Off-Channel Communications: Debunking the Myths
From the webinar: Mythbusting Prohibition: Is it really less work? by Stacie Craddock, Founder & Senior Consultant, Integrated Compliance Advisors and Tiffany Magri, Senior Regulatory Advisor, Smarsh.
Preventing employees from carrying out business-related communications over unapproved channels is critical to avoiding regulatory violations and fines, but there are a few misconceptions that can put a financial services firm at risk. In a recent Smarsh webinar, experts discussed these myths and how to mitigate the risk of these “off-channel communications” so that firms can avoid compliance gaps.
Myth #1: A prohibition policy is enough
“The reality is that general prohibition policies are no longer enough,” said Tiffany Magri, a senior regulatory advisor at Smarsh.
Advisers continue to rapidly adopt new ways of communicating with clients, but if these communications are occurring on prohibited channels, that puts the firm at risk of regulatory violations and fines if they are not being properly captured and preserved.
The SEC has been clear that firms must adopt a proactive risk management posture to prevent employees from engaging in off-channel communications or using unapproved personal devices for business purposes if they are to meet their recordkeeping and supervisory obligations.
It starts with the “tone from the top,” as the SEC has emphasized in its recent enforcement sweep against firms whose senior management and compliance teams used prohibited channels for business purposes. FINRA similarly indicated during its 2023 annual conference that its examination priorities will focus on off-channel communications.
Senior management and compliance teams should do more than just talk the talk — they need to walk the walk. Rather than preaching about the risks of off-channel communications and taking no action, they must find ways to ensure employees are following the firm's e-communication policy and procedures.
For firms that don't yet have an off-channel communications policy or supervisory procedures, "what I would first do is review the SEC risk alerts," said Stacie Craddock, senior consultant and founder of Integrated Compliance Advisors. "See what the regulators are seeing. Review those enforcement actions."
Senior management and the firm’s compliance team should decide which communication channels the firm approves and implement a clearly defined e-communication policy and procedures. Once the compliance controls are in place, the firm should enlist a records-retention vendor or decide how it will monitor communications itself.
Regularly take inventory of all the communication channels that the firm’s employees and advisers use. “We suggest reviewing those on a quarterly basis for larger firms and then a semi-annual basis, or as needed as more channels come out and advisers are coming to you with questions on whether they can use [certain communication channels] or not,” Craddock said.
It’s also important to understand what business records the firm must keep to meet its record-keeping requirements and where to keep those records, Magri said.
Myth #2: Annual training is sufficient
Annual training is not sufficient to keep pace with new communication channels and ever-evolving regulatory requirements concerning off-channel communications. It’s necessary to hold refresher courses to keep employees up-to-date. Training should be viewed as a continuous process.
Employees should know what communication channels the firm approves as well as prohibits. “Reinforce that message regularly,” Magri said.
One way to do that is to issue an email newsletter that addresses, for example, any new regulations or enforcement actions resulting from violations of off-channel communications. Then, firms ought to integrate those into employee training as well.
As part of their training, employees should know what to do in the event they inadvertently engage in off-channel communications — such as a text message from a client. In this instance, the message or conversation goes completely undocumented. Firms should prep employees on answers to questions such as, “Who do I call? How do I manage that? How do I document for that?”
One best practice is for the firm’s Chief Compliance Officer (CCO) to have an open-door policy. “You definitely want to make sure people feel like they can come to the CCO or whoever is in charge of these policies and procedures should that action happen,” Magri said.
After training, employees should be required to attest that they understand the firm’s e-communications policy. To take those attestations one step further, if something is uncovered during a risk assessment, consider having employees acknowledge, “‘If you violate the policy, we’re allowed to look at your device to ensure that you're not [engaging in off-channel communications].’ That’s really what the regulators expect — how are you controlling that environment?” Craddock said.
Magri also noted that firms should have a handle on what disciplinary actions to take, or what escalation procedures should be in place, in the event of a policy violation. Examples include:
- Issuing a disciplinary warning
- Clawing back executive compensation or bonuses
- Terminating individuals at the center of the misconduct
Myth #3: It’s impossible to reasonably monitor for off-channel communications
“Policies and procedures, training, and reasonable supervision of off-channel communications should be part of your compliance framework,” Magri said. When monitoring for off-channel communications, regulators expect firms to watch for red flags and follow up on them.
Lexicon searches are one way to proactively detect potential misconduct: they look for keywords and phrases that point to potential off-channel communications in the datasets the firm is already capturing. Firms should use lexicons to their advantage.
Additionally, firms should adjust their lexicons and monitoring practices to detect channel-hopping, which occurs when conversations transition from approved channels to off-channel communications. For example, a firm could add phrases such as “Let’s take this conversation offline,” or “Text me” to its lexicon.
“If you’re doing a lexicon-based search, which I think is best within your archiving solution, update those words,” Craddock advised. As new off-channel communications arise, it’s important to keep those lexicons fluid, she said.
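The following is an added example, not code from the webinar or from any archiving product: a minimal lexicon scan for channel-hopping phrases over already-captured messages. The message fields, the sample messages and every lexicon entry other than the two phrases quoted above are constructed for illustration.

```python
import re
import unicodedata

# Lexicon is plain data so it can be updated as new channels appear.
# The first two phrases come from the article; the rest are constructed.
LEXICON = [
    "let's take this conversation offline",
    "text me",
    "call my cell",          # constructed entry
    "message me on my personal",  # constructed entry
]

def normalize(text):
    """Fold case, curly apostrophes and runs of whitespace before matching."""
    text = unicodedata.normalize("NFKC", text)
    text = text.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", text).casefold().strip()

def compile_lexicon(phrases):
    """Build one boundary-anchored pattern per phrase."""
    compiled = []
    for phrase in phrases:
        norm = normalize(phrase)
        # Boundaries stop "text me" from matching inside "context menu".
        rx = re.compile(r"(?<!\w)" + re.escape(norm) + r"(?!\w)")
        compiled.append((norm, rx))
    return compiled

def scan(messages, phrases=LEXICON):
    """Return one review item per message that contains a lexicon phrase."""
    compiled = compile_lexicon(phrases)
    hits = []
    for msg in messages:
        body = normalize(msg["body"])
        matched = [p for p, rx in compiled if rx.search(body)]
        if matched:
            hits.append({"id": msg["id"], "channel": msg["channel"],
                         "sender": msg["sender"], "phrases": matched})
    return hits

# Constructed sample of archived messages from approved channels.
SAMPLE = [
    {"id": 1, "channel": "email", "sender": "adviser_a",
     "body": "Let\u2019s take this conversation offline."},
    {"id": 2, "channel": "chat", "sender": "adviser_b",
     "body": "Right-click to open the context menu."},
    {"id": 3, "channel": "chat", "sender": "adviser_c",
     "body": "TEXT   ME the account details"},
    {"id": 4, "channel": "email", "sender": "adviser_d",
     "body": "Quarterly report attached."},
]
```

Each hit is a red flag for a reviewer to follow up on, not proof of a violation; passing an updated phrase list as the second argument to `scan` changes what is flagged without touching the matching code.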
It’s also a good idea to adapt the firm’s lexicon search to accurately capture communications beyond text, to include emojis, GIFs, videos, and voice-to-text features that could also point to misconduct. Keep in mind, however, “in the eyes of the SEC, a text is a text,” Craddock said. “It doesn’t matter what’s in it.”
If a text is taking place over approved channels, “how is it being archived and reviewed and monitored?” And if it’s happening over an unapproved channel, and it’s not being captured, “you’re out of compliance,” Craddock said.
Oftentimes, too, employees aren’t capturing internal communications taking place on approved platforms within their archiving processes — and not just communications with clients, but any internal business communications, Craddock said. So, another best practice is to have a review process in place to look for off-channel communications within permitted channels.
For example, FINRA has indicated that using visual aids — such as whiteboards, or a chat or instant messaging feature during a live, unscripted online presentation — could have consequences for the firm if those aspects of the presentation are not being supervised correctly. Magri advised that, “it’s crucial you're capturing all those communications within your supervision framework.”
Firms should think about whether to go through older communications to see if there may be compliance gaps elsewhere. “Maybe take a look back and see how that’s going to affect what the firm is going to do with its policies and procedures going forward,” Magri said. It will also let the compliance team know that remedial measures need to take place.
Don’t ignore compliance gaps
Keep in mind, your firm might be required to self-report potential violations to regulators. While self-reporting a violation could still lead to a fine, you could find yourself in a more favorable situation going into an exam in the future. Regulators expect companies to mitigate that risk before they find out about a problem, so it will pay off to be proactive. Fixing the problem will always be a better option than ignoring it.