The global coronavirus (COVID-19) outbreak has caused many firms to quickly adjust to the realities of a remote workforce. For firms that must adhere to SEC and FINRA supervisory review obligations, this can raise a number of new challenges that did not exist when registered reps were simply across the aisle or up a floor.
Senior Director of Information Governance, Smarsh
Robert Cruz is Senior Director of Information Governance for Smarsh and Actiance. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and Discovery cost and risk reduction.
Regulatory Advisor, Smarsh
Marianna Shafir is Regulatory Advisor at Smarsh, where she’s responsible for regulatory affairs worldwide. With her expertise in financial services industry, compliance and eDiscovery, Marianna counsels Smarsh clients on meeting regulatory obligations, leveraging technology and guidance on best practices related to electronic communications supervision. Prior to joining Smarsh, Marianna worked for BNY Mellon and Invesco where she was an instrumental member on compliance teams. Marianna has also served as an adjunct professor at New York Career Institute where she taught Law Office Management and Real Estate Law. She earned her Juris Doctorate from Nova Southeastern University. She is a frequent speaker at industry conferences and a contributor to various online publications.
Founder and CEO, Elinphant, L.L.C.
Elin Cherry is founder and CEO of Elinphant, L.L.C., a financial compliance consulting firm. She is a Capital Markets and Compliance Executive who has served as a key member of Compliance Senior Management teams. Known for gaining regulator confidence, she has a proven track record in managing regulatory relations and examinations and has strengthened firm’s credibility with regulators during times of financial stress. Elin is adept at successfully implementing Compliance Programs to enable firms to be proactive regarding compliance matters. Prior to founding Elinphant, Elin was a Principal and the Head of Capital Markets at Compliance Risk Concepts (“CRC”). In that role, she grew a book of business generating half a million dollars in revenue.
Transcription of Webinar Audio
Katie Findling: Hi, everyone, and thank you for joining us for today's webinar, “How to Supervise Your Suddenly Remote Broker-Dealers and Investment Advisors.” Please be aware that all participants will be muted for the duration of the call and please also submit any questions you may have via the GoToWebinar messaging app and we will attempt to answer as many of them as possible during the Q&A session.
Katie Findling: Joining us today are presenters Elin Cherry, Marianna Shafir and Robert Cruz. With that, I'll hand it over to you, Robert.
Robert Cruz: Thank you, Katie, and thank you everyone for joining us. Really appreciate your time in a very challenging new world that we're living in. We're going to talk specifically about your supervisory obligations and how organizations are beginning to adjust to the fact that they're now dealing with a very distributed workforce, individuals whose communications need to be supervised but are now located virtually remotely across multiple locations.
Robert Cruz: Before I begin, let me provide the standard disclaimer: Smarsh provides this material for information purposes only. Smarsh is not providing legal advice or opinions. You must consult with your attorney regarding compliance with applicable laws and regulations.
Robert Cruz: We're going to do some quick intros and then we're going to talk specifically about what the regulators are saying, what communications have come out from FINRA, the SEC, as well as the FCA in the United Kingdom. We're then going to talk about some practical implications. What should firms be doing now in terms of adjustments to their supervisory processes? We're then going to hit a specific chapter that a lot of companies are now in the middle of, which is how can you evaluate a new technology—be it a conferencing or a collaboration tool, a Zoom, a Slack, a Microsoft Teams—how can you evaluate these technologies to ensure that you're not introducing risks to your organization? And then we'll conclude with just a brief overview of how Smarsh can help and we'll take questions as we go.
Robert Cruz: First of all, let me introduce our presenters, and start with Elin Cherry, founder and CEO of Elinphant, LLC. Elin, thank you very much for joining us. Please tell us a little bit about yourself and your background in this area.
Elin Cherry: Hi. Thanks, Robert. I'm Elin Cherry, and I have a compliance consulting firm. My background here really starts from 9/11, when we first all had to deal with alternative work arrangements and business continuity planning, and there was also the planning that we had at the turn of the millennium. So being a compliance officer for this many years and having to actually put in place these plans has been part of what I've always done. When this time came around, though, this is very different. I think it's going to be interesting and challenging for all of us to manage through the situation. Thanks, Robert.
