Lenders are already managing a long list of other industry rules and regulations, so these extra cycles of website and social media monitoring can have a significant time and cost impact on a business, if not managed efficiently with smart policies, and some help from technology.
With no room for error, how can you keep your marketing engines revving while you stay on course with the regulations? The key to success is automation.
- Why it’s important to set up policies and training for social media and websites
- How to use technology to automate the supervision of your digital presence
- Keys to refining your monitoring process over time
FINRA has just released its 2017 Regulatory and Examination Priorities Letter, which points out key areas member firms need to focus on to protect investors, market integrity, and their own business.
This year, the regulator plans to be particularly diligent on firms that hire repeated rule-breakers and high-risk registered brokers. FINRA also continues to task firms with improving their overall protection of vulnerable senior investors, tightening cybersecurity programs and controls, and shoring up other core issues related to compliance, supervision, and risk management.
Firms can use the letter to review and strengthen their compliance, supervisory and risk management programs, and to define their internal training related to FINRA priorities. Here are seven takeaways from the FINRA letter that firms can use to navigate through examinations in 2017:
- High-risk brokers, beware.
FINRA will continue to focus on high-risk brokers this year, especially those with repeated offenses or allegations of wrongdoing. Firms that hire or seek to hire recidivist brokers can expect “rigorous regulatory attention” and will need to perform due diligence when employing and monitoring representatives in this category.
FINRA has recently established a dedicated examination unit that will identify and examine brokers who may pose a high risk to investors. This specific unit will review high-risk brokers and their interactions with customers, compliance with rules regarding suitability, outside business activities, private securities transactions, and more.
The regulator will also assess whether firms develop and implement a supervisory plan that’s reasonably built to detect and prevent misconduct by a broker if that broker has a history of misconduct. Firms that have a concentration of brokers with misconduct histories (or several sales practice complaints and arbitrations) will also be looked at closely.
- Financial advice must be suitable for the customer.
FINRA is concerned because it continues to see situations where a broker recommends financial products that aren’t suited to their customers. This is particularly applicable and alarming when elderly investors receive recommendations that aren’t right for them. Firms are asked to take specific measures to protect senior citizens from financial exploitation. It’s recommended that firms double-check orders, and monitor their brokers’ outside ‘business’ activities and interaction with seniors. FINRA plans to follow up with an assessment of firms’ controls to protect seniors from fraud, abuse and improper advice, and its letter includes several suggestions regarding the steps firms must take to prepare.
- Social media and electronic communications retention and supervision systems are now magnified.
FINRA will continue to closely review firms’ compliance with their supervisory and record-retention obligations related to social media and other electronic communications, because these digital records have an increasingly critical role to play in the securities business. The regulator stresses these obligations apply to business communications irrespective of the medium or device used to communicate. That means that under U.S. Securities and Exchange Commission (SEC) and FINRA record-retention requirements, firms must ensure the capture of business-related communications no matter what devices or networks are used by an organization and its employees. Firms must capture and maintain all business-related communications so they can be reviewed for inappropriate business conduct.
- Cybersecurity continues to alarm firms and FINRA alike.
Cybersecurity threats remain one of the most significant risks firms face. This year, FINRA will continue to assess firms’ programs to manage risks, while acknowledging there’s no one-size-fits-all approach to cybersecurity. FINRA will tailor its assessment of cybersecurity programs to each firm based on a variety of factors, including business model, size and risk profile.
FINRA points firms to two areas in cybersecurity that have shown “repeated shortcomings in controls.” First, the regulator has noticed cybersecurity controls at a firm’s branch offices tend to be weaker than those at the home office, and calls for firms to improve upon that problem. (See more about broker offices, below.)
Second, FINRA notes many firms have failed to fulfill their obligations under the SEC Rule 17a-4(f) which requires firms to preserve records in a non-rewritable, non-erasable format (write once/read many, a.k.a. WORM). This is a significant problem that firms must correct, since FINRA recently announced enforcement actions against 12 firms for failure to preserve broker-dealer and customer records in WORM format. FINRA has made it clear this issue will see continued scrutiny in 2017, and advises firms to use review and retention systems and services for email and other electronic communications that fulfill the specific 17a-4(f) requirements.
- Firms are asked to buckle down on their branch office supervisory systems.
