Companies keep business records for regulatory and legal reasons, with IT departments and records managers typically holding the keys to the records kingdom, sometimes assisted by outside vendors. In financial services, records are frequently examined for compliance purposes, and comprehensive record keeping is a specialty of its own. In addition, protecting proprietary and business IP is vital, as is safeguarding confidential customer information.
But when employees use their mobile devices for personal and business communications, danger lurks. Text messages are the fast-growing source of business record risk.
Nearly all employees text, and many mix business and personal messages. A business record may be created every time an employee taps out a text, and the records can quickly multiply when the text is answered, shared, forwarded, revised, or deleted.
What happens to all these texts?
It’s hard to say because text message record keeping policies and procedures are in their infancy.
However, companies that don’t incorporate text messages into their business record archiving systems are squarely in harm’s way.
Text message archiving sounds daunting, and with good reason. Most messaging systems lack functions for message capture, search and retrieval, identification and preservation. And there are many different devices, service providers, and text messaging systems (some promising disappearing messages, anonymity or encryption), with unique features and operations. Adding to the challenge, record keeping rules aren’t uniform — their applicability depends on the type of record, type of business, regulatory agency involved and other factors. User privacy is also a thorny records management issue.
How do you know if texts are business records?
Rule of thumb: If a text message includes information about business activities or functions, it’s usually an official business record. A 2015 court case involving government employees’ text messages provides a good example of this rule. The Washington Supreme Court said business-related texts on private cell phones were public records under the Washington Public Records Act: “Records can qualify as public records if they contain any information that refers to or impacts the actions, processes, and functions of government.”
If a company can’t produce its business records, it can’t defend legal claims against the organization, or prove lawful conduct in a supervisory exam. Inability to produce text message records can undermine corporate claims and defenses. In some courtrooms, judges reject claims of “lost” mobile device records, and allow negative inferences to be drawn about what incriminating evidence may have been in the missing electronic communications.
There are other risks, too. Experts say most mobile-based security breaches are caused by employees. Compounding this, employees using their own mobile devices don’t feel particularly responsible for loss of company data on those devices. Some employees disable company-required security on their phones. A 2016 Verizon Data Breach Investigations Report also notes few organizations prioritize securing mobile devices.
Companies can no longer pretend they don’t know their employees use text messaging for business communications. However, they can reduce the risks by adopting text message policies and enforcement guidelines. Here are some first steps that companies can take to begin the process:
- Train employees on business record keeping responsibilities, so they understand what business records are and why they must be kept.
- Establish business texting policies and guidelines. May business be done by texting to or from an employee’s personal accounts? What restrictions apply? Examples: No deleting business text messages from devices without permission; no encryption apps or burner phones may be used to hide business messages;
- Establish and communicate consequences for employee text message violations.
- Implement the policies, audit for compliance, apply sanctions when necessary.
Here are two very recent tales of unmanaged risk catching up with firms, and the response of regulators who are watching the way companies like these handle those risks very, very closely.
Last week, Platinum Partners executives were charged in a $1 billion, eight-count securities fraud indictment. According to Brooklyn U.S. Attorney Robert Casper, communications and other company documents revealed fraudulent and deceitful practices from the hedge-fund managers. As described by federal prosecutors and the Securities and Exchange Commission, communications also show a trend of “relentless” redemption requests from concerned investors who wanted their money back¹.
Over the years, Platinum Partners earned more than $100 million in fees during the conspiracy. However, hints of financial troubles began to arise in 2012, eventually leading the alleged conspirators to use loans and payments from new investors to pay existing investors, similar to the infamous Madoff Ponzi scheme.
In another case, the Financial Industry Regulatory Authority (FINRA) fined 12 firms a total of $14.4 million for “significant deficiencies” in the storage of electronic broker-dealer and customer records. More specifically, FINRA found that records were not stored in the required, “write once, read many,” or WORM, format. Federal securities law and FINRA require the WORM format to prevent electronic business-related communications from being altered. In this case, each of the fined firms demonstrated deficiencies that affected millions—to hundreds of millions—of records “pivotal to the firms’ brokerage businesses, spanning multiple systems, and categories of records.²”
Risk for firms comes in many forms—legal, regulatory, financial, and reputational—and these types of risk often travel together. Organizations need to take a proactive approach to finding and addressing risk as part of an overall, firm-wide culture of compliance. This includes, as in the FINRA WORM case, meeting specific regulatory obligations surrounding the immutable retention of electronic records.
