Supervisory review of employee communications has been an escalating topic as of late. And for good reason: Recent actions from the SEC and FINRA were topped off by news last Friday that the SEC is taking action against 10 firms for a pump-and-dump scheme that netted $27M in fraudulent stock sales. So, financial crimes are topically front-and-center, and many firms are currently re-examining their programs for supervisory oversight.

What has been made clear from this recent news, as well as from the discussions we’ve had with firms over the past several months, is that we’ve reached the end of an era in supervisory technologies and processes. The old way of thinking of communications supervision as a business tax is no longer valid. And the viewpoint that supervision is a niche discipline owned by a single function and relevant to only one industry has been invalidated by everyone outside of those groups who is struggling to manage information risk.

Here are some of the assumptions that defined what supervision used to be:

  1. Supervision focuses only on registered reps: By its strictest definition, supervisory review is a must-do only for individuals who fall within the guidelines of FINRA 3110 (or similar SEC, IIROC, or FCA regulations elsewhere) that outline the requirements for those licensed to sell financial products to investors. Because the regulation also requires the deployment of a supervisory system and ongoing proof of supervision, many firms have attempted to limit the expense of supervision to the must-haves, resulting in a supervisory pool in the tens amongst an employee base in the thousands. In retrospect, we can see what’s missing in this equation: the fact that information risk can be generated by anyone.
  2. Supervision is relevant only to financial services’ compliance teams: A quick Google search of supervisory review yields “supervisory review process … encourages banks to develop and use better risk management techniques in monitoring and managing their risks”. In fact, the first several pages of search results speak only to banking and financial services, leaving the term stuck with a vertically-specific niche label. What was wrong with this vocabulary? The fact that better risk management techniques are a priority for firms in all industries, and for functions beyond compliance.
  3. Supervision is primarily about email and IM: First-generation supervisory systems required a significant amount of hand-holding, tuning, and cajoling, which has made those systems sticky over time (see: CA Data Protection/Orchestria). The problem with stickiness is that you become stuck with a system designed for the communication tools in use at that time, namely email and early public messaging tools (Yahoo, AOL, etc.). In fact, the overwhelming majority of supervisory tools in use today are built to evaluate items structured as individual messages and must resort to stripping down rich, dynamic content sources to fit that metaphor. What limits the usability of this approach? The fact that you can’t optimally address today’s communications risks with solutions designed for how people communicated in the past.
  4. Supervision focuses on known risks that can be expressed with lexicons and phrases: Supervisory review has long been about content: inspecting combinations of terms used in communications that signal a potential policy infraction, such as the use of inappropriate language. However, some infractions are more complex, can be observed only by looking at communication patterns over time, and may be more carefully disguised by those intent on wrongdoing. In fact, FINRA recently issued a report highlighting how firms should be looking toward technologies (RegTech) to address this increasingly complex dimension of risk. What is the message? Supervision must encompass known and unknown risks, and understanding conduct requires review of communications as well as behaviors and activities.

The new era of supervision requires pragmatic innovation. It should embrace advances in analytics, but should also improve the efficiency of covering the basics. It should be shared across functions in addressing known and unknown risks, rather than looking at a single function in isolation at a moment in time. You should look to partner with organizations whose sole innovative focus is on helping firms to more effectively manage risk, as opposed to those who are preoccupied with finding the latest flavor of polymorphic spam. Those exploring this new era should consider the following:

  1. Expand your supervisory circle: Given the fluid, dynamic nature of today’s communications networks, firms should consider looking beyond the registered base to encompass any employee who might have access to high-risk or high-value content. Specific policies can be defined for non-registered users and inspected on a less frequent basis. At the very minimum, supervisory systems should not limit your ability to expand the review of a potential infraction from the supervisory pool to the broader employee base.
  2. Don’t get hung up on the “supervisory” label: Terminology aside, supervision is a relevant business process for any firm that is concerned about enforcing regulatory and governance policies. Pharmaceutical firms need to inspect content for potential FDA rules violations in areas such as drug approval processes. Health care firms need to examine whether instances of PHI may be leaking through new communications networks. High technology and other high-value manufacturing firms need to ensure that intellectual property is being properly managed through new collaboration tools like Microsoft Teams. Each of these scenarios highlights that information risk management encompasses security and data privacy as well as regulatory compliance, and that each could benefit from the technologies and workflow that have traditionally been the domain of financial services’ compliance teams.
  3. Go where your employees and clients are: The days of email being the predominant tool for communications and collaboration are over. The next generation of supervision must respect the unique characteristics of all the communications channels and collaborative tools that employees use to do their jobs today. The supervisory review process should no longer be focused on inspecting messages; it should be designed to understand the context of conversations happening on rich, dynamic collaborative platforms.
  4. Embrace surveillance in order to identify unknown risks and link communications to behavior: Machine learning, artificial intelligence, and surveillance are rapidly evolving, highly specialized technology domains, but they do not address the basic blocking and tackling of compliance review. One will not replace the other. Think of communications archiving and supervisory systems as the heart, body, and skeletal substructures that feed whatever AI/ML brain you choose to invest in. Look for technology that provides the openness, throughput, and extensibility to deliver the communications workload at the scale and richness required by your organization to understand risky conduct and activities. This is the power of Superveillance: providing holistic insight into conduct across activities and communications channels, with pre-defined rules (Supervision) and identification of anomalous behavior (Surveillance).

The next generation of supervision is here. Are you ready?