FINRA said it will continue to evaluate firms’ branch office inspection programs and supervisory systems including, but not limited to, independent contractor branches. FINRA’s focus for these reviews will include an evaluation of:
- Account activity supervision
- Advertising and communications, including the potential use of unapproved email addresses for business
- Communications with customers through social media, seminars, radio shows or podcasts
- Registered representatives’ websites
- Outside business activities
Along the same lines, FINRA will assess firms’ testing of their overall internal supervisory controls, which enable firms to identify and fix gaps or inadequate controls in their compliance systems. While problems may appear first in a firm’s daily operations, FINRA has noticed issues become more prevalent when a firm increases its business scale or scope, or jumps from a legacy compliance system to a new one. Control problems may include record-retention omissions and failure to deliver proper documents and communication to clients.
- New electronic, off-site reviews are on their way.
This year, FINRA will start using electronic, off-site reviews to supplement its regular on-site examinations. It’s expected this will help FINRA review selected areas that are typically covered in its priorities letters, without the need to appear on-site at a firm. The regulator will make “targeted and limited” information requests to firms and then review responses off-site, for a select group of firms not scheduled for a regular exam in 2017. This implies that the regulator will be able to conduct more reviews, faster than ever before.
- Firms will soon have new insight into the industry’s exam results.
FINRA has heard frequently from firms and other stakeholders that they want to know more about what the regulator finds in its examinations. In response, FINRA will start publishing a summary report that outlines key findings from examinations in selected areas, on a national level. The results are expected to inform firms of deficiencies FINRA has observed, including in its areas of priority. This will also allow firms that haven’t been examined yet to fix any similar deficiencies in their business, or strengthen their controls.
FINRA will also develop a “compliance calendar” and a directory of compliance service tools, resources, and providers, to be shared with smaller firms that have asked for this guidance.
Smarsh recommends that firms review the FINRA letter in its entirety, as there are many other highlights that outline what broker-dealers should expect this year, with practical examples given.
If you’d like to learn more about how you can use The Archiving Platform from Smarsh to prepare your firm for many of the electronic communications archiving requirements set forth by FINRA and other regulators, visit http://www.smarsh.com/watch-it-work/.
By now, most members of the financial and mortgage banking industries know they must retain and archive electronic communications. But some companies don’t yet realize that social media communications are included in this mix. And among those that do realize the requirements, archiving efforts are far from complete.
Why don’t more companies archive social media communications? There are several reasons. Some think archiving will add too much content to their document review processes. Others fear it will increase the cost of data storage. And some firms prefer a wait-and-see approach, doing nothing until rules for archiving social media are clarified and finalized.
The risk of a hands-off approach to social media archiving is that financial regulators are keenly aware of social media use, and they expect to be able to review social messages upon request, in response to customer complaints or during examinations. When they can’t, they impose fines and sanctions associated with noncompliant recordkeeping.
Regardless of the rationale for not preserving social communications, failure to do so is risky business. Deloitte has highlighted the risk of an enterprise’s inability to produce social media records in litigation. Deloitte reports that social media information is frequently used by regulated companies in investigations that support litigation, with more than 50 percent of law firms working on cases that involve social media communications.
Missing or incomplete records of social communications can lead to trial losses and adverse judicial decisions if a defendant can neither prove nor disprove a claim. E-discovery is a major cost factor in the escalating costs of litigation. E-discovery sanctions are increasing, primarily for these three reasons: failure to preserve communications, failure to produce communications, and delaying the production of requested communications. Simply put, inconsistent or nonexistent recordkeeping is a litigation risk that can also lead to higher legal costs and sanctions against a firm.
If you aren’t yet archiving social media content and communications, a few best-practice tips can make the process less daunting:
- All social content and communications are not created equal. In the mortgage industry, messages involving customer-facing employees are more likely to be subject to retention rules and discovery requests than administrative messages. Tip: Recordkeeping and archiving programs and policies can—and should—prioritize different record types and sources within an organization.
- Not every message needs to be kept forever. Some messages are redundant, obsolete, and trivial (ROT). Keeping too much information—or keeping it too long—consumes corporate resources. Retrieval costs can spiral while staff sorts through mountains of information to find requested content. Tip: Recordkeeping policies should differentiate between what must be retained and what can be destroyed. Destruction schedules and policies are an essential component of effective recordkeeping policies.
- Content is king. It’s not the social media platform (or the communication device used) that determines whether communications should be archived. An instant message conversation about loan rates can be as relevant a business record as a phone call or paper documentation. Likewise, an app-based appointment-setting button facilitating borrower meetings with loan officers could be considered a solicitation record. Tip: When creating guidelines for communication records archiving, the focus should be on the content of the communication, rather than how it was generated.
Do you often wonder how prepared your business is for a planned or unplanned audit or regulatory examination?
Or, are you curious to find out how you stack up against your peers, who are also faced with compliance challenges in an ever-changing regulatory environment?