Robert Cruz: Thanks, Elin. Marianna?
Marianna Shafir: Thanks, Robert. Hi, everyone. I work at Smarsh. I'm regulatory advisor, and in this role, I help companies navigate regulatory compliance obligations, technology trends or industry regulations through my vast knowledge of best practices related to electronic communications supervision. Like many of you, prior to working at Smarsh, I was also in compliance and had to deal with all the regulatory obligations wearing the many different hats. But this is a special webinar because this was a hat that I didn't wear and this is really all new to us and we're all learning about this at the same time. So I'm excited to be here today to share some best practices, to share some new guidance, and we will get through this. Thanks, Robert.
Robert Cruz: Thanks, Marianna. And myself, sheltering in place in the Bay Area, Robert Cruz, VP of information governance for Smarsh. I basically work with our customers, the practitioners, the folks that are dealing with regulatory and e-discovery obligations. I have a background both in e-discovery as well as in regulatory technology. And I am joined here by a trombone player, heavy metal guitarist, a small yappy dog who may be interceding here somewhere along the way. I think we've got other dogs and children in New Jersey as well, so we'll test the … process here.
Robert Cruz: For those of you that have maybe not as much familiarity with Smarsh, who we are as an organization … Basically, for the last two decades what the company has been solely focused on is helping organizations use communication technology to drive their business using the technologies that allow them to meet the customer on their terms, to support the latest chat application, the social media product, the collaborative tool, making sure that you can do that without introducing risk. The company is a combination of the heritage Smarsh along with the Actiance company that was joined in 2018, and our primary focus has been in financial services, the public sector. But now because of things like this where the remote workforce topic is very front and center for everyone, [we’re] seeing interest from a variety of organizations across multiple industries. We are recognized as a leader by both Gartner and Forrester in the enterprise information archiving space, and we have a particular focus around supervision and e-discovery, enabling firms to capture all the different communications, ensuring that they're available for the workflows and the applications that you need to deal with on a daily basis.
Robert Cruz: So let's jump right into the discussion here. I think the first thing to do is just trying to keep up with the regulatory communications … every time we look up … there seems to be another communication that's being put out by one of the regulatory bodies.
Robert Cruz: I think the place that we should start is looking at some of the topics that we're going to address here. We're going to look at third-party capacity and risk management. What are the things you need to consider to make sure that your third-party relationships are able to deal with the market volatility, with some of the things that are happening right now? Looking at issues like bandwidth. Are your employees able to access the resources that they need to get their jobs done? Looking at the potential introduction of risks, whether that's phishing attacks, advanced threats or other areas. Just coping with market volatility and also continuity plans, what the regulator is saying with regard to firms and when they activate their BCP protocols. Let's dive into each of these, but look at it from the perspective of each regulatory body.
Robert Cruz: I think the place to start here is probably within the FINRA guidance, the continuity planning document that came out a couple of days ago. Marianna, you've dug into this one deeply, so why don't you walk us through some of the key things that came out as part of this most recent FINRA regulatory notice?
Marianna Shafir: Thanks, Robert. So last week, March 9th, FINRA published its recent guidance and encouraged members to dust off their business continuity plans as the coronavirus continues to spread. The new guidance, 20-08. [states that in] the context of a pandemic, broker-dealer firms should consider having employees and financial advisors working in remote or backup offices or from home. FINRA expects a member firm to establish and maintain the supervisory system that is reasonably designed to supervise activity of each associated person while working from an alternative or remote location during the pandemic.
Marianna Shafir: With respect to oversight obligations, member firm scheduled on-site inspections or branch offices may need to be temporarily postponed during the pandemic, with FINRA understanding that the ability to complete this annual regulatory obligation in 2020 may need to be reevaluated depending on the duration and severity of the pandemic. In addition, a firm may find it helpful to test broad use of remote offices or tele-work arrangements … prior to activating its BCP, including regarding the ability to connect the critical firm systems, the adequacy of remote connections via residential internet, