2020: Extending the Vision of Supervisory Review

January 14, 2020by Robert Cruz

Subscribe

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

The new year and next decade have arrived – along with an endless series of prediction posts that will connect the terms “2020” and “vision.” So, let me contribute mine to the fray.

The start of 2020 does have significance, albeit symbolic, for the field of supervision – otherwise known as regulatory-driven supervisory review. One could argue that it is an inflection point where those faced with the historical challenges of addressing FINRA, SEC, and CFTC rules for the review of communications are all asking similar questions about 2020 and beyond, such as:

  1. How can we more efficiently review increasingly unique content sources, such as those created on mobile apps and collaboration tools?
  2. How can we use advanced ML and surveillance technologies to spot patterns and unknown risks?
  3. How should we adjust our compliance processes to comply with CCPA and other new privacy requirements around the world?

For those in the midst of these challenges, stay tuned to this channel. We will focus on these topics throughout the course of 2020, starting with our annual review of the upcoming FINRA Annual Risk Monitoring and Examination Priorities letter when it is released later this month.

For those who do not have an explicit regulatory-driven supervision requirement, practices for inspecting employee communications for potential policy violations vary widely, and often entail simple ad-hoc search and review or the use of data loss prevention (DLP) tools to look for specific words or phrases. It is within this group that we expect to see big changes in 2020, with cases such as these driving the increase in demand:

1. Away CEO resigns after “Slack bullying” is revealed

2. The Wall Street Journal warns of the risk of text misfires

3. Apple warns employees about leaking information to media via LinkedIn and Twitter

4. Telsa also warns against information leaks and fires an employee for sharing confidential information with journalists on Twitter

5. Emojis are increasingly becoming swept up in workplace harassment issues

6. Antonio Brown fired from NFL team for intimidating text messages

These examples show why 2020 will be the year that will extend the vision of supervisory review, primarily due to three reasons: a seemingly endless amount of new communications tools, many of which are released to employees without policy controls or user training that establish clear usage guardrails; unique tools with differing abilities to capture and control content that can be interactive and ephemeral; and because review now must include any employee whose actions can result in the loss of information that has business value or introduces the company to privacy, security, or other business risk.

So, what can firms who do not have specific regulatory-driven mandates for formal supervisory programs learn from those that do? Here are five key lessons:

1. Assume risk and value can live anywhere: Messaging apps, Microsoft Teams, and Slack can all look like places to socialize with chat buddies. But every organization using these technologies should take to heart what regulators and the courts are saying consistently: It is the content and context within a conversation that is determinative, not the specific tool or technology that one is using.

2. Know your networks: Just when you thought you were gaining the upper hand on shadow IT and dark data locations, we start 2020 with a new generation of employees and clients who demand to do business with the tools they are familiar with. Maintaining an active inventory of acceptable messaging and collaborative apps is not getting any easier, but has never been more important.

3. Establish a regular inspection cadence: Every organization should establish an ongoing process to review employee communications, starting with inspection of keywords, message fragments indicating use of prohibited networks (e.g., WeChat, WhatsApp, Snap), and phrases that may indicate channel hopping (e.g., LDL [let’s discuss live], TOL [talk offline]). More frequent inspection can be provided for higher-risk employees, client-facing staff, and executives, and uncovered patterns can be fed back into supervisory policies to help stay ahead of areas of highest risk.

4. Train, train, and retrain: Identifying areas of potential exposure should start with clear, explicit training programs that illustrate acceptable and prohibited uses of each communications tool. As tool preferences often differ by department, working directly with users to understand how each technology enables that area of the business is a good starting point.

5. Ask AI for help: Identifying inappropriate behavior across 100+ communications sources (and, for global firms, significantly more) is as easy as finding needles that can move across multiple haystacks, some of which are better organized than others. AI and content surveillance technologies are well suited to uncover patterns and anomalies in behavior to complement policy-based inspection.

Welcome to 2020. The new era of supervisory review has arrived.

Share this post!

Robert Cruz

Robert Cruz

Senior Director of Information Governance at Smarsh
Robert Cruz is Senior Director of Information Governance for Smarsh. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and discovery cost and risk reduction.
Robert Cruz
Archiving and Compliance Blog

Our Blog explores the news, trends and best practices in electronic recordkeeping. It’s about managing and getting value from your electronic communications data. It’s about satisfying legal and regulatory obligations. It’s all about turning compliance liability into business insight.

More Resources

Regulatory Updates
Key Takeaways from SEC and FINRA 2020 Priorities Letters: Technology Leads Area of Focus
Read more
compliance violation compass review right path featured img
Changing Times – Five Compliance Cornerstones for 2020
Read more
advanced search compliance review supervision featured img
2020: Extending the Vision of Supervisory Review
Read more

Get a Quote

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Contact Us

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.