A new Smarsh tool, The Electronic Communications Compliance Maturity Assessment, is designed to give you specific insights into your level of proficiency related to electronic communications retention and supervision for compliance and legal purposes.
When you take the easy-to-follow online assessment, you’ll find out:
- How prepared your business is to respond to planned or unplanned FINRA and SEC examinations and requests related to electronic communications oversight
- Whether you are reliably retaining and supervising the electronic communications content types that regulators now require
- Where you can make key advances in your electronic communications compliance procedures so you can become more efficient and effective in your overall compliance program
To take the self-assessment and get a free copy of your report, tailored to your business, click here.
Over the past 15 years, Smarsh has urged financial services firms to retain all of their electronic communications for compliance purposes – no matter what devices, applications or channels a firm uses to talk with customers and prospects, or even internally. Email, social media, text messages, website content and internal collaboration platforms are all fair game for regulatory scrutiny, so firms must keep them in check.
Unfortunately, when talking with compliance professionals, many tell us they are already overburdened by the communications supervision tasks at hand. As they continue to perform the same ol’ supervision processes they’ve used for years, they don’t adapt to the changing risks in their organizations. So, while struggling to do what worked a decade ago under today’s digital deluge, they fail to recognize or supervise what’s really most risky. To put it bluntly, supervision is broken. (But it can be fixed).
Here’s why. Firms know they must perform regular supervision of communications. The catch is that compliance must carry out this ongoing mission while dealing with an ever-widening set of content, rushing forward from a sea of social media channels, collaboration platforms and text messages. All of these are perceived to place additional strain on a firm that may not conduct message review often enough to truly identify and mitigate risk, or that buckles under the time and resource commitment needed to review email.
According to the 2016 Electronic Communications Compliance Survey Report, many smaller firms (1–5 employees) say they can only review electronic messages on an ‘as needed’ basis, usually when a regulatory exam or internal audit seems imminent. Small firms may want to do more, but this ‘retain and respond’ scenario is common because they often lack people and resources, and employees may wear many hats, including compliance responsibilities. This puts a small firm in a risky situation where it plays the odds, hoping the consequences of non-compliance are lesser than the need to channel resources into other activities besides systematic supervision. However, hope is not a sound business or compliance strategy.
For larger firms, supervision problems usually manifest in a different way. Most have more resources and time devoted to the review of electronic communications, but they may look at risk in all the wrong places. Long-established surveillance procedures tend to primarily target email, albeit rather ineffectively, as the volume of email a firm exchanges continues to grow. However, it’s probably not in email where the greatest risk exists.
Despite their specific supervision challenges, small and large firms share the following issue: they neglect the thorough supervision of newer forms of digital communication, which present the most risk. Social media, text messages and other forms of content remain unsupervised while compliance employees continue to spend countless hours reviewing only email and older communication types. Meanwhile, we’ve seen time and time again that nefarious actors converse on newer, less-supervised channels like chat and mobile devices.
To deal with communications channels besides email, firms may attempt to do one of the following:
- Prohibit the use of newer, non-email communications channels. This rarely works, because firms still must prove to regulators that their system of prohibition is adhered to and enforced. Meanwhile, investors want to interact with their financial advisors in new and different ways, and forward-thinking reps push their firms to provide them with the tools necessary to keep growing the business.
- Put their head in the sand, and fail to acknowledge that new communications channels are used by firm employees and customers. Chances are that several new channels are being used (without compliance oversight), and regulators will find out about it.
- Extend email supervision tactics already in place. This isn’t a viable approach, because outdated supervision solutions and processes that center on email aren’t likely to adapt well to new communications channels, which are far more dynamic and complex. And if firms already rely on inefficient existing procedures – like random samples or lexicons that haven’t been updated – applying these to email PLUS new content means firms ultimately create more inefficiency for more people.
It’s clear that what got firms here won’t get them where they need to go in this highly regulated environment.
At the same time, here’s what’s promising: a comprehensive archive platform represents a technology disruption that will drive the efficiencies necessary to scale supervision initiatives, for small and large firms.
The comprehensive archive platform category by definition begins with the ability to store all content types in a single repository. The true value emerges when it comes to what can be done with the data in the archive.
By using a comprehensive archive and leveraging an automated policy engine to reflect a firm’s governance policies, review teams can upgrade antiquated random samples and lexicons with policies designed to find specific risk, such as complaints or anti-money laundering. Using the best practices of the financial services industry and the power of automation, compliance teams can also introduce intelligent exclusions to their policies to reduce the amount of false-positive messages to review. In addition, teams can review, report on and tune policy effectiveness, and automate the prioritization of content that merits more scrutiny.
