Smarsh Cautions FINRA on Work-From-Home Challenges & Compliance Best Practices

June 02, 2020 by Robert Cruz

As we continue forward in the work-from-home new normal, we have (hopefully) arrived at an inflection point. We can briefly pause to reflect on what we’ve been through and begin to think about what lies ahead. Most firms have made it through emergency procedures and can now consider the unforeseen challenges they faced. This includes the best practices they can carry forward with what will likely be a perpetually distributed workforce.

Data supporting the magnitude of this disruption is surfacing. According to an April 2020 report by Osterman Research:

  • Before COVID-19, 18% of employees in surveyed firms were working from home. Today that figure is more than 80% (and even higher according to other studies)
  • Four out of five firms indicated that they were NOT “very well prepared” for the crisis

Preparation for New Communications Risks

The issues cited by those responding as less than “somewhat prepared” are complex and disparate. They range from the ability of their remote access solutions to scale and meet the load required (54%), to security concerns (48%), to recovery from malicious activity (45%). Yet, in spite of the challenges, nearly 30% of respondents indicated that they will either implement new work-from-home policies or simply prefer that the majority of their staff remain remote.

This data aligns very well with the feedback we have received from FINRA member firms, large and small. Our customers have emphasized the shift toward collaboration, conferencing and mobile apps, and are concerned about the new risks that each can expose.

We believe this data and market feedback is important to aggregate and share with the financial services industry to enhance their perspective of the unique risks that suddenly remote workforces are encountering. Raised red flags can be mitigated by sharing lessons learned with member firms and leveraging best practices.

Discussion With FINRA on Remote Work Challenges

Our discussion with FINRA included representatives from across Enforcement, Member Relations, Legal, and Supervisory Review. Here are a few high points of the discussion:

Home networking
We discussed comments about the use of home computers, insecure Wi-Fi networks, and out-of-date security protections. Clearly, most firms are now sorting these fundamentals. The ability for employees to get jobs done while everyone is sharing resources from home remains a concern.

Unauthorized tools and free downloads
The reactive posture that many firms were placed in led some employees to pick up the tools that are either the most familiar or easiest to obtain. Perhaps that is a consumer-oriented chat application, or a free version of a popular collaboration app. In either case, neither may be designed to address the demands of regulated firms to capture, store, and supervise communications of the business.

The collaborative explosion
The spike in adoption of Microsoft Teams and Slack has a number of implications, some of which may be visible now at the regulatory executive level but will undoubtedly be impacting supervisory processes in the next exam cycle. These include:

  • The fact that the native features to capture content vary dramatically by platform, which will complicate the process of meeting regulatory record keeping requirements.
  • The interactive and dynamic nature of each. These require that firms have the ability to capture and supervise persistent chats, file and app sharing, and other "multi-modal" features.
  • The reality that each has become a target destination for cyber risks, such as ransomware, account hijacking, and advanced targeted threats (supporting the alert that FINRA recently posted on this topic).

The mobile compliance gap exists
We highlighted the fact that mobility represented the largest compliance gap in our 2019 electronic communications compliance survey. More than 60% of firms have policies prohibiting the business use of texting and other mobile apps while acknowledging that those capabilities are in fact being used. Let’s face it: the first move by a rep unfamiliar with a new collaborative tool will be to call their client. This is happening today and not every firm was equipped with the appropriate corporate-owned or BYOD solution.

More encrypted apps are being used
WeChat and WhatsApp have also been beneficiaries of the work-from-home dynamic, with WhatsApp reporting a 40% increase in usage in the first quarter. The compliance risks of these apps are well known. We indicated that we are actively working on approaches to help firms mitigate these risks. This led to several questions and positive discussions around what has been a difficult problem with only imperfect solutions. However, the risks extend beyond capture, as was highlighted by the recent news of monitoring activities by the Chinese government.

To Zoom or not to Zoom
Participating in a video conference evolved from an infrequent occurrence to one so frequent that Zoom fatigue is now a common ailment. This is not lost on firms attempting to use Zoom or other conferencing tools, each of which is unique in terms of enabling content to be captured. This creates a bit of a predicament. Firms are now increasingly viewing conferencing not just as a virtual meeting space, but one where business records can be created, shared, or potentially misused. The need for additional guidance from regulators on the use of conferencing technologies has been a recurring theme and one that hit with emphasis (while using a video conferencing technology).

Smarsh Advocacy and FINRA Compliance Guidance

Sharing our viewpoint on the risks of new communications and collaborative tools led to a discussion of our advocacy efforts via our blog and other external outreach. It was also followed by FINRA Notice 20-16: FINRA Shares Practices Implemented by Firms to Transition to, and Supervise in, a Remote Work Environment During the COVID-19 Pandemic. These efforts will help FINRA member firms avoid common pitfalls and more skillfully navigate the steps toward a new new normal.

We thank FINRA for a productive discussion and commend them on the guidance the organization is providing to firms in managing through this crisis. We also appreciate FINRA's commitment to gathering information to help educate membership, which is dealing with a set of new risks as a result of the pandemic.
