
Your Firm Doesn’t Need to Compromise Compliance to Modernize Collaboration — or Vice-versa

by Smarsh


It’s a competitive advantage for companies to ensure faster and more efficient collaboration by integrating the latest communication technologies into their business processes. However, staying current with evolving communication technologies can be a challenge for financial services firms, who must maintain and retain various types of communications to ensure they meet their compliance obligations.

In our recent webinar, our experts shared how firms can use the latest technologies while meeting regulatory requirements, as well as strategies to streamline compliance.

Reconciling allowed communication channels with regulatory obligations

While it may seem challenging, firms don’t need to feel that they have to choose one or the other when it comes to using the technologies they want or following regulatory rules. “Everybody has to be vigilant about the new emerging communication technologies out there, and they have to make sure that the risks are covered,” said Stephen Boyd, director and head of the Miami office of Optima Partners Consulting.

In practical terms, reconciling communication technology with regulations requires key stakeholders to come together. This isn’t solely an IT issue. It will also require support from compliance and operational leaders. “These are the people who really need to come together and put together appropriate policies for the business,” said Boyd.

Policies should address areas that pose the most risk to the firm — such as where somebody can get around certain technologies or certain avenues of communication — and try to address and mitigate those risks.

“There are so many actual platforms out there for people to communicate that you’re never going to be able to have something that’s foolproof,” said Boyd. “Be proactive in trying to address the risks upfront but be reactive when you realize that something doesn’t work and change your policy or shift your policy to something that might work a little bit better or give you more coverage and less exposure to that risk.”

Mobile device management is another key consideration, whether you have a bring-your-own-device policy or a corporate-owned-device policy. Consider the communication channels that the business prefers to use and develop customized policies and procedures from there.

A cross-functional approach is key to a compliant communications program

The key takeaway here is to take a business approach with a regulatory angle. Boyd explained that the way to combine those two sometimes-conflicting obligations is to get key stakeholders — including the chief compliance officer, chief operating officer, and the chief technology or the chief information and security officer (CISO) — together to design an effective communication program that is going to work for the business.

“Make sure you have everybody at the table when you’re talking through these issues,” said Tiffany Magri, senior compliance officer at Smarsh. “Otherwise, you could get halfway through it and then find out you have a huge problem that takes you back to the drawing board, and nobody wants to duplicate the effort.”

Know that there are hefty consequences for recordkeeping violations

Failing to maintain and preserve electronic communications in violation of recordkeeping obligations can result in huge fines. In a recent SEC report, a registered investment adviser (RIA) reached a $6 million settlement with the SEC for “widespread and longstanding failures to maintain and preserve certain electronic communications,” and for “failing to enforce its code of ethics.”

According to the SEC, from at least January 2019 through December 2021, the RIA’s employees communicated about company business internally and externally using personal texting platforms and other non-approved messaging applications in violation of the firm’s policies and procedures. The firm also failed to maintain or preserve business communications as required under the federal securities laws and its own policies and procedures.

“In one instance, three senior employees engaged in off-channel communications on personal devices that were set to automatically delete messages after 30 days,” according to the SEC order. “Additionally, the order finds that certain [firm] employees failed to adhere to provisions of the firm’s code of ethics requiring them to obtain pre-clearance for all securities transactions in their personal accounts.”

The settlement amount alone should serve as a warning to other smaller RIAs and private fund managers to take their recordkeeping obligations seriously. Smaller financial services firms cannot absorb some of these significant penalties like the bigger industry players can.

“And even if they have a smaller fine, it still could be large enough to put them out of business,” said Boyd. “It’s really important that people are aware of this, they’re educated on it, and they know what the consequences could be.”

The RIA agreed to improve its compliance policies and procedures as part of that settlement.

Don’t neglect records management and supervision

The many recordkeeping rules that firms should have on their radar include FINRA’s books and recordkeeping rules, as well as Rule 204-2 of the Advisors Act, which describes what a book or record is, what records must be kept, and how long they must be kept.

Boyd noted that another key aspect of recordkeeping compliance is substantiation, being able to demonstrate to a regulator that the firm:

  • Has the processes in place that it says it does
  • Is following its policies
  • Can mitigate issues if issues are discovered

“At the end of the day, if you have it on your archive, it’s subject to review,” said Boyd.

Another important compliance element is supervision, making sure that what is being archived and reviewed is in line with the firm’s policies, procedures, laws, rules and HR practices. Employees should be trained on keeping business communications separate from their own personal communications.

Every firm has a Code of Ethics, and all employees are supposed to conduct themselves in an ethical way. “At the end of the day, it does fall on the compliance folks to make sure that if there are problems, even if they are HR problems, that they do get addressed,” said Boyd.

Strategies for integrating technology and streamlining compliance

Manual processes can lead to potential gaps in compliance and can create risks for compliance staff. To streamline technology to automate oversight around compliance channels, Boyd recommends evaluating the archive system.

“You’re going to want to make sure that all the communications that are for business are making it into one place. Centralizing it is pretty important,” added Boyd.

Managing all the firm’s records in a centralized location is not just important for maintaining business communication records, but it’s also important for maintaining other documents, like the Code of Conduct or marketing materials.

What is most important here is that the firm’s records are easily accessible for when an examination takes place.

Artificial intelligence recordkeeping: the next frontier

Another type of record that regulators may increasingly require firms to keep is records created by artificial intelligence (AI). In fact, FINRA recently issued a regulatory notice reminding member firms that FINRA’s technology-neutral rules still apply when firms use generative AI and large language models (LLMs) in the course of doing business.

“The rules applicable to generative AI use will depend on how a member firm deploys the technology,” FINRA stated.

One guidance document issued by FINRA, for example, clarified that the content standards of Rule 2210 (Communications with the Public) “apply whether member firms’ communications are generated by a human or technology tool.”

As more and more firms begin to integrate AI into their business processes, it will become increasingly important for firms to ask key questions like:

  • Is this a record?
  • Am I going to retain it?
  • How am I going to supervise it?

Currently, the industry is still finding out the best use cases for AI. Firms that have already begun incorporating AI into their processes need to disclose that use properly.

Also, beware of claims made about AI capabilities that the firm does not provide. Such conduct is commonly referred to as “AI washing” and constitutes a violation of federal securities laws.

“You must ensure that your representations regarding your use of AI are not materially false or misleading,” said Gurbir Grewal, SEC enforcement division director.

Both the technology and regulatory landscape will continue to evolve rapidly, including as it pertains to AI.

“As these things change, as the technology changes, I think it's more important for us as compliance officers to keep up with those changes. And make sure we're integrating them and being more reactive in our compliance policies, and procedures and supervision, as we move forward into the next six months of this year,” concluded Magri.