From there, specialized review workflow capabilities in a comprehensive archive enable compliance teams to focus high-priced professionals on the most pressing e-communications compliance risks.
Options to supplement or redeploy existing staff to more valuable tasks can then be evaluated, to help allocate the right amount and knowledge level of people required to conduct reviews. In this way, the human bandwidth gained from the more efficient use of a firm’s reviewer resources can be directed at a broader set of content types to reduce risks within the expanded compliance perimeter.
That’s just the beginning. Many firms also already use content from their archive for purposes outside of compliance and risk management. Those on the cutting edge use behavioral analytics, relationship mapping, predictive logic, and correlate data sets and data types to provide even more power to surface information efficiently from the archive. To leverage this innovation today and in the future, however, the content needs to be available for the machine to learn from – in other words, it needs to be archived.
Creating a sustainable, scalable and holistic approach needed for effective electronic communications supervision is elusive but surprisingly simple. A philosophical shift away from the incremental addition of new content types and supervision tasks toward a more comprehensive yet efficient approach might be all that’s needed. Once firms can understand that the world of electronic communications is not going to slow down, they can then shift their approach away from denial and prohibition toward embracing and enabling. Wouldn’t it be great if compliance was ready to support and supervise any new communication tool the business wanted to use almost immediately? To do this, however, we recognize that compliance can’t be overburdened by each and every one of them.
The solution boils down to being able to capture and store all types of content, in one place and then exploiting the many efficiency tools that are available to continuously speed up and automate routine tasks. Ultimately, this allows a limited amount of compliance resources to have much better supervision as they look across all content – including the riskier, newer types – while not increasing their workload along the way.
As the leading broker-dealer servicing the credit union industry, CUNA Brokerage Services must adhere to regulations designed to ensure fair practices in its investment, insurance and retirement planning offerings. To keep pace with technology and meet regulatory demands for the financial services industry, CUNA Brokerage Services needed to find an archiving solution that would help the organization achieve its compliance goals.
Finding the right partner was just as important to CUNA Brokerage Services as finding the right archiving solution. After evaluating several vendors, CUNA Brokerage Services selected Smarsh and The Archiving Platform based on specific criteria, such as the platform’s user-friendliness, ease of implementation, and cost-competitiveness – as well as the company’s reputation for excellent service and support.
Read the success story, CUNA Brokerage Services Chooses Smarsh, to learn how Smarsh helps CUNA Brokerage Services prepare for the road ahead in regulatory compliance.
[Author’s note: This blogpost is about business, not politics.]
The Office of the Inspector General (OIG) made a big splash recently with its report evaluating email records management at the State Department. Financial companies would do well to study the OIG report, because it lays out a useful roadmap that identifies potholes and other hazards associated with the inability to retrieve and access electronic records not retained and archived in accordance with established records management practices.
The OIG’s recommendations are generally applicable to all sorts of organizations, not just government agencies. Securities firms, mortgage companies, banks, online lenders, real estate brokers, and many other financial enterprises should review and adopt these recommendations to avoid the risk of reputation-busting headlines.
Let’s start with a few of the OIG’s recommendations, noting organizations should:
- Issue enhanced and frequent guidance on the permissible use of personal email accounts to conduct official business.
- Amend their policies to include penalties for noncompliance with records preservation and cybersecurity requirements.
- Adopt Quality and Assessment plans to address vulnerabilities in records management and preservation.
The laws governing records preservation at the State Department (and applicable to government in general) are different from those that apply to financial companies, but the key requirement for any records preservation program is compliance with applicable law.
Where mortgage companies are concerned, as I have stated in my previous blogposts and in Smarsh webinars, both federal and state laws identify what must be kept, and how long it must be kept. That’s the starting block.
One thing that the Federal Records Act and mortgage document retention laws have in common is that electronic messages (including social media messages) can fall within the definition of “records.” Another is that business records must be preserved, just like records of communications concerning the business of government. So far, so good.
Problems at the State Department, as identified by the OIG, mirror record keeping lapses in the commercial sector. For instance, employees are prone to:
- Choose not to use existing record retention systems
- Regard record-keeping as a burden
- Feel record-keeping is difficult to use and is inefficient
- Erroneously mix personal communications with official business communications, while hoping to keep one or the other type of messages private
- Disregard their employer’s records retention policies and protocols
Regardless of the reasons for noncompliance with record retention laws, management is usually responsible when things go wrong. Indeed, the OIG report states “management weaknesses contribute[d] to loss of email records,” and that the overwhelming proportion of federal agencies (80%) are at elevated risk for improper management of electronic records.
