SIFMA C&L Conference Recap: Good Channel Governance is Top of Mind
We just wrapped up a very successful SIFMA C&L conference in San Diego. This event finishes off a series of great panels and conversations with customers and prospects on a front-line topic related to the ongoing enforcement activities and regulatory focus around off-channel communications. Despite everything happening in the financial markets within the past week, firms continue to focus on defining the proactive steps that regulators expect firms to take to remediate deficiencies and improve visibility into the use of prohibited communications tools.
This theme was clear from the beginning of the event with the opening remarks from SEC Division of Enforcement Head Gurbir Grewal, who indicated that the SEC continues to focus in this area with ongoing sweeps and activities that examine the practices surrounding social media finfluencers and digital engagement activities. In their view, the size of previous enforcement actions “were just about right” in sending the appropriate message of deterrence – which was something not lost amongst this audience of compliance and legal executives.
However, one noticeable aspect of off-channel discussions during the conference was the emphasis on the negative, specifically, what firms should do to spot infractions. What was not as thoroughly addressed was the inverse — how firms can adjust their decision-making processes to determine which communication channels to allow their employees to use.
As noted by Grewal in the opening remarks, “written policies and procedures alone are not enough” – which we will extend with the historical reality (of personal email accounts, personal cell phones and text messaging) that prohibition policies alone are rarely effective. Effectively governing digital communications today should clearly and explicitly define behaviors that employees can engage in before delving into the consequences of policy infractions.
We carried this governance theme into our lunch and learn session co-hosted with Anuj Puri from Ernst & Young. Here are some of the observations and takeaways we uncovered as part of that discussion.
It all starts with good governance
The first and best proactive step in dealing with off-channel communication is to examine how firms analyze the benefits and risks of various communication sources to determine which to allow and which to prohibit.
We are hearing that many firms are adjusting this front-end governance process so they can look more holistically at how their companies examine benefits and risks. For many firms, these evaluation processes are happening more frequently and with greater executive-level support. We have NOT heard that the arrival rate of new communications tools has slowed or that firms are making drastic changes in favor of prohibition policies.
The reason seems clear: organizations continue to see the benefit of using social and mobile applications to reach new audiences, connect with retail investors and provide greater engagement than they might have done through traditional communications sources. However, firms expect more evidence that the tool will be used in more than a one-off fashion, which entails greater due diligence of how specific job roles will use specific features and modalities.
More risks = more stakeholder engagement
Governance councils and processes look more holistically at the variety of risks that might arise if they adopt a communication tool. This change in risk analyses recognizes that new communications technologies are not just potential carriers of compliance risks. They also raise the often top-of-mind infosec vulnerabilities, data privacy questions, and the potential for code of conduct issues such as Slack bullying or textual harassment.
Mobility: The corporate owned vs. BYOD debate
Speaking of texting, personal versus corporate-issued mobile device policies continue to be a primary off-channel concern, especially given the nature of the initial enforcement actions. Changes to policy here are a bit surprising, as we’ve not seen a wholesale move back to a corporate-owned strategy. The reluctance is linked to the economics and overhead for larger firms, and the recognition that moving back to a world of two phones (if you ever left that world) doesn’t eliminate the off-channel risk if someone happens to pull out the wrong phone to talk to a client. Most surprisingly, awareness of BYOD and other 3rd party capture alternatives remains mixed (at least amongst senior level compliance and legal staff), even though mobile device management and containerization approaches are mature and have been in use by regulated industries for multiple years.
The next network, and changes to those you already have
In contrast, we had very few conversations with this audience related explicitly to WhatsApp. That may be a visibility issue or recognition that enforcement actions are not just about a single messaging app. Whether the decision is about WhatsApp, TikTok, Telegram, Mastodon or whatever new network, what matters is the recognition that each of these communications sources is unique. Firms need to inspect their ability to understand, capture, and provide oversight into tools that may have persistent, multimodal, recorded conversations.
That process begins with a reliable method of capture, and more firms recognize the complexity of meeting the standard of “you can’t use what we can’t capture.” APIs may not be available, or may change, or may be something content providers adjust for monetization. Given recent actions by Microsoft, Twitter, and LinkedIn, evaluating methods of access is now a larger factor in assessing off-channel risks. The frequency of changes, both to methods of access and through the deployment of new features, was one of the largest challenges expressed in many of our discussions.
Our partners at E&Y have also raised an important consideration when evaluating tools: data size. Firms must verify whether tools can handle large data objects, such as recorded conversations or video files. These can be significantly large and difficult to transfer into a legal review tool or into a downstream surveillance tool. Firms need to understand that they're dealing with big data from multiple sources, and the systems they have in place must be able to handle the job adequately.
And, of course, what is a conference without 142 mentions of ChatGPT and its use in financial services? There has been an explosion in the use of OpenAI by Microsoft, Salesforce, and Google. So naturally, questions were asked about how firms are setting policy to govern the use of OpenAI, and what can be done to preserve records and provide oversight for the use of AI-generated communications.
Blog, part II: The off-channel impact on supervision and oversight
Governance and capture strategies were only the beginning of the off-channel discussions. Preservation, ongoing oversight, and steps to train and align internal teams were all topics requiring further exploration. Stay tuned for Part 2 of this blog.
Smarsh Blog