2023 FINRA Risk Management Priorities: The Year of Digital Communications
Note from the “author”:
This summary was produced by ChatGPT, with further editing representing 20% of the final copy. The impact of AI on financial services and communications with the public is enormous in light of recent announcements of the integration of OpenAI into Microsoft Teams and Google’s investment in its new Bard platform. More on that topic to come.
Smarsh recently hosted a webinar on FINRA's 2023 Exam and Risk Monitoring priorities, focusing on the digital communications implications of the report. Elin Cherry, the Global Head of Compliance Services for Elinphant, a Softek company, shared her expertise in implementing compliance programs and conducting electronic communication review. Tiffany Magri, Smarsh Regulatory Advisor, brought her experience in compliance, risk management, and regulatory and policy analysis to provide insights on the current financial-service regulatory environment. Robert Cruz, VP of Information Governance at Smarsh, moderated the discussion.
Given the density of the report, Elin Cherry recommended that every item be read and evaluated in terms of its relevance to a particular firm. She suggested asking two questions for each item in the report:
- Does this apply to my firm?
- If so, are we covered (i.e., have we managed it well, and do we need to test it or address any weaknesses)?
Cherry also emphasized the importance of documenting the findings and addressing the highest-risk items.
Furthering the conversation, Magri underlined the importance of focusing on what applies to a firm and prioritizing the highest risks as identified by FINRA. She suggested adjusting your firm’s risk matrix as needed, then putting the findings through a compliance risk assessment throughout the year to fill any gaps and improve best practices.
The panelists then turned to three topics that directly impact digital communications:
- The focus on mobility
- Updated recordkeeping requirements
- Technology governance and cyber compliance
The Focus on Mobility
Mobility has become a front-and-center issue because of remote and hybrid work and recent enforcement actions for off-channel communications. Since individuals use their devices all day long, firms need to adjust their oversight strategies. Magri noted that the last two years accelerated the use of technology such as text messaging, social networks, and applications like WhatsApp, surfacing a key challenge of determining the gaps in a firm’s mobility strategy and ensuring that prohibited activities are not taking place. Regulators have taken a much more aggressive stance about being proactive in this area. Firms will need to address this by looking for prohibited activities, increasing their training, and redefining how they allow people to communicate.
Cherry shared that her clients are reacting by getting the ear of senior people, and the confiscation of phones from senior people at firms is sending the right message. However, attestations are not enough. Firms need to make sure they are proactive in protecting themselves from regulatory fines. In addition, senior levels need to understand the importance of ensuring that off-channel communications are not being used.
Given ongoing sweeps activities, both panelists agreed that all firms need to be on alert — from large to small and covering all segments of the industry — as noted by the recent SEC action taken against hedge fund firms.
Updated Recordkeeping Requirements
The updated recordkeeping requirements under SEC 17a-4 have led to changes in the way firms are thinking about records management. The update focuses on a principle-based approach and attempts to harmonize regulation with current technology. Cherry highlighted that the update had generated questions from her clients regarding revisions to Letters of Undertaking, as well as third-party downloader requirements and the due diligence that firms must undergo when using cloud-service providers. She also highlighted that one of the biggest concerns from an operational standpoint is the process of reviewing the records and recreating them during a supervisory obligation or audit. Firms should ensure that their vendors understand the books-and-records requirements and don’t impede the firm’s ability to meet its regulatory obligations.
All panelists agreed that a shift towards an audit trail would not be a simple process, as it requires a log of everything that takes place for each individual record for each day of the year — and for each time a different communication type is used. The operational aspects of this process are difficult, and firms may not be willing to take on the risk. This is especially true when it comes to the trade-settlement process and other areas where vendors are involved.
Webinar attendees also raised questions regarding regulatory guidance on using video communications and recordings, natural-language processing, and models in the financial industry.
Magri noted that there is additional guidance from FINRA on the use of video technologies and how they should be integrated into communications with the public. Video content is being considered a business record by more firms, and Magri encourages all firms to evaluate their policies and procedures in this area.
Attendees were also curious about the use of machine learning in conduct surveillance and electronic communications review. Magri noted she is seeing a lot of interest in natural-language processing and its potential to reduce the number of false positives in reviews and identify red flags that a lexicon-based review system may miss.
Cruz also noted that regulatory guidance on the use of artificial intelligence and natural language processing is expected, and that FINRA has indicated that it will be vocal on the topic. He expects the use of these technologies to increase in the industry, as they provide a way to address the variety of information that can escape a lexicon or a human reviewer's ability to understand.
Technology Governance and Cyber Compliance
Technology governance and cyber compliance are crucial aspects of the financial industry, with organizations like FINRA increasing their department by 200% to deal with cybersecurity risks. The SEC has also put forth a yet-to-be-finalized cyber compliance rule that is expected to change the way companies approach technology governance and cyber compliance.
Magri highlighted that regulatory focus has shifted from solely the IT department. Compliance teams are being tasked with understanding third-party risk and the risk that may be present with cloud providers. The FINRA exam priority list highlights the importance of cyber and technology governance, focusing on the risk of financial crimes.
Cherry suggests vendor due diligence should be a top priority. At the same time, Magri adds that testing is crucial to identify areas of weakness and that it is essential to bring in outside sources for help with cybersecurity and IT, which can be intimidating for some. Both experts emphasized that technology governance and cyber compliance are increasingly important aspects of regulatory focus and that firms must take them seriously.
Considering the high visibility and focus on digital communications, firms must act in response to recent letters from FINRA and the SEC to implement a comprehensive plan for managing data and allocating the necessary resources to make it a success. Testing should also be ongoing, focusing on bringing outside sources of knowledge and collaboration, particularly in cybersecurity and IT.
It is also important for firms to increase their investment in keeping up with the latest technologies and tools, as the pace of change will only continue to accelerate. Firms must stay informed about new capabilities, social media platforms, and other trends that may impact their business to stay ahead of the curve.
As ChatGPT illustrates, the digital landscape is rapidly evolving, and firms must be diligent in their efforts to keep up. By prioritizing vendor due diligence, testing, and staying on top of technology, firms can harness the power of today’s digital communications while mitigating potential risks.