Compliance and Technology: 4 Key Takeaways From a Supervision Survey of Industry Professionals
FINRA and SEC-regulated industries are required to review business-related electronic correspondence to ensure compliance. However, there aren’t standardized supervisory procedures as the methods are left up to the firms and businesses.
Smarsh recently conducted a joint survey with Elinphant, a financial services risk management and compliance consulting firm, to learn more about the supervision of electronic communications. A broad mix of FINRA and SEC-regulated professionals including RIAs, broker-dealers and insurance advisors responded and provided insight on:
- The policies and procedures firms are evaluating
- What methods are being used to evaluate policies and procedures
- Common supervision practices
- Trends and concerns related to supervision
- Technology-based compliance
Here are four key takeaways from the survey:
1. Avoid the “Set it and forget it” approach to supervision
The most-reported approach to supervision was “set it and forget it.” It is common for firms to implement policies and procedures but rarely update those policies — despite the continuing evolution of communication technology and practices in the workplace.
“It appears that once lexicons, exclusions, policies and procedures are set, the firm will operate for years without adjusting them,” said Elin Cherry, Elinphant founder and CEO. “It's essential for [compliance] technology to evolve as business objectives and regulations evolve, so there's significant risk to ‘setting and forgetting.’”
However, this approach goes beyond exclusions and lexicons. It also includes:
- Frequency of review
- Percentage of content reviewed
- How to perform reviews
“Unfortunately, the ‘set it and forget it’ model will most likely continue until regulators begin fining firms,” said Marianna Shafir, Smarsh Regulatory Advisor. “But this doesn’t need to be the case. The technology used for archiving and reviewing electronic communications makes it easier for firms to implement new tools to stay updated on policies and regulatory changes.”
2. Review the process and document written supervisory procedures
FINRA-regulated firms are required to test and verify supervisory procedures for electronic correspondence. The survey results show that many firms don’t follow this guidance:
- 23% of those surveyed have never reviewed their supervisory process, or do not have a set timeframe for a review (Figure A)
- 42% of those surveyed said they only do an ad hoc lexicon review (Figure B)
Failure to review the supervisory process itself puts firms at risk for penalties. And firms are frequently fined for this misstep. In fact, some of the largest regulatory fines are for failing to implement supervision.
Cherry said that a solid supervisory process review should consider the following:
- Is the firm reviewing and implementing new releases or patches from their archiving vendor or service provider?
- Are lexicons up to date?
- Are exclusions up to date?
- Is there documentation of the supervisory review process?
Additionally, the SEC’s Regulation Best Interest (Reg BI) went into effect on June 30 of this year. The new regulation is designed to bring legal requirements and mandated disclosures in line with reasonable investor expectations while preserving access to a variety of investment services and products.
“Reg BI is a perfect example where you want to avoid the set it and forget it approach,” said Shafir. “You don’t just leave your lexicons alone. You need to update the lexicons and implement new keywords into the supervision process to show regulators you’re complying with the latest rules.”
3. The frequency of reviews and the quantity of communications reviewed should be adjusted
One interesting insight from the survey was that firms, depending on their size, review content differently. Smaller firms (those with 1-5 employees) can be more efficient by following the approaches of larger firms, that review a smaller percentage of email (Figure E), but they do it more frequently (Figure F).
Smaller firms tend to review 100% of all electronic correspondence while larger firms are reviewing 0.05% to 2%. However, while they are reviewing 100% of the content, small firms don’t review frequently enough.
“Just because you're small and don't have much electronic correspondence, you can't wait once a month or once a quarter to review your electronic correspondence,” says Cherry. “It really needs to be timely. If something happened in that electronic correspondence, you can't wait a month to act on it. Regulators will have an issue with that.”
Reviewing messages in a timely manner reveals what's going on in the firm and gives them the agility to adjust processes and reduce supervisory fines. They can leverage compliance technology to narrow in on messages that require reviews.
Unfortunately, 39% of those surveyed suggest that they have a manual process to review electronic correspondence, which can be risky. Regulators expect to see a proper system in place — especially as more people work from home.
4. Use archiving and supervision technology to stay agile
Archiving and supervision technologies have come a long way and can help firms review content more efficiently. With an increasingly remote workforce, it’s critical to have a supervision process that allows for the review of a high quantity of content more quickly.
“FINRA recently indicated that it’s gotten approval to adopt advanced technologies to use in their exam process,” said Robert Cruz, Smarsh Vice President of Information Governance. “I think FINRA’s expectation will be that firms are doing the same.”
Using modern technology to help your firm retain, supervise and review electronic communications is key.
“It's likely you won't remember every message you've reviewed a year from now,” said Shafir. “If there’s an audit and the regulator asks, ‘Did you review this message?’ you can confirm and provide the documentation.”
This blog is based on the recent webinar, "Compliance and Technology: A Supervision Survey from Industry Professionals." You can watch the full webinar here. Get the survey report here.
Share this post!
Smarsh
Scalable for organizations of all sizes, the Smarsh platform provides customers with compliance built on confidence. It enables them to strategically future-proof as new communication channels are adopted, and to realize more insight and value from the data in their archive. Customers strengthen their compliance and e-discovery initiatives and benefit from the productive use of email, social media, mobile/text messaging, instant messaging and collaboration, web, and voice channels.
Smarsh serves a global client base that spans the top banks in North America and Europe, along with leading brokerage firms, insurers, and registered investment advisors. Smarsh also enables state and local government agencies to meet their public records and e-discovery requirements. For more information, visit www.smarsh.com.
Latest posts by Smarsh (see all)
- Strategic Partnerships Highlighted at SmarshCONNECT 2024 - April 15, 2024
- What Are Financial Firms Saying About 2023’s Regulatory Squeeze? - January 10, 2024
- Form ADV Amendments: Frequently Asked Questions (FAQ) for RIAs - December 6, 2023
Smarsh Blog
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.
Watch it Work
Contact Us
Chat
Subscribe to the Smarsh Blog Digest
Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.
Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.
FOLLOW US