“Just” Archiving Isn’t Enough – Is Your Business Really Compliant?
Financial services organizations are required by various governing bodies to review digital correspondence to ensure that risks are mitigated, and they are adhering to supervisory obligations. Many of these governing bodies require that firms adopt, implement, and enforce written supervisory and compliance policies and procedures in retaining these records for books and records purposes.
It’s challenging to keep up with the complexity of the financial industry, different regulatory agencies' oversight responsibilities, and evolving technology trends. The idea of a uniform supervision procedure just does not exist. Each firm must set its own policies that need to be reasonably designed to identify risk, applicable to their situation.
Subsequently, many organizations are looking for guidance on industry best practices to achieve a sufficient and effective review. The answer may be closer than they think. Here are our top four recommendations for setting up active communications supervision at your organization.
Establish supervisory practices
Archiving and supervision technology helps automate the collection, storage and monitoring of electronic correspondence. The review of problematic content, and enforcement of the process itself, however, are the responsibility of the firm. Many firms will purchase a technology solution to collect, store and enable the review of electronic correspondence, and then do little to update the review process or the technology itself – what you might call a “set it and forget it” approach. The review process should not only be reactive; it should also be proactive to detect potential issues before they happen.
Firms assume that this will be adequate, even as the technology landscape, business objectives and regulations evolve. They implement policies and procedures, but once the system is working, many fail to evaluate, improve or enhance processes over time.
The top organizations in the industry take the time to set up policies for their business to follow and schedule regular checks for the communications they archive to ensure they are following these policies. The areas of focus evolve. The supervisory policy, processes, and procedures should be a live initiative. This process becomes even more important as the number of collaboration tools, messaging applications, social media platforms and devices continues to grow.
Apply lexicons to filter communications
The use of lexicons (filtering electronic communications against a list of keywords or phrases) helps firms cull correspondence to more manageable levels. An example would be a lexicon tailored topically for high-risk communications or anti-money laundering, where only messages that meet specific criteria are surfaced for review. Lexicons, however, are only as good as the keywords in the system.
Unsophisticated lexicons are often accompanied by high rates of false-positive search results. Messages with little to no risk are triggered for review because they contain language that matches a lexicon. Wasting time reviewing false-positive electronic communications is unfortunately way too common.
Whether firms develop their own lexicons or use those developed by vendors, it is extremely important to address the regulatory activity and internal risks specific to the firm and its business. Setting up and managing lexicons will save time and help with supervising employee activities.
Document, test, and report on supervisory processes
It’s important for regulated firms to review the adequacy of digital communications policies and supervisory systems themselves. At a minimum, written supervisory procedures (WSPs) should outline:
- Names and titles of reviewers
- The process reviewers will follow to conduct each review
- Timing and frequency of review
- How the reviewers will evidence that the required supervisory steps were taken (including provisions for the escalation of regulatory issues to the designated supervisor or other appropriate departments)
WSPs should be updated not only to reflect regulatory changes but also when changes are made to the firm’s supervisory process. All firms should have regularly scheduled formal testing plans for all WSPs and their overall processes. Testing will ensure processes are being followed and any gaps are quickly identified and addressed. These strategies will help with timely supervisory control reviews and avoid the “set it and forget it” approach.
Reporting is another tool for ensuring an effective compliance program and lexicon maintenance. Reports are helpful tools to review the number of searches and audit history. They should provide a detailed history of how your lexicons interact with messages ingested in your archive. They can also help minimize false positives and unnecessary reviews which place a considerable burden on time and resources.
Regularly reviewing content reduces the need to examine giant swathes of data at wider intervals. It also increases the opportunity to identify problems early and often. Content review cycles should be weekly, but no less than once a month. We recommend performing a risk analysis to determine the frequency of your review cycles and the percentage of correspondence to surveil. And don’t forget to revisit these parameters as part of your annual review of the process.
Don’t be afraid to ask for expert help
The review process can be overwhelming for compliance professionals. Reviewing every aspect of communications data generated within a company may not be a productive use of time. Small firms may perceive that they don’t have adequate resources to implement a regular cadence of communications review. In addition, the resources that have the time to do regular reviews may not be privy to certain C-staff emails.
However, regulators generally expect all financial firms to review communications content monthly (at a minimum). It likely won’t be considered timely if the review is performed months after the interactions occurred, and important details could be missed.
Developing and fine-tuning lexicons and exclusion policies takes time and effort. Expert assistance from the right technology vendor can bridge that gap. Along with an intelligence supervision solution, they can help set up review processes, lexicon policies, and reporting and training, with the added benefit of receiving advice from an expert who is always on top of changing regulations.
Manage compliance, simply and effectively
Supervising archived communications can be confusing to navigate. But with the right processes in place, businesses can reduce risk and ensure compliance. Whether this is through setting up internal policies, lexicons and review processes or outsourcing this role to an expert team, there are ways to manage supervision that can help organizations ensure compliance.
Share this post!
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.