Communications Compliance Review in 2018:

The review of employee communications for possible compliance policy violations has never been more important – and more complex. The complexity is being driven by the adoption of new communications tools that offer richer, more dynamic, and more effective means of collaborating with embedded voice, messaging, and app sharing capabilities. The days of attempting to block their use are clearly numbered as your customers, partners, and employees will continue to demand access. In fact, we have worked with customers who today are supporting between 40-50 different communications sources – and that number represents only the sources that they are aware of being in use.

For compliance teams, a new reality quickly sets in: salespeople providing price quotes on WeChat. Product teams sharing road map information with partners on Microsoft Teams. Customer support updates delivered on voice-enabled applications. The compliance questions begin: how can these new communications sources be captured? How can these multi-modal networks be reviewed with our current tools that were designed for email? How can I understand where a compliance violation exists if the communication is a series of Tweets?

For financial services firms, the supervisory review of employee communications is not new. Firms regulated by FINRA, the SEC, IIROC (Canada), and under MiFID II (EU) (along with energy traders regulated by the CFTC) all have explicit requirements to periodically supervise communications. Many do this by reviewing a random sample of communications, or by defining a policy that is comprised of a series of keywords that are periodically reviewed by compliance staff. The lessons they have learned in attempting to remain in control of these new heterogeneous communications sources with their existing supervisory review technologies and processes are compelling – and can be leveraged by any other firm attempting to manage this growing sphere of information risk.

The complexity is real

For the past 10+ years, supervisory review has been mostly consumed by messaging, whether email or IM. Despite its nature as flat, static, and monotone, firms have nonetheless struggled with its sheer volume, which has often kept supervisory review staff buried under 300-400 items in their review queues.

But the era of rich, dynamic, multi-modal communications is changing this dynamic. Take, for example, Workplace by Facebook, which brings functionality including chat, file sharing, video and audio conferencing, and connection with other common tools, such as Dropbox, Google and Microsoft Office. These features further muddy the supervisory waters by obscuring context in a complex web of individual chat messages, file shares and emails. Getting a reasonable view of the actual meaning of this soup of communication is nearly impossible with supervisory tools designed for messaging.

The risks are material

Like communication technology, regulations have also evolved. The problems in the crosshairs of today’s regulations—privacy, security and meeting the challenges of new technology—are much broader, and the regulations designed to address them have bigger, sharper teeth. New and soon-to-be enabled regulations like MiFID II and GDPR are levying huge penalties, with GDPR allowing for a maximum fine of 4% of global annual turnover.

And risk is not just a consideration for regulated firms. Reputational and brand damage, the potential loss of sensitive data, and the inability to meet court-imposed deadlines can bring measurable harm to any organization.

Policy violations can hide from your review policies

Financial services firms have all made significant investments in tuning their supervisory review policies, yet many continue to struggle with false positive rates that far exceed 95 percent. Compliance teams are consumed in chasing down meaningless items while more significant risks go undetected by current lexicon and random sampling approaches. When new content sources are added, the risk surface area increases. The lesson for all firms is that you cannot effectively address today’s compliance review challenge with tools designed 10-15 years ago.

Supervisory review is not just about registered reps

Every organization has its version of individuals who are more inclined to get mixed up in activities that draw scrutiny (“high risk brokers”), or whose job entails having access to information that is of high value to the business. In financial services we have seen the supervisory lens expand from focusing solely on registered representatives to a broader set of individuals who are more prominent players on the information risk/value spectrum. Adopting this broader definition of which employee communications should be supervised is simply good information governance practice.

Moving toward next-generation content surveillance

Capturing and untangling the mess of discrete messages, video chats, file shares, and so on is a tall task on its own, and doing so to spot high risk activities that may have evaded current supervisory processes requires next-generation technology. To meet this challenge, organizations should consider approaches that:

  • Capture all communications and create a central point of control. Piecemeal capture may have worked when IT didn’t handle anything much more complicated than instant messaging, but with complex metadata—including third-party content, images, threaded comments, and user details that are relevant to investigations—unified capture and a central point for review across content sources is essential.
  • Offer automation tools that reveal context. Making sense of a conversation composed of myriad tiny pieces spread across multiple communication channels is as impractical to do manually as it is essential. Automation in the form of content surveillance can shine the light on communications and behavioral patterns to help uncover who communicated with whom and why. Regulators, including the SEC and FINRA, are adopting these technologies for their exam activities – firms should be doing the same.
  • Interoperate with advanced analytics to decipher increasingly inscrutable communication automatically. The volume and variety of data generated by all organizations today can quickly become too much for traditional human-driven methods of supervision. Firms should instead be examining machine learning and analytics tools that can leverage communications information to identify and enable action against information security, compliance, and governance risks that can arise anywhere across the company.

Financial services firms have learned many hard-earned lessons in supervisory review that can greatly benefit all organizations. Accepting the reality of today’s new communications sources means that information risk and value can reside anywhere – and technologies and processes must be re-examined to ensure that your ability to protect your firm, spot the key risks, and enable effective response can keep up.

Originally published on Actiance.com, March 22, 2018

Robert Cruz