The OIG says that even where records preservation programs are in place, requirements often go unenforced, electronic communications and files are not inventoried or indexed, electronic files are inaccessible or unavailable (and available records are often incomplete, mislabeled or missing key files), email addresses for departing employees are not captured and retained, and procedures for preventing employees from removing records from agency custody are not observed.
In its report, the OIG questions whether the State Department had an obligation to search personal email accounts for federal records. This question is just as relevant in the financial services sector as in government. Forward-thinking financial companies are monitoring the electronic communications of their employees to achieve regulatory and legal compliance, and keep their reputations intact.
Long considered a thankless, administrative, backroom function, record capture, archiving, and analysis are complex and growing risk management issues that now require thoughtful strategies and C-suite involvement.
The consequences of ignoring record retention compliance laws and policies were brought into sharp focus by the Inspector General’s report. Read it, learn from it, consider its applicability to your organization, and most importantly, act on it if your records management ducks are not all in a row, because one sensational investigation tends to be followed by others.
For compliance professionals who want to find out how their peers meet regulatory responsibilities related to the retention and oversight of electronic communications (including social media, instant messages and SMS/text messages) the annual Smarsh Electronic Communications Compliance Survey Report has become a trusted source for the global financial services community.
Now in its sixth year, the survey identifies the trends, concerns and best practices of compliance professionals in financial services related to the retention and oversight of electronic communications. The report also highlights the compliance gaps that expose firms to the most risk.
This year, the report illustrates that firms have an urgent need to rethink their usual approach to the retention and oversight of electronic communications, especially as they strive to develop and demonstrate a culture of compliance.
The survey data clearly shows that too many firms aren’t retaining and supervising different types of electronic communication. In addition, they’re not conducting systematic supervision regularly, which is necessary in today’s regulatory environment. And, those firms that do have established supervision programs struggle to find efficiencies under the weight of an avalanche of electronic communications.
The report also addresses several other aspects of electronic compliance. Key findings show that:
- Social media is the communication channel representing the highest perceived level of risk, cited by almost 50 percent of respondents.
- Forty percent of survey respondents believe too many or way too many messages are flagged for their review as part of the supervision process, indicating firms either don’t have the resources needed to effectively keep up with reviews, or they see too many false-positive search results which take up valuable compliance team time.
- Nearly 90 percent of respondents expect the resources (time and/or money) dedicated to electronic message compliance will remain the same or increase only slightly in the next 12 months. Fewer than one in ten expect to receive a significant resource increase. Unsurprisingly, this concerns compliance professionals. More than one-fourth of respondents (28 percent) cited insufficient budgets as a top concern this year, up from 22 percent last year.
You can learn more about compliance and electronic communications trends and challenges in the Smarsh 2016 Electronic Communications Compliance Survey Report.
Download the report now at http://www.smarsh.com/whitepapers/2016-electronic-communications-compliance-survey-report/.
We’re excited to announce that Smarsh has been named a Top Player in The Radicati Group’s Information Archiving — Market Quadrant 2016 report. This is the sixth year in a row that Smarsh has received the Top Player ranking.
The Radicati Group’s market analysis of archiving solutions is a four-quadrant system that categorizes vendors as Top Players, Mature Players, Specialists or Trail Blazers, based on market share and functionality. This year, Smarsh was one of only seven providers recognized as a Top Player, defined as “the current market leaders with products that offer, both breadth and depth of functionality, as well as possess a solid vision for the future.”
The report notes Smarsh offers clients a consistent and comprehensive set of search and review, policy, production and reporting tools across their organization’s email, social media, instant messaging, mobile messaging and Web content. For financial firms and others in highly regulated industries that need to regularly monitor archived content for regulatory compliance, Smarsh provides a highly specialized Supervision workflow designed to enable policy-driven monitoring and efficient team-based content review.
The Radicati Group highlighted the intelligent archiving capabilities of the Smarsh Archiving Platform, where messages are ingested, indexed and retained in a search-ready state in their native format as opposed to having non-email content converted to email. This allows fast search and review by unique elements and objects of each message type. It also enables a real-world contextual view, where, for example, a user searching for a Facebook post will see the full context of the conversation, including files and comments that may have been added at a later time.
We’re always working to stay ahead of the rapidly evolving electronic communications environment, with solutions that address your message archiving and supervision requirements for compliance and e-discovery. We’d like to thank all of our customers, partners and employees for your ongoing support as we strive to develop solutions that give companies the most effective and efficient archiving tools available on the market!