2020: Extending the Vision of Supervisory Review
The new year and next decade have arrived – along with an endless series of prediction posts that will connect the terms “2020” and “vision.” So, let me contribute mine to the fray.
The start of 2020 does have significance, albeit symbolic, for the field of supervision – otherwise known as regulatory-driven supervisory review. One could argue that it is an inflection point where those faced with the historical challenges of addressing FINRA, SEC, and CFTC rules for the review of communications are all asking similar questions about 2020 and beyond, such as:
- How can we more efficiently review increasingly unique content sources, such as those created on mobile apps and collaboration tools?
- How can we use advanced ML and surveillance technologies to spot patterns and unknown risks?
- How should we adjust our compliance processes to comply with CCPA and other new privacy requirements around the world?
For those in the midst of these challenges, stay tuned to this channel. We will focus on these topics throughout the course of 2020, starting with our annual review of the upcoming FINRA Annual Risk Monitoring and Examination Priorities letter when it is released later this month.
For those who do not have an explicit regulatory-driven supervision requirement, practices for inspecting employee communications for potential policy violations vary widely, and often entail simple ad-hoc search and review or the use of data loss prevention (DLP) tools to look for specific words or phrases. It is within this group that we expect to see big changes in 2020, with cases such as these driving the increase in demand:
These examples show why 2020 will be the year that extends the vision of supervisory review, for three reasons: a seemingly endless stream of new communications tools, many of them released to employees without policy controls or user training that establish clear usage guardrails; tools with widely differing abilities to capture and control content that is often interactive and ephemeral; and the fact that review must now include any employee whose actions can result in the loss of information with business value or expose the company to privacy, security, or other business risk.
So, what can firms who do not have specific regulatory-driven mandates for formal supervisory programs learn from those that do? Here are five key lessons:
1. Assume risk and value can live anywhere: Messaging apps, Microsoft Teams, and Slack can all look like places to socialize with chat buddies. But every organization using these technologies should take to heart what regulators and the courts are saying consistently: It is the content and context within a conversation that is determinative, not the specific tool or technology that one is using.
2. Know your networks: Just when you thought you were gaining the upper hand on shadow IT and dark data locations, we start 2020 with a new generation of employees and clients who demand to do business with the tools they are familiar with. Maintaining an active inventory of acceptable messaging and collaborative apps is not getting any easier, but has never been more important.
3. Establish a regular inspection cadence: Every organization should establish an ongoing process to review employee communications, starting with inspection for keywords, message fragments that indicate use of prohibited networks (e.g., WeChat, WhatsApp, Snap), and phrases that may indicate channel hopping (e.g., LDL [let’s discuss live], TOL [talk offline]). Higher-risk employees, client-facing staff, and executives can be inspected more frequently, and the patterns uncovered can be fed back into supervisory policies to stay ahead of the areas of highest risk.
4. Train, train, and retrain: Identifying areas of potential exposure should start with clear, explicit training programs that illustrate acceptable and prohibited uses of each communications tool. As tool preferences often differ by department, working directly with users to understand how each technology enables that area of the business is a good starting point.
5. Ask AI for help: Identifying inappropriate behavior across 100+ communications sources (and, for global firms, significantly more) is like finding needles that keep moving across multiple haystacks, some better organized than others. AI and content surveillance technologies are well suited to uncovering patterns and anomalies in behavior that complement policy-based inspection.
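To make lesson 3 concrete, here is an added example (not code from the original post or from any vendor product) of a rule-based inspection pass over a batch of chat messages. It flags mentions of prohibited networks and channel-hopping phrases, then orders the hits by an assumed per-tier review window so the riskiest populations are looked at first. The messages, sender names, risk tiers, and review windows are all constructed for the example; the word-boundary and case-sensitivity choices show why naive substring matching on terms like "TOL" or "Snap" produces noise.

```python
"""Rule-based inspection pass over a batch of chat messages.

Added example, not from the original post. It looks for two things the post
calls out: mentions of prohibited messaging networks and phrases that signal
an attempt to move a conversation off a monitored channel. The messages,
sender names, risk tiers and review windows below are constructed for the
example.
"""
import re
from collections import Counter

# Constructed sample batch. "tier" is an assumed label a firm might keep in
# its HR or entitlement system; it drives how quickly a hit must be reviewed.
MESSAGES = [
    {"id": 1, "sender": "alice", "tier": "client_facing",
     "text": "Can't type all this out, let's take it to WhatsApp."},
    {"id": 2, "sender": "bob", "tier": "standard",
     "text": "Total headcount for Q1 is attached, no action needed."},
    {"id": 3, "sender": "carol", "tier": "executive",
     "text": "LDL re: the pricing exception, TOL after the call."},
    {"id": 4, "sender": "dave", "tier": "standard",
     "text": "Please snap a photo of the whiteboard before it is erased."},
    {"id": 5, "sender": "erin", "tier": "client_facing",
     "text": "Ping me on wechat, this channel is monitored anyway."},
]

# Each rule: (label, compiled pattern, category). Word boundaries keep "TOL"
# from firing on "Total" and "LDL" from firing inside other tokens. Brand
# names users type in lower case get IGNORECASE; "Snap" stays case-sensitive
# because "snap a photo" is ordinary English. The trade-off is a miss on
# "snap me", which is why rule hits feed back into training and policy
# tuning rather than being treated as the whole control.
RULES = [
    ("WhatsApp", re.compile(r"\bwhatsapp\b", re.I), "prohibited_network"),
    ("WeChat", re.compile(r"\bwechat\b", re.I), "prohibited_network"),
    ("Snap", re.compile(r"\bSnap(chat)?\b"), "prohibited_network"),
    ("LDL", re.compile(r"\bLDL\b"), "channel_hopping"),
    ("TOL", re.compile(r"\bTOL\b"), "channel_hopping"),
    ("take it offline", re.compile(r"\btake (it|this) (offline|to)\b", re.I),
     "channel_hopping"),
]

# Assumed review windows per risk tier, in hours. The post's point is that
# higher-risk populations get inspected more often; the numbers are made up.
REVIEW_WINDOW_HOURS = {"executive": 24, "client_facing": 24, "standard": 168}


def inspect(message):
    """Return the list of rule hits for one message (empty if clean)."""
    hits = []
    for label, pattern, category in RULES:
        m = pattern.search(message["text"])
        if m:
            hits.append({"rule": label, "category": category, "match": m.group(0)})
    return hits


def inspect_batch(messages):
    """Run every rule over every message and build a review queue.

    Only messages with at least one hit are returned, sorted so the shortest
    review window (highest-risk tier) comes first.
    """
    findings = []
    for msg in messages:
        hits = inspect(msg)
        if hits:
            findings.append({
                "id": msg["id"], "sender": msg["sender"], "tier": msg["tier"],
                "review_within_hours": REVIEW_WINDOW_HOURS[msg["tier"]],
                "hits": hits,
            })
    findings.sort(key=lambda f: (f["review_within_hours"], f["id"]))
    return findings


def pattern_summary(findings):
    """Count hits per rule; this is what gets fed back into policy tuning."""
    return Counter(h["rule"] for f in findings for h in f["hits"])


if __name__ == "__main__":
    results = inspect_batch(MESSAGES)
    for f in results:
        rules = ", ".join(h["rule"] for h in f["hits"])
        print(f"msg {f['id']} ({f['sender']}, {f['tier']}): {rules} "
              f"-> review within {f['review_within_hours']}h")
    print(dict(pattern_summary(results)))
```

Run as a script, the pass flags messages 1, 3 and 5 and leaves "Total headcount" and "snap a photo" alone; in a real deployment the rule list would be generated from the firm's approved-tool inventory (lesson 2) and the `pattern_summary` counts would drive which rules and training topics get attention next.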
Welcome to 2020. The new era of supervisory review has arrived.
Archiving and Compliance Blog
Our Blog explores the news, trends and best practices in electronic recordkeeping. It’s about managing and getting value from your electronic communications data. It’s about satisfying legal and regulatory obligations. It’s all about turning compliance liability into business insight.