The Cost of Doing Nothing: A Compliance Perspective on Barriers to Upgrading Archiving Technology
The dynamic regulatory environment has recently hit a fever pitch with the introduction of the soon-to-be-implemented Reg BI, the varied attempts at data protection regulations and the flood of state, and potential federal, privacy legislation led by CCPA. This continued emphasis on financial services regulation has transformed what heretofore had been a relatively manual, expertise-driven financial services compliance discipline. The traditional department, even doubling or tripling its headcount, cannot develop processes to meet the new legislative requirements effectively. Enter a new generation of technology.
Regulatory Technology (RegTech) has transformed the capability by creating higher-value insights that actually reduce the amount of data requiring review. Systems use Artificial Intelligence (AI) to evaluate data from myriad sources, creating a holistic view of the firm’s business processes. The technology further identifies specific exceptions or trends that require follow up. Compliance officers are no longer buffeted by extensive manual review or researching scores of false positives. Moreover, by being hosted in the cloud, these systems require limited start-up investment and lower the overall cost of compliance.
But while RegTech has transformed many areas of compliance supervision, most firms continue to use legacy systems to monitor business communication. At first glance, this trend may be antithetical. After all, communications not only provide the context for most of the compliance issues that a firm identifies but, in many cases, is the driver initiating the review.
The fact is that firms will only consider a significant technology project if the regulatory and or business benefit hit a very high bar. It is easy, when considering business communication surveillance, to maintain the status quo. There are at least four justifications that, my colleagues and I agree, are the typical roadblocks to upgrade initiatives at many top firms.
- Organizational Resistance: Bureaucratic organizations and processes tend to limit change and resource reallocations.
- Cost: Costs accumulate from system acquisition and implementation, moving data archives and running systems in parallel.
- Risk: Replacing processes and changing technology present management with significant operational risks.
- Expertise: Skills to effectively utilize the new system may not exist in the organization, adding to the risks and training costs.
Organizational Resistance to New Archiving Technology
Migrating to a new system requires an organization to make the effort a top priority. Most projects will only get executed if it can be shown that the project solves a regulatory imperative or advances revenue production. Making a case to gain management approval is challenging, and on the surface, operational based projects are hard to justify.
But by maintaining legacy surveillance tools, firms are not meeting the standards set by the regulators and adhered to by top firms. For example, a large global bank decided to junk its lexicon-based system and adopt a system that utilized algorithms to analyze business interactions, based on Federal Reserve guidance highlighting important industry trends to improve the security of the financial system.
Moreover, implementing advanced technology demonstrates that business communications, when analyzed effectively, can reap important customer data to assist business development efforts.
Cost of Migrating to a New Archiving Platform
Expenses associated with migrating to a new platform can be substantial. Not only are firms impacted by the costs of acquiring a new system, but they must also consider costs from migrating the legacy data that is critically important in any regulatory investigation, as well as running both systems in parallel.
Yet costs can in fact be reduced by utilizing advanced technologies. AI significantly reduces the false positives and allows firms to reprioritize the staff reviewing and researching alerts. It also lowers the amount of time a business manager needs to spend supervising messages, which allows them to focus on business transactions. Finally, since most of the systems can be delivered as software-as-a-service, the initial investment may be no more than the yearly operating spend.
Risk of Outdated Lexicon Policies
Legacy systems utilize keywords to identify suspect behavior. This tried and true method is used by most firms and currently accepted by regulators. Practitioners know what is acceptable as the lexicon is well known to members of the firm, but employees have learned how to get around this surveillance technique, which makes it less effective for mitigating risk.
On the other hand, a large firm recently and inadvertently uncovered insider trading because a colleague happened to overhear a compromising phone conversation and alerted authorities. If the message surveillance tool utilized AI to holistically create and analyze a profile for the employee — to include social media, voice firm transactions and employee compliance activities — the plot would have been contained based on strong monitoring, not chance encounters.
Expertise with Advanced Archiving Systems
Staff members know how to use the legacy system, the technology staff understands how to manage it, and risk managers are comfortable that they will not miss “the big one.” In the absence of a strong technology background, most compliance officers think, “why fix what isn’t broken?”
Modern technologies allow compliance officers to work with technical staff to review risk scenarios and set tolerances. Advanced systems take risk management to the next level by bringing together data from many venues to create a risk profile for the custodian. The compliance officer reviews the alerts based on the risk tolerance set for an individual or group. The expertise associated with identifying risk has been replaced by the algorithms within the system.
How to Overcome These Challenges
These are strategies that firms can employ to overcome the justifications for maintaining the status quo:
- Include message surveillance as part of the overall program. In many firms, communication monitoring is treated as separate and apart from the other surveillance missions, including transaction, voice and employee compliance. The newest communications monitoring systems bring all these processes together as part of a holistic approach; therefore, they should be treated as a critical building block of the firm’s surveillance capability.
- Document the compliance advantages of an integrative program. With messaging surveillance part of a holistic program, business personnel not only have less of a burden of reviewing alerts and false positives, but they also work with a system that is more attuned to identifying targeted concerns. The integrated system is also better able to identify miscreant behavior like unauthorized trading, which can potentially save the firm billions of dollars, maintain its reputation and keep the manager’s job.
- Highlight that systems can be used to identify customer insights and business opportunities. The flip side of a holistic approach to monitoring is accumulating information about the sales process. An AI-driven system can identify cross-selling opportunities, which products are trending for customers, what could be done to better satisfy existing customers and lessons learned from clients lost, etc. Business management will begin to rely on the system as a critical input to driving revenue.
For many years, the differentiating factor for communication monitoring vendors was the ability to meet regulatory requests or maintain an acceptable level of customer service. It has been quite easy to ignore new products and delay consideration for another year. But as we move into the third decade of the 21st century, firms must seriously consider the new state-of-the-art products; their features have become compliance game-changers, allowing firms to do much more with fewer resources.
To summarize, the best products now utilize 1) AI to develop more targeted exception review, 2) holistic analysis to bring together all of the surveillance components, and 3) mining of client sales information to assist the business in developing more profitable relationships with customers. The new technologies present a suite of features and capabilities that every compliance executive will find hard to ignore.
This is the second post in a three-part series about what keeps organizations from upgrading their compliance and e-discovery technology. We've heard the legal perspective, now the compliance perspective, and up next we’ll hear what IT stakeholders think keeps companies from upgrading these important technology solutions.
Share this post!
Laurence Goldfarb
He was a co-founder of a SaaS software company, Compliance11, which provides compliance automation tools for the financial services industry. The company was purchased by Charles Schwab in 2011. Prior to that, Laurence was Chief Information Officer of Legal and Compliance at UBS in which he was charged with overseeing a large portfolio of Legal and Compliance IT projects that included affirmation online, global shareholding, AML / case management, knowledge management and document management initiatives.
Latest posts by Laurence Goldfarb (see all)
Smarsh Blog
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Watch it Work
Contact Us
Chat
Subscribe to the Smarsh Blog Digest
Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.
Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.
FOLLOW US