Priivacy for Financial Services
The data inside your firm is more regulated than the products you sell.
Client KYC packs. Beneficial ownership records. Account statements. Tax file numbers and Social Security numbers. Investment instructions. Loan files. Insurance applications. They sit in mailboxes, SharePoint sites, file shares, and adviser laptops — and every one of them is a regulator exposure waiting for an audit, a DSAR, or a breach.
Priivacy finds the sensitive data hiding across your firm, maps who can access it, and gives you the controls to clean it up. $12,000 for a 60-day license. Full platform. Done on your infrastructure.
Built by the Umlaut Solutions team — ten years of data governance and compliance work across Australian banks and AFSL licensees, including major engagements during Australia's Hayne Royal Commission (the Australian equivalent of a full Senate inquiry into US financial services). APRA, APP, GLBA, GDPR, FCA, DORA, NYDFS — the controls work wherever you operate. ISO 27001 certified.
Umlaut Solutions, the parent group behind USC Data, has been doing data governance and compliance work since 2016. The core team has worked together longer than that.
Major engagements with Australian banks and AFSL-licensed wealth firms during the 2017–2019 Hayne Royal Commission. For US readers: think of it as a full Senate inquiry into the entire financial services industry, with every advisor required to retrospectively prove best-interest duty across ten years of advice. We did the work that proved what defensible data governance actually looks like under that level of regulator scrutiny.
Cross-jurisdictional delivery from day one. ISO 27001 certified data governance and privacy program.
Built for firms that hold sensitive client data — and have to defend it.
Most of our financial-services customers are wealth, advisory, and dealer groups — the firms where data is the entire product and the regulator never sleeps. But Priivacy applies just as cleanly across banking, brokerage, lending, and insurance — same data sprawl, different regulators.
Wealth management firms
Multi-family offices, RIAs, AFSL-licensed advisers, financial planners.
Brokerage and dealer groups
Broker-dealers, securities firms, insurance brokers.
Boutique asset managers
Fund managers, super funds, investment companies.
Banks and credit unions
Community and regional banks, building societies, credit unions.
Lending and insurance
Small lenders, mortgage brokers, finance companies, insurance carriers and brokers.
Financial advisory practices
Accountants offering SMSF, financial planning, tax advice.
Whether you're a 12-person AFSL practice, a 200-person multi-state RIA, a community bank with 30 branches, or a mortgage broker holding ten years of client KYC packs, the data sprawl problem is the same shape. What changes is which regulators are watching and how big the audit window is.
One platform. Every framework your team reports against.
Priivacy maps findings directly to the frameworks your compliance team has to defend. Pre-built compliance reports for each, jurisdiction-aware DSAR workflows, evidence-grade audit logs.
United States
- GLBA Safeguards Rule
- NYDFS 23 NYCRR 500
- SEC Reg S-P
- FINRA recordkeeping (Rule 4511 / 17a-4)
- CCPA / CPRA + state privacy laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA)
- SOX 404 / ITGC for public companies
- State insurance privacy (NAIC Model Law)
Australia
- APRA CPS 234 (information security)
- APRA CPS 230 (operational risk)
- Australian Privacy Principles (APP)
- Privacy Act 1988 (including Notifiable Data Breaches)
- AUSTRAC AML/CTF reporting
- AFSL record-keeping obligations
- Consumer Data Right (CDR / Open Banking)
- SOCI Act for critical infrastructure entities
United Kingdom & EU
- UK GDPR + Data Protection Act 2018
- FCA SYSC 9 (record-keeping)
- DORA (Digital Operational Resilience Act)
- GDPR Article 9 (special categories)
- MiFID II record-keeping
- Senior Managers and Certification Regime (SMCR) evidence
Operating cross-border? The DSAR workflow handles jurisdiction-locked responses, so a request from an EU client gets a GDPR-shaped response and an AU client gets an APP-shaped one — same product, same workflow, different legal frame.
You probably have more exposure than you think.
A typical financial-services firm — bank, advisory, broker, lender — has the following lurking in shared file stores, mailboxes, and old SharePoint sites:
KYC bundles
Driver licenses, passports, utility bills, signed forms scanned and saved across advisers and branches, often duplicated.
Beneficial ownership records
Trust deeds, family member identifiers, related-party documents spanning multiple people in a single file.
