Structuring a Best-in-Class Mobile Compliance Strategy

October 11, 2023 by Smarsh

From the webinar: Reviewing and Revising Your Mobile Compliance Strategy by Robert Cruz, VP, Information Governance Solutions at Smarsh and Blane Warrene, VP of Product Management at Smarsh.

Regulators like the SEC and FINRA have made it clear they won’t be letting up on examinations any time soon and continue to sweep for off-channel communications violations. The CFTC, for example, remains hyper-focused on enforcement of mobile usage, following its $250 million in off-channel regulatory enforcement actions earlier in August of 2023. With regulators watching closely, firms must have a mobile compliance strategy that helps mitigate risk and protect against fines and reputational damage.

In our recent webinar, Reviewing and Revising Your Mobile Compliance Strategy, our experts discussed best practices for creating a robust mobile compliance strategy that eliminates compliance gaps while enabling clients to use their preferred digital communication channels.

Key elements of a mobility compliance strategy

Organizations must consider multiple factors today when implementing a mobile compliance strategy or enhancing one that is currently in place. “One key factor to consider,” noted Smarsh Vice President of Information Governance Solutions Robert Cruz, “is the employees’ and clients’ use of multiple and various mobile communication channels and digital applications — such as Zoom, Teams, and Slack — and all the various features within those applications.”

When thinking about how to structure a robust mobile compliance strategy, Blane Warrene, vice president of product management at Smarsh, advises organizations to first think about all use cases. “Consider all the ways your employees and clients use digital communications,” said Warrene. Weighing risk against reward should account for the reasons people use specific channels. For example, are your key finfluencers insisting on using a trending new channel, and starting business-related conversations with advisers on that channel? Are they cooperating when ushered onto an approved channel? Does that additional step before having an actual conversation cause any frustration?

Some other questions to consider include:

  • Do we use Microsoft 365 or Google Workspace?
  • Do we allow voice and text features on corporate phones or employee-owned phones?
  • What do we do when our customers want to communicate with us on mediums they’re comfortable with — WhatsApp, WeChat, or other communications channels — that aren’t natively a part of the enterprise?

Warrene also recommends drawing a Venn diagram to find overlaps and better determine where to put focus around a mobile compliance strategy. “That Venn diagram exercise, while it sounds cliche, really does help us focus in on all of these things: What makes sense for us? What’s rational for us to implement and be able to meet our regulatory requirements?” he said.

Mobile communications oversight

When structuring policies and procedures related to mobile communications oversight, Cruz recommends one key consideration: decide whether to allow a particular communications device or how to enable a compliance strategy around that. As part of that decision, consider which firms to partner with, Cruz added. “Companies are asking themselves … Do these providers understand what my regulatory obligations are? Are they providing access to APIs? Are they making it easy for me to create and preserve a historical record?”

Many organizations are now also starting to operationalize their governance processes around their mobile compliance strategy through multi-stakeholder discussions with their data security, data privacy, and IT teams to get a holistic view. “Ask yourself, ‘Do we really have a good read on the benefits and costs and risks of these various communication decisions?’” said Cruz.

Along the lines of a governance structure, it’s also a good idea to have a data retention policy and a code of conduct to put policies and procedures around “acceptable and prohibitive behaviors,” Cruz said.

“It’s not just outlining a policy, setting it, and forgetting it,” Cruz added. It’s also making sure that people understand clearly that there will be real consequences for policy violations, “whether that means suspension, termination of employment, et cetera,” he said.

On the flip side, consider the implications of not allowing certain mobile communications, Cruz advised. “Do you have the ability to enforce a prohibition strategy?” All that needs to be considered, he said.

Warrene stressed that having those governance controls complements the use of a Venn diagram strategy because it creates better policies and procedures “versus guesswork or trial and error,” he said.

Employee training is another critical component, Warrene noted. Training employees on what mobile communication channels they are allowed to use and how to do so in a compliant way helps mitigate risks for the company. Additionally, because mobile technologies are continually evolving and new features are added constantly, it’s important to refresh the training every year to keep pace with those changes.

There are many ways to evaluate the effectiveness of a mobile communications strategy, including annual reviews, attestations, validation of annual training, and even using things like artificial intelligence (AI) and machine learning to look across all the various communication mediums — from email to Microsoft Teams to social media chats to text messages — to analyze employees’ engagement with clients and behavior patterns.

Additional best practices

Below is a list of recommended best practices for structuring a robust mobile compliance strategy.

Focus on tone from the top

Regulators have made it very clear that tone from the top is critical. Are senior executives communicating down into the business which activities employees are and are not allowed to carry out over mobile communications? “That tone really sets everything in motion as far as how effective these policies, procedures, training and technologies that are deployed can help you and mitigate some of the risks,” Cruz said.

Capture emojis

Another important consideration is the growing use of emojis in business communications and how to capture those from a regulatory compliance perspective — such as the rocket ship, money bag, and stock chart emojis, which regulators have said constitute financial advice.

“Regulators are saying, in essence, that [emojis] could be used as their own language in replacement of words,” Warrene said. “It may seem silly to focus on emojis, but it is really valuable to understand. How are you getting this data, and can you actually supervise it?”

Monitor high-risk areas

Regulators also expect organizations to have their finger on the pulse of areas of higher risk, such as closely monitoring individuals who may have violated the company’s mobile compliance policy in the past. “That’s where you need to be emphasizing and doubling down your efforts,” Cruz said.

Regulators will also be paying attention to whether there are systemic behavior patterns of clients sending business communications over channels like WeChat, for example. “How are you addressing this across the business? Is it operationalized so that people understand what they can and cannot do related to these tools?” Cruz said.

Focus on the organization’s use cases

Establishing oversight controls and policies and procedures around a mobile communications strategy is a complex process by design due to the various ways employees and clients communicate today. Focusing on the organization’s specific use cases, using the Venn diagram strategy, and putting structure around those will help the organization meet its regulatory compliance objectives. Concluded Warrene, “You really can tease out something that makes sense for your business versus it being quite so confusing.”
