As the broker-dealer world descends on DC for the Annual FINRA Conference this week, I wanted to retcurn to the discussion of FINRA’s new guidance on Heightened Supervision, first discussed here. Specifically, I’d like to click into the final point:
- “Embrace content surveillance: uncovering high-risk broker activities may very well exceed the limits of traditional lexicon and keyword-driven review policies. Content surveillance allows firms to dig deeper into the discovery of patterns, anomalies, and additional actors that may have avoided existing supervisory filters.”
The significance of this point is that throws the word “surveillance” into the discussion of heightened “supervision”. This raises a number of questions, including:
- Definitionally, what is the difference? Are these terms simply words to describe the same process?
- What, exactly, is “heightened” supervision? Is it simply turning the volume of existing supervisory tools up to 11?
- Can supervisory and surveillance processes co-exist or, ideally, feed one another?
We’ve talked with many firms – and their answers to these questions are all over the map. We’ve seen Requests for Proposals (RFPs) for “surveillance” projects, yet the majority of requirements outlined pertained directly to supervisory review. We’ve also seen many technologies designed for “surveillance” attempt to address projects with “supervision” requirements, in spite lacking some of the fundamental compliant capture, storage, and policy management capabilities. So, let’s first attempt to calibrate this discussion with some basic definitions.
Supervision versus Surveillance
Traditionally, supervisory review, or supervision, has referred to the review of communications of registered representatives to meet requirements in FINRA 3110 and elsewhere. Basically, a review of content to determine who has communicated with whom about what. Many firms have designed review processes to evaluate email using keyword-based lexicons assembled into policies, based upon their existing supervisory workflows to determine the appropriate escalation and action for potential policy violations. Most importantly, these systems are designed to address known policy infractions, as opposed to those that may be disguised by high-risk brokers who are attempting to evade compliance scrutiny. Well established supervisory tools, such as CA Data Protection (formerly known as Orchestria), are also designed to work best for flat, monolithic communication formats like email, and don’t do as well in processing rich, dynamic communications formats like unified communications or social media where conversational context can be harder to follow and analyze.
In contrast, Surveillance has been traditionally focused on the analysis of activity. It often uses behavior analysis or machine learning to identify anomalies without pre-defined rules. It has also undergone a recent surge of interest due to requirements of new regulations such as MiFID II (requiring that all communications be captured, inspected, and married against a transactional event), and as the fact that more firms are arriving at shared views of information risk across legal, compliance, and security departments as noted in this post.
Some of the unique differences are summarized in the table below:
What, exactly is “Heightened Supervision”?
Given the recently published FINRA Notice 18-15, many firms will soon be scratching their heads attempting to define new supervisory protocols that are appropriate for those with histories of wrong doing. With existing supervisory tools already buckling under the weight of review volumes and complexity created by new content types, simply turning up the dial to review more frequently is not an effective answer.
Fortunately, the need for Heightened Supervision bodes well with the fact that supervision and surveillance are not mutually exclusive. In fact, business requirements are often a mix of both, with the types of policy violations representing a continuum versus discrete end-points, as illustrated here:
Consequently, firms who have a mix of requirements should look for solutions that help to improve the efficiency of established supervisory processes, while providing the analytics to uncover the unknown. Rather than looking for products that address “Heightened Supervision”, I’ll offer an alternative phrase stolen from my colleague Gregory Breeze – Superveillance.
How Supervisory and Surveillance Solutions Can Co-Exist
As more firms seek solutions that address both supervision and surveillance requirements, firms should keep a few principles in mind: they must cover the compliance fundamentals as well as yielding new insights with analytics; they must address all communication sources in use by representatives; and they must be open and extensible to fit into the compliance, supervisory, and investigative fabric within an organization. We will cover these principles in more detail in a post to follow.
Latest posts by Robert Cruz (see all)
- SmarshCONNECT and Disrupted Communications: Mitigating Risk - May 14, 2019
- SmarshConnect and Disrupted Communications: Embracing Transformation - May 1, 2019
- Disrupted Communications and the Importance of Architecture - March 28, 2019