the new BYOD strategy:
organizational and financial compliance.
Organizational Compliance
For the organizational compliance, we consider these specific ones: governance, network security, personal privacy,
logical access and device security. When talking about governance, it is important to keep in mind about how
adequate the policies are within the company to define acceptable usage. It is the employee compliance to make sure
that there are controls in place internally to prevent the misuse or loss of corporate information and there are internal
groups that monitor and oversee enforcement of corporate controls. Network security and personal privacy are more
on the information system side. They are concerned on how the information system as well as confidential
information is protected. It is the issue about how the IT strategy and security policies are designed and implemented
in order to align all user needs and business requirements. Even though client data is important, the company also
needs to consider their own employees’ privacy. It is important to have compliance in term of how to be able to
identify business and personal data. Responsible personnel need to perform due diligence to make sure that the
employees’ privacy is respected. When the company requires the control over employees’ activities, there should be
a fine line between controlling and intrusion. For logical access and device security, it all comes down to the
physical devices that employees bring to work. It is a concern about the devices not in compliance with the access to
the network, internal application or database. It is also a question about what need to be done when the physical
devices get stolen or lost. These organizational compliance efforts should focus on data encryption, user
authentication and user-rights validation.
Financial Compliance
For Fairfield, in the financial industry, there are several critical regulations that they need to pay attention to when
applying the BYOD strategy. They need to look into privacy, compliance program, supervision, record keeping, and
advertising regulations.
Firstly, it is required under Rule 206(4)-7 and Rule 38a-1 of the Investment Company Act of 1940, investment
advisors and companies respectively are required to adopt and implement written policies and procedures reasonably
for safeguarding and keeping private client records and information. For supervision, NASD Rule 3010 requires
firms to establish and maintain a system to supervise the activities of each associated person that is reasonably
designed to achieve compliance with applicable federal securities laws and FINRA rules. These rules also go hand
in hand with the Gramm-Leach-Bliley Act and Rule 30 of Regulation S-P that apply to any company or organization
that collects consumer financial data and require that the data must be protected via effective internal controls. All
the regulations make sure there is a control or set of structured policies established to protect the clients. With an
investment management company like Fairfield, the BYOD strategy will give the employees more freedom to
access confidential client information. If the controls are not strong enough, the company will face a really high fine,
which sometimes can cause the bankruptcy. It is the case of Lincoln Financial Securities, Inc. and Lincoln Financial
Advisors Corporation when they had to pay $600,000 for just a lack of simple control (“Compliance Solutions for
Mobile Device Computing: A Practical Guide for Compliance Officers”, 2012). They failed to implement a
password management and anti-virus protection program. One important regulation is Sarbanes-Oxley Act, which
requires chief executives of publicly traded companies to validate the accuracy and reliability of financial statements
and other information. With the mobile devices, employees can manipulate the data, which can later affect the
company’s public trust. When considering Sarbanes-Oxley Act, Fairfield will need to have internal controls govern
the creation and documentation of information in financial statements.
According to Advisers Act, Rule 204-2(a)-7, investment advisors need to maintain certain written communications
including originals of all communications received and copies of all communications sent relating to its business.
NASD Rule 3010(d)(3) requires retention of the business-related correspondence of registered representatives.
According to the SEC, it is the content of an electronic communication that determines whether it must be
preserved. These rules have been stated even before the technology has changed the way companies do their
business and communicate with clients. Mobile devices, especially smartphones, are being used to retrieve and send

14. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 14
emails and text to clients. Therefore, even when technology involves in every aspect of the business, these rules are
still there and businesses needs to have a careful look at how implementation of the new mobile device strategy can
affect their compliance position with these record-keeping rules. Regarding the fact that employees, especially
advisors would want to bring their own tablets for presentations to clients, the companies need to pay attention to
relevant advertising regulations, NASD Rule 2210(b)(2), NASD Rule 2211(b)(2), and Advisers Act Rule 204-
2(a)(11). These rules generally require firms to maintain records of institutional sales material for a period of time.
Fairfield needs to ensure that advisors use these presentations based on correct information to prevent the false
impression that can affect clients’ decision.
Furthermore, Fairfield’s compliance officers should be mindful that states might have adopted other applicable laws
as well. For Fairfield office in California, it should consider the California SB 1386, which requires entities or
individuals doing business in California to notify state residents when unencrypted personal information is
reasonably believed to have been compromised. With this specific requirement, Fairfield needs to focus on the
policies to protect the data and control how the data is used on personal devices. With the company like Fairfield,
which is growing and opening so many offices nationally, it will be beneficial for them to keep in mind all the state
regulations that may affect the business tremendously.
