Regulatory Update

5 Financial Firms Hit With $1B in Fines for Compliance Gaps

July 22, 2022 by Robert Cruz


July 14, 2022. It was a day to remember for digital communications and compliance. The day that removed any doubt of regulatory focus on the tools that financial services firms use to reach investors. It was the day U.S. regulators dropped $1 billion of fines on some of the largest investment banking institutions for failing to monitor the use of mobile texting apps to conduct business.


While headlines focus on the staggering monetary penalty for use of a specific messaging application, WhatsApp, the outcome should not be a complete surprise. In fact, the SEC signaled its intent to examine social media and messaging practices months ago.

However, the issue of communications compliance is not limited to WhatsApp and mobile devices. This Wall Street sweep’s impact will be felt across the entire financial services industry. It has already prompted firms to:

  • Reassess their processes for evaluating business communications tools
  • Reconsider their oversight programs for identifying the use of prohibited tools (often despite defined policies and employee training and attestations)

Financial services firms large and small, both in the U.S. and abroad, are at risk of regulatory action if their communications policies aren’t being adhered to or supervised appropriately.

Watch Robert Cruz, VP of Information Governance, explain how digital compliance gaps let this happen.

Just say no to mobile messaging?

As we’ve covered before, compliance is evolving. Even before the pandemic, financial services firms struggled to make prohibition policies for specific communications channels work — in an era when the top concern for compliance was personal email accounts.

Today, we have an enormous supply of social media, collaboration, and mobile apps — from Signal, Discord, and Telegram to WeChat and Instagram — that are much easier to access by remote workers.

A rapidly growing portion of firms’ employees and clients prefer to engage on these networks and have demonstrated good results. Whether it is increasing assets under management, driving deeper levels of client engagement with TikTok (which comes with its own set of worries), or engaging on Telegram to pursue crypto business, it is clear that the way financial services consumers choose to engage has been fundamentally changed.

Furthermore, this is not a simple “yes/no” decision for leadership in financial services. Even the most rigorous upfront process to approve a new communications tool, based upon an “acceptable” level of risk, can be ineffective. This is due to any, or all, of the following:

  1. Wide access to tools that are not addressed under any policy (which would typically imply "prohibited")
  2. Accessibility and use of versions other than those that are approved (e.g., free or outdated versions instead of the current enterprise version)
  3. Failure to modify retention and written supervisory procedures (WSPs) to require inspection for prohibited networks
  4. The inability of existing oversight tools to capture, preserve, or play back the unique features, modalities and conversational syntax of individual networks
  5. Inspection that occurs too infrequently or only ad hoc, after an issue has surfaced

Ultimately, despite these policy and oversight safeguards and more high-profile fines, the issue is largely about employee conduct. Training, attestations, and a clear explanation of the consequences of violating policies are only the beginning of the oversight task.


Do you have a "compliance gap?"

A compliance gap is a difference between the tools approved for use and defined within policies by your firm versus the tools that are actually used in practice. Given the nature of technology innovation, that gap can expand, contract, or move, but it doesn’t go away.

We’ve monitored compliance gaps over the years and have seen the trend point to text messaging as an area needing more focus from financial firms. Post-pandemic that has shifted to include mobile messaging applications as well.

So, how can firms — particularly the resource-constrained — improve visibility into where today’s communications risks may reside? Let's start with a few recommendations for assessment and action. 

Compliance Gap: Absence or misalignment of communications policies, supervisory procedures and technology, in relation to the channels employees use in practice to communicate.

Rethink your cost/risk/benefit equation

As regulatory fines have moved from $50K slaps-on-the-wrist to multi-million-dollar territory, every firm should ask itself how much communications risk it is willing to accept.

This has often been gauged by expected benefits to the business (more effective pursuit of retail investors and growth markets) versus expected risk (likelihood of a regulatory violation × average fine size).

With an increased risk level, this analysis is no longer just about approving communications tools with an acceptable benefit/risk ratio. It is about defining and prioritizing the investments to reduce risk levels from accepted and prohibited communications sources.

Increase frequency and systemic monitoring for use of prohibited networks

Many firms periodically inspect for the use of prohibited tools (i.e., looking for breadcrumbs indicating that a specific platform like Discord is being used), but these practices remain ad hoc and only semi-automated.

The need to take a proactive posture in surveilling employee communications has never been greater, given the regulatory focus on the tools and other activities that can harm a firm's reputation and bottom line. This includes outside business activities (OBA) that are likely happening on unsupervised platforms. Those with bad intentions will go where they believe detection can be avoided.

Update acceptable use and retention policies

For most firms, communications policies are likely out of date now that employees are working from everywhere. When considering the unique feature sets that each platform offers (e.g., video recording, auto-generated transcripts, whiteboards, bots), policies should address not only specific modalities, but also how those capabilities may be used by specific job functions.

Keep your eyes open

The second element of the compliance gap — which tools are being used in practice — is the most challenging aspect of the gap analysis. Most employees simply want to get their jobs done, but hybrid work and the proliferation of mobile apps that have crossed over from personal to business have created a visibility challenge that has never been seen (or unseen) before.

We recommend that you start by maintaining an automated inventory of:

  • Communications tools that are supported by your IT and compliance functions
  • The functionality available within each of the supported/approved tools
  • Your current method of communications capture
  • Your tools and practices for monitoring approved and prohibited channels to feed into surveillance programs for periodic inspection
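The inventory above becomes useful when it is reconciled automatically against what devices actually report. The following is an added example, not code from this post or from Smarsh: it reads a constructed MDM-style installed-app export, compares each observation against a small approved-tools catalog (app identifiers, approved editions and minimum versions are all made up here), and sorts the findings into the gap categories discussed earlier: tools not covered by policy, approved tools in an unapproved (e.g., free) edition, and approved tools running below the approved version. Caveat a practitioner would add: an installed-app inventory only sees managed devices and native clients; web-based use and personal devices stay invisible and still need a separate control.

```python
"""Reconcile an approved-communications-tools catalog against an app inventory export.

Added example for illustration only. The catalog entries, app identifiers,
editions and the CSV export below are constructed, not real vendor data.
"""
from dataclasses import dataclass, field

# Constructed approved catalog: app identifier -> approved editions and minimum version.
APPROVED = {
    "com.microsoft.teams": {"editions": {"enterprise"}, "min_version": (1, 5)},
    "com.zoom.client": {"editions": {"enterprise"}, "min_version": (5, 10)},
}


@dataclass
class Observation:
    device: str
    app_id: str
    edition: str
    version: str


@dataclass
class GapReport:
    prohibited: list = field(default_factory=list)     # not addressed by policy at all
    wrong_edition: list = field(default_factory=list)  # approved tool, unapproved edition
    outdated: list = field(default_factory=list)       # approved tool, version below floor


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of integers.

    Non-numeric characters inside a component are dropped ("00" -> 0, "12b" -> 12).
    """
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def classify(obs: Observation, catalog=APPROVED) -> str:
    """Return the gap category for one observation, or "approved"."""
    rule = catalog.get(obs.app_id)
    if rule is None:
        return "prohibited"          # gap type 1: tool not covered by any policy
    if obs.edition not in rule["editions"]:
        return "wrong_edition"       # gap type 2: e.g. free version instead of enterprise
    if parse_version(obs.version) < rule["min_version"]:
        return "outdated"            # gap type 2: version below the approved floor
    return "approved"


def build_gap_report(observations, catalog=APPROVED) -> GapReport:
    report = GapReport()
    for obs in observations:
        bucket = classify(obs, catalog)
        if bucket != "approved":
            getattr(report, bucket).append(obs)
    return report


def parse_inventory(lines) -> list:
    """Parse a constructed CSV export with columns: device,app_id,edition,version."""
    observations = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("device,"):
            continue  # skip blanks, comments and the header row
        device, app_id, edition, version = (x.strip() for x in line.split(","))
        observations.append(Observation(device, app_id, edition, version))
    return observations


# Constructed sample export; device names and app identifiers are made up.
SAMPLE_EXPORT = """
# constructed sample export, not real data
device,app_id,edition,version
LT-0001,com.microsoft.teams,enterprise,1.6.00.1234
LT-0001,com.whatsapp,consumer,2.22.14
LT-0002,com.zoom.client,free,5.11.0
LT-0003,com.zoom.client,enterprise,5.9.3
LT-0003,com.discord,consumer,0.0.19
"""

if __name__ == "__main__":
    report = build_gap_report(parse_inventory(SAMPLE_EXPORT.splitlines()))
    for category in ("prohibited", "wrong_edition", "outdated"):
        for obs in getattr(report, category):
            print(f"{category:14} {obs.device} {obs.app_id} {obs.edition} {obs.version}")
```

Run periodically against a fresh export rather than on demand, and feed the non-empty categories into the surveillance workflow; a device with a prohibited client installed is the breadcrumb the earlier section describes, found systematically instead of by chance.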

Mind the gap

The issue of communication methods is dynamic and will continue to evolve. Talk to Gen-Z employees, engage social media influencers, track social media business adoption, and perhaps ask your teenage children and their friends about the apps they are using. The challenge is to stay ahead of what comes next. And the stakes have never been higher.