A firm’s archive of electronic communications—unstructured electronic records that include email, social media, text messaging, instant messaging, and more—is a major repository for risk, and it requires proactive governance. These oversight efforts can help identify the (risk) needles in the haystacks (messages), and set in motion the actions necessary to safeguard a firm and its investors.
Firms that are proactive and automate their electronic communications supervision processes with documented policies and systems to help supervise and enforce them, also help protect their investors from the results of fraudulent behaviors. With the Smarsh comprehensive archiving solution, for instance, firms leverage specific and intelligent policies to proactively flag potential regulatory violations and risky behaviors (ex. fraud, money laundering) across every channel of their electronic communications. Beyond its ability to help strengthen a firm’s capacity to identify and mitigate risk, adoption of a solution set like this can be seen by regulators and investors alike as a huge selling point; investors will inherently feel more confident entrusting their assets with firms that regularly monitor communications and address risk this way.
While scandals and legal cases centering on email, social media and text messages make headlines nearly every day, most companies are unprepared to deal with a situation where communications data is missing or hard to find, has been tampered with, or presents unfavorable evidence. Even today’s smartest organizations find themselves playing the game of catch-up.
In a recent Compliance Week piece by Tim Sprinkle, Mike Pagani from Smarsh highlighted how the challenge for compliance officers, specifically in the financial services industry, is getting their arms around all of the messages that come from their companies across different social and digital platforms.
Mike noted, “If your existing compliance perimeter focuses only on e-mail and you’re automating that, people these days are smart. They know that e-mail is being supervised, so they’re not going to communicate about anything that’s risky in there. So we’re seeing a lot more instant messages. A lot more mobile text messaging. I like to say: When you look at the whole spectrum of communications options that are available today, there are a lot of blind spots in a lot of organizations.”
Tools including social media, instant messaging and text messaging, are necessary to stay competitive and relevant. However, they bring with them risks and challenges. Automating the process of checking all social media communications against established policies for approved use, especially when personal accounts and networks are in play, is critical to mitigating risks while empowering the right balance of speed, agility, and reach.
Smarsh believes that supervising communications with solutions that enable real-time monitoring and automated policy checking is the right approach to balance governance with business and communications agility. When archiving content, companies should select a platform that can handle all relevant content types, not just email or social media. It’s also important to capture social media feeds in their native formats, so content can be reviewed in its proper context (you can see if content originated from Facebook, LinkedIn, Twitter, etc.).
Join the many thousands of Smarsh customers in regulated industries that benefit from a unified, search-ready archive for email, instant messaging, text, web, video and social media communications. For more information please visit http://www.smarsh.com/archiving-and-compliance/.
When this blogpost appears, the Presidential campaign will be history, but the sensational email hacks involving public figures like John Podesta and Colin Powell will live on to be dissected again and again. For the umpteenth time, we’ve learned that insecure electronic messaging can cause damage. In some circles, there’s heightened anxiety about hacking and disclosure of private messages. Those who feel themselves at risk are exploring how to keep their communications private. A raft of privacy advisors, privacy advocates, and new technologies are ready to help them.
What does this focus on privacy mean for companies obligated to track and monitor employee messages? In highly regulated industries, such as financial services, companies have a duty to review and manage business-related communications, to promote legal compliance. Individual attempts to shield, hide, or destroy messages—or remove them from supervisory oversight—can create enterprise liability.
Here’s the paradox facing financial companies: Despite rising regulatory expectations for monitoring employee communications and the availability of improved monitoring tools, individuals are increasingly uncomfortable with corporate electronic oversight. Some are resisting what they perceive as over-reaching corporate surveillance. The Information Technology and Innovation Foundation (ITIF) uses the term “privacy panic cycle” to describe negative public reaction to technologies thought to be inconsistent with personal privacy. Widely reported email hacks could lead to a new round in this panic cycle, with employer-employee skirmishes on the communications monitoring front. These skirmishes will likely be short-lived; ITIF notes that privacy panic cycles usually subside when people understand that the benefits of innovative technologies outweigh their privacy drawbacks.