Tax identifiers
TFNs (AU), SSNs (US), NHS numbers (UK), ITINs, often in the same family-office or cross-border client files.
Investment account numbers
Wrap codes, brokerage references, fund administration IDs in spreadsheets and email signatures.
Loan and mortgage files
Full applications with income, credit, employment, asset data, often in dealer-group dropbox folders for years.
Insurance applications
Medical disclosures, beneficiary details, lifestyle data subject to GDPR Article 9 and equivalent special-category regimes.
Old adviser and banker mailboxes
Terminated employees whose inboxes still hold years of client correspondence with full PII.
AML/KYC retention archives
Five-to-ten-year statutory retention periods mean a single firm may hold KYC for thousands of clients who have long since moved on.
Discovery surfaces every one of these. The remediation tools — redact in place, quarantine, secure delete, access cleanup — let your team fix what matters without a six-month consulting engagement. Priivacy classifies wealth-specific document structures (KYC packs, trust deeds, BDBNs, Statements of Advice, capacity assessments) so findings come with context, not just content.
Differentiator
Wealth-specific detection, built into the platform.
The features below are part of the financial-services configuration deployed for advisory firms, RIAs, and AFSL-licensed practices. Other financial-services configurations (banking, insurance, brokerage) draw on the same engine with sector-specific tuning.
KYC bundle detection
Composite recognition of "complete KYC packs" (driver license + passport + utility bill + signed forms) as a single high-risk finding rather than four separate items.
Beneficial ownership graphs
Linking trust deeds, family member identities, and account holder identities into a unified person/entity view.
Trust and estate documents
Dedicated classifier for wills, powers of attorney, trust deeds, BDBNs, family constitutions, capacity assessments.
Investment account patterns
Wrap codes (Iress, XPLAN, Praemium, Netwealth, Macquarie), brokerage references, custodian account numbers.
AFSL recordkeeping templates
Adviser-specific file structures and Statement of Advice (SOA) templates with embedded client PII.
Cross-border client identifiers
Same client may appear with TFN (AU), SSN (US), and NHS number (UK) across related entity files; the identity resolver links them.
Three pressures converging in 2026.
Supervisory pressure tightened
APRA's CPS 230 (operational risk) takes effect July 2025 and CPS 234 enforcement has tightened materially. ASIC's INFO 256 cyber resilience reporting puts data exposure into the supervisor's quarterly conversation. In the US, the SEC has explicitly identified Reg S-P safeguards as an exam priority and NYDFS has expanded its cyber rule to require more granular incident reporting. Supervisors are asking "where is your sensitive client data?" in the first hour of every examination — not the last.
DSAR and breach-notification load
Notifiable Data Breaches (AU), GDPR (EU/UK), and the wave of US state privacy laws (CCPA/CPRA plus seven more) all create real obligations to know what data you hold about a person — fast. A DSAR with a 30-day clock is impossible to answer if you don't have a data map. Brokers and advisors are seeing DSAR volumes from former clients running 30%+ higher than two years ago.
AI and automation risk
Every advisory firm, bank, and broker is being pitched AI-driven tools — note-takers, summarisers, document generators, Copilot. Every one of them is only as safe as the data it can read. If your AI assistant can see a folder containing thirty client KYC packs or fifty mortgage applications, you've expanded your exposure surface in ways the regulator won't excuse and your cyber insurer may decline to cover.
Same offer. Every financial services segment. No "call us for pricing."
Start
60-day license
Full platform. Unlimited scanning. Every report. Every remediation tool.
Extend
Month-to-month
Keep the platform running while you work through remediation at your own pace.
Upgrade
Annual license upgrade
Roll your $12,000 Discovery into the annual license. Total annual: $30,000 if upgraded within 90 days.
Optional help
Professional services
Sized to the job, not to our quarter. If a half-day session fixes the problem, we charge for half a day.
Pricing applies to firms with up to 1,000 active users. Larger banks, group structures, and multi-entity wealth practices are scoped honestly on the first call.
Want to see what we'd find in your firm?
Forty-five minutes. Bring your compliance lead, your IT director, or both. We'll walk you through Priivacy installed against a sample financial-services environment — wealth, banking, or brokerage configuration depending on your sector — and show you the five reports a real engagement produces.
Email connect@uscdata.com | Call +1 844 988 1444 (US) or +61 1300 80 95 80 (AU)