Appendix
Sample Policies
The use of a Mobile Devices for Fairfield business is a privilege granted to employees through approval of their
management. Fairfield reserves the right to revoke these privileges in the event that users do not abide by the
policies and procedures set forth below.
To qualify for BYOD program, the employee must register for a verified phone service which offers unlimited data
plan, and the devices must pass the background check performed by Fairfield’s IT department.
Once the device is registered for Fairfield BYOD program, the owner of the device must comply with the following
rules:
1. Complex passwords must be configured in the device’s interface. The password must be a minimum of six
characters, which contain at least one letter or number.
2. Passwords are required to change every 90 days. The new password must not be the same as the previous
four passwords.
3. All jail breaking, rooting, or malware activities towards the device registered under BYOD program are
strictly prohibited. Failing to do so may result in immediate termination.
4. The owners of devices under BYOD program have the responsibility to report immediately when the
devices are lost, stolen, or under malware and spyware attacks.
5. The owners of devices under BYOD program must allow backup program to process in their devices every
day, and report any error occurring during the process in a timely manner.
6. The owners of devices under BYOD program are not allowed to sell their devices without permissions of
the management. Under any decision to sell BYOD devices, the owners must notify IT department and get
approval from their managers. The devices must go through total restoration and get certified by IT
department that no other business related data is maintained.
Online Trading Policy:
1. During any kind of online transactions made by Fairfield’s clients, they must e-sign to agree that actions
performed by them will be under their responsibility and therefore, Fairfield is not responsible for any
results caused by the clients’ trading actions.
2. Clients are responsible for reporting any malware, spyware, or fraudulent activities to Fairfield’s IT
Department immediately.
3. Any fraudulent activities are strictly prohibited. Being committed to fraudulent activities will be filed under
related Civil and Criminal regulations, and will not be tolerated.

15. REAL TIME ADVISORY FAIRFIELD TRUST COMPANY
REAL TIME ADVISORY 4/5/2013 Page 15
Work Cited
"2012 Investment Company Fact Book." 2012 Investment Company Fact Book. N.p., n.d. Web. 05 Apr. 2013.
<http://www.icifactbook.org/fb_ch6.html>.
"A Survey of Mobile Malware in the Wild." International Journal of Computer Aided Engineering and
Technology (n.d.): n. pag. Web.
Chu, Kenny. "Consumer Mobile Device Security Management October 2011." AAMC Group. N.p., Oct. 2011. Web.
4 May 2013. <https://www.aamc.org/download/262240/data/>.
Ernst & Young, LLP. Bring Your Own Device: Trends and Audit Considerations. Publication. Sifma.org, 4 Oct.
2012. Web. 15 Mar. 2013.
<http://www.sifma.org/uploadedfiles/societies/sifma_internal_auditors_society/bring%20your%20own%20devi
ce%20trends%20and%20audit%20considerations.pdf>.
Garcia, Jorge. "Mobility, Security Concerns, and Avoidance."Www.technologyevaluation.com. Technology
Evaluation Centers, n.d. Web. 05 Apr. 2013.
IT Policy Compliance Group. Managing the Benefits and Risks of Mobile Computing. Rep. ISACA.org, Dec. 2011.
Web. 20 Mar. 2013. <http://www.isaca.org/Knowledge-Center/Documents/Managing-the-Benefits-and-Risks-
of-Mobile-Computing-ITPCG-Dec2011.pdf>.
"Online Stock Trading Review." 2013. N.p., 2013. Web. 05 Apr. 2013. <http://online-stock-trading-
review.toptenreviews.com/>.
PwC. "PwC Mobile Banking App Security." PwC. N.p., Apr. 2012. Web. 3 May 2013.
<http://www.pwc.com/us/en/financial-services/publications/viewpoints/assets/pwc-mobile-banking-app-
security.pdf>.
UBS Financial Services. "Equity Commission Amounts." UBS. N.p., n.d. Web. 3 May 2013.
<http://www.ubs.com/content/dam/static/wmamericas/commission_schedules.pdf>.
Wilson, Tracy V. "How Online Trading Works." HowStuffWorks. N.p., 2013. Web. 05 Apr. 2013.
<http://money.howstuffworks.com/personal-finance/online-banking/online-trading1.htm>.
Zipfel, Krista S. Compliance Solutions for Mobile Device Computing: A Practical Guide for Compliance Officers.
Rep. Advisorsolutionsgroup.com, Jan.-Feb. 2012. Web. 18 Mar. 2013.
<http://www.advisorsolutionsgroup.com%2FDocuments%2FCompliance_Solutions_Mobile_Devices.pdf&ei=0
ZFfUdXnNunA0gGmtYGwCw&usg=AFQjCNGOtrwBXSXVFC8T78THWEvMAiqgVw&sig2=qs0YXdyJv_
2_wsedUfoznQ>.