5 Communication Lessons Every Regulated Industry Can Learn from the Financial Services Industry
The SEC spent the latter part of 2022 issuing a series of exceptionally large enforcement actions against financial services firms over unapproved communications tools. Most of these actions stemmed from recordkeeping violations. Because broker-dealers and investment advisers were using unapproved tools, firms couldn’t capture and preserve any business communications.
The enforcement actions sent a very loud message that the SEC is focused on digital communications. The increased regulator attention on digital communications in the financial services industry can be a taste of what’s to come for other financial segments or regulated industries, including insurance, energy, utilities, and pharma.
Learn how to turn your regulatory obligations into proactive risk management.
Although they may not face the same scrutiny or degree of rigor as those who have employees in the securities market, organizations in other regulated industries have recordkeeping obligations that require preserving business records. For those firms, the line between personal and business can be much blurrier, raising a variety of challenging personal data privacy questions.
Nevertheless, there are several key takeaways that all firms should learn.
1. Have visibility into the tools that your employees are using to conduct firm business
The recent regulatory actions are not about WhatsApp or mobile devices. They illustrate the need for compliance and governance practices to stay in step with how employees and clients communicate.
The business benefits of using new communications tools shouldn’t be lost in the regulatory headlines. Every business must find a path to new clients (as well as employees) who are digital natives and demand to use tools that are familiar and accessible.
As a start, firms should assess existing governance processes for supporting new tools – and re-evaluate the ROI for existing tools:
- Are clients looking to reach you via text messages?
- Are they likely to engage on LinkedIn?
- Do you really need to support three different conferencing solutions?
Recent events provide an excellent reason to examine those individual business cases.
2. Risk can take on many shapes and forms
A compliance gap is the difference between what tools the business uses in practice and the current breadth of a firm’s compliance and governance controls. Every firm will always have some form of compliance gap.
What firms should now examine is the potential adverse outcomes produced by those gaps, which go well beyond possible regulatory compliance issues. Consider the following recent events:
- A court imposes adverse inference sanctions for failure to preserve marketing videos and related social engagement data in a copyright dispute
- Twitter and Netflix illustrate how Slack has become a prime destination for office meltdowns
- Myers Container immediately fires employees for sending racist tweets
- Email anti-spam provider sues departed employees for downloading trade secrets onto USB drives and personal email accounts
As part of the effort to harden governance counsels, firms should ensure that any initial assessment of the benefit vs. risk of new technologies includes a holistic view of risk. These evaluations should include the active participation of those who can assess regulatory, intellectual property, security, privacy, and discovery risks.
Understanding the features, the existence and availability of unsupported versions of the tool, and the identification of alternatives to prohibited tools should all be baked into the policy analysis.
3. Revisit your definition of ‘business records’
Long gone are the days when business records were easily identified and tagged by certified records managers, confined to email, or securely under management within an enterprise content management system. Information value and risk now live everywhere in a sea of disparate data sources growing at epic proportions.
What the plethora of mobile, social, voice, video, and AI-enabled collaborative content has elevated is the critical nature of retention policies. The long-standing fear of over-retention is always a topic of debate. However, hyper-scalable public cloud options have overcome most technological limitations of storing more data for longer periods of time on dated on-premises.
Storage cost and fast retrieval of retained records should now be evaluated against one overriding consideration: the time, cost, risk, and uncertainty of relying on the alternative approach to collect records on-demand.
Each communications tool is different, with unique syntax, nomenclature, and access methods (API based or otherwise). Firms now face the added risk that some of that contextual information may:
- Not be retrievable
- Have changed since the last time they checked
- Have limits on the look-back period for retrieval – or that the content source provider has no understanding or processes to meet records, discovery, regulatory or other obligations
The recent WhatsApp fines are perfect examples of the trade-offs between proactive retention vs. reactive collection strategies.
4. Maintain and preserve the fidelity of those communications
Beyond the retention decision, the preservation and playback of multi-modal social and collaborative content are also significantly impacted by choice of technology. With many different technology vendors available, meeting records, discovery, or investigative demands can be easy — or next to impossible.
Most firms share some notion of the need to preserve “complete and accurate” historical records and the discovery duty to preserve all material that may be relevant to litigation. The ability to decipher context from multi-modal tools that potentially include likes, shares, edited content, emojis, and modern attachments is vital to meeting those obligations.
Firms must stay apprised of market developments to inform migration decisions from email and document-centric legacy solutions. Virtually every e-discovery, archive, and compliance tool is frantically attempting to re-architect their solutions to understand and playback today’s collaborative content.
5. Expand your supervisory and oversight circle
Firms with regulated employees have a first-mover advantage in having established processes to supervise employee communications and meet explicit regulatory requirements. Most are updating policies and lexicons to spot off-network or change-of-venue activities to spot potential violations. They are also expanding the use of natural language processing-based solutions to help identify other prohibited tool usage hiding amongst the approved network communications.
Organizations outside of wealth management can benefit from that experience. Supervisory workflows can be leveraged to inspect stored communications periodically for potential red flags. There are also proven models that can inspect for instances of WhatsApp, WeChat, Signal, Discord, Mastodon — or whatever tool where your risk management team needs greater visibility into employee behavior.
Investments in policy, training, and technology are equal pillars in the off-channel management equation and provide a good foundation for safeguarding your firm against employee misconduct. Recent regulatory actions further solidify the importance of that investment: leverage all available resources to help shrink your communications compliance gaps.
Share this post!
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.