Financial enterprises must continue to monitor, archive, protect, analyze, and produce employee messages for regulatory compliance purposes and litigation. This task becomes more complicated if workers try to evade observation.
For instance, employees may turn to text messaging on their personal phones to avoid the watchful eye of employers, or use specific communications apps to shield their messages from view.
Some of these apps are based on encryption, but others are being developed specifically to provide off-the-record messaging for social platforms such as Facebook Chat or Yahoo Messenger.
Employees web-browsing in incognito mode can also shield their browsing data and file transfer activity.
Those who don’t want their employers to see content or retention of cell phone activity records can either install apps to hide mobile browsing data, or use burner prepaid phones without providing ID information to the carrier, preventing meaningful tracking of cell phone coordinates. And some employees, mindful of web and message monitoring, are going off the social media grid, or using social apps less often. Information on how to use privacy-enhancing options is readily available on the web. In fact, an entire industry has emerged to disseminate information about these options.
Financial companies might do well to approach this issue head-on, incorporating into social media policies their express expectations that employees will not try to hide, delete or obscure their social messaging activity when it is relevant to business. While “expectations” are more ambiguous than “lines in the sand,” diligent employees will understand such policy statements to mean that obscuring communications is unacceptable to their employers. An approach with more teeth might require employees to periodically certify – with risk of discipline — that they have not hidden messages or avoided social media monitoring of their business-related communications.
The news-making email hacks raised awareness—and resistance—to corporate communications monitoring and preservation of individuals’ online and social activity. But financial companies have no choice about whether to monitor and preserve these records. They have a legal responsibility to keep relevant business records, regardless of the privacy panic cycle or individual attempts to avoid detection. With employees becoming increasingly anxious about being surveilled online, companies must dig deeper, and work harder and smarter to find and preserve all relevant records.
Compliance and eDiscovery are essential activities for any organization, regardless of its size, the industry that it serves or the jurisdictions in which it operates.
To be sure, “heavily” regulated organizations – such as those in the financial services, government, healthcare, life sciences, energy and certain other markets – face higher levels of compliance obligation than their less heavily regulated counterparts.
However, every organization must factor eDiscovery and compliance considerations into its communications strategy.
This white paper will examine the following key takeaways:
- The increasingly complex recordkeeping needs for both eDiscovery and regulatory compliance
- What capabilities are natively included in Office 365® to meet recordkeeping requirements
- How to overcome the limitations and close Office 365® compliance and eDiscovery gaps
What is one of the major benefits of The Archiving Platform™ from Smarsh?
Customers tell us time and again that it helps them dramatically save time on supervision efforts. The Archiving Platform is all you need to review and oversee all of your electronic communications, in one place. It helps automate much of the review workload, so you can reclaim those late nights and weekends that used to be spent poring over hundreds or thousands of messages.
4 ways you can reclaim your evenings and weekends using the Supervision Module with The Archiving Platform:
- Get into a routine. Many firms schedule message review as a monthly task, or only do it on an ‘as-needed’ basis. However, making it a priority to conduct more frequent supervision can make a big difference in streamlining your efforts. Although it may sound like more frequent review will add time to your already maxed-out schedule, it will help you avoid a pile-up of messages, keeping your Review Queue to a minimum. Within The Archiving Platform, you have the ability to customize how often your Review Q
ueue is populated. Depending on your preferences, you can choose daily or weekly reviews. (Monthly review is still available for the times when you aren’t able to review more frequently.)
- Take action. Save time on your review process and leave the office a little earlier by quickly marking and assigning messages that need additional review with the Supervision Module’s . Using this panel helps eliminate confusion and simplify supervision efforts across your team, while Review Queues let everyone know which review activities they’re responsible for. Any message that needs urgent attention can be moved into an Escalation Queue to be assessed by a designated reviewer.
- Get a closer look. You can narrow down your review process by choosing to see messages by specific content type or network when needed, helping you get to the content you’re looking for with added flexibility and functionality.
- Eliminate noise. Cut down to only the messages that actually need review by using Policies to automatically classify and cross-check for content that may violate regulatory or internal guidelines for acceptable communication. You can use pre-existing templates created by Smarsh experts, or create custom Policies tailored to your organization’s requirements. Policies can also be fine-tuned over time to further weed out messages that don’t require attention, giving your team more time to focus on priority projects.
In business, time translates into dollars. Imagine how much you could save by eliminating inefficiencies and employee overhead and overtime to get through a backlog of messages for review. See for yourself. Learn more about The Archiving Platform and the Supervision Module, and other time– and cost-saving options at www.smarsh.com.
By now, most members of the financial and mortgage banking industries know they must retain and archive electronic communications. But some companies don’t yet realize that social media communications are included in this mix. And among those that do realize the requirements, archiving efforts are far from complete.
Why don’t more companies archive social media communications? There are several reasons. Some think archiving will add too much content to their document review processes. Others fear it will increase the cost of data storage. And some firms prefer a wait-and-see approach, doing nothing until rules for archiving social media are clarified and finalized.
The risk of a hands-off approach to social media archiving is that financial regulators are keenly aware of social media use, and they expect to be able to review social messages upon request, in response to customer complaints or during examinations. When they can’t, they impose fines and sanctions associated with noncompliant recordkeeping.
Regardless of the rationale for not preserving social communications, failure to do so is risky business. Deloitte has highlighted the risk of an enterprise’s inability to produce social media records in litigation. Deloitte reports that social media information is frequently used by regulated companies in investigations that support litigation, with more than 50 percent of law firms working on cases that involve social media communications.
Missing or incomplete records of social communications can lead to trial losses and adverse judicial decisions if a defendant can neither prove nor disprove a claim. E-discovery is a major cost factor in the escalating costs of litigation. E-discovery sanctions are increasing, primarily for these three reasons: failure to preserve communications, failure to produce communications, and delaying the production of requested communications. Simply put, inconsistent or nonexistent recordkeeping is a litigation risk that can also lead to higher legal costs and sanctions against a firm.
If you aren’t yet archiving social media content and communications, a few best-practice tips can make the process less daunting:
- All social content and communications are not created equal. In the mortgage industry, messages involving customer-facing employees are more likely to be subject to retention rules and discovery requests than administrative messages. Tip: Recordkeeping and archiving programs and policies can—and should—prioritize different record types and sources within an organization.
- Not every message needs be kept forever. Some messages are redundant, obsolete, and trivial (ROT). Keeping too much information—or keeping it too long—consumes corporate resources. Retrieval costs can spiral while staff sorts through mountains of information to find requested content. Tip: Recordkeeping policies should differentiate between what must be retained and what can be destroyed. Destruction schedules and policies are an essential component of effective recordkeeping policies.
- Content is king. It’s not the social media platform (or the communication device used) that determines whether communications should be archived. An instant message conversation about loan rates can be as relevant a business record as a phone call or paper documentation. Likewise, an app-based appointment-setting button facilitating borrower meetings with loan officers could be considered a solicitation record. Tip: When creating guidelines for communication records archiving, the focus should be on the content of the communication, rather than how it was generated.
Do you often wonder how prepared your business is for a planned or unplanned audit or regulatory examination?
Or, are you curious to find out how you stack up against your peers, who are also faced with compliance challenges in an ever-changing regulatory environment?
A new Smarsh tool, The Electronic Communications Compliance Maturity Assessment, is designed to give you specific insights into your level proficiency related to electronic communications retention and supervision for compliance and legal purposes.
When you take the easy-to-follow online assessment, you’ll find out:
- How prepared your business is to respond to planned or unplanned FINRA and SEC examinations and requests related to electronic communications oversight
- Whether you are reliably retaining and supervising the electronic communications content types that regulators now require
- Where you can make key advances in your electronic communications compliance procedures so you can become more efficient and effective in your overall compliance program
To take the self-assessment and get a free copy of your report, tailored to your business, click here.
You can also learn more about the Electronic Communications Compliance Maturity Assessment by taking a look at the video below.
In the face of ballooning financial and labor costs for supervision, many firms are either banning new types of communication (e.g. social media, text messaging), or pretending they don’t exist.
This paper outlines the immediate actions firms can take to correct outdated and costly supervision procedures.
Inside, you’ll learn:
- Why supervision strategies that used to work fine are failing as technology changes
- What options exist for firms to close their compliance gaps
- How to use the right tools and technology to streamline your supervision and review
Learn more about the current state of supervision here.
Want to see how your supervision program fares against your peers? Take the Electronic Communications Compliance Maturity Assessment and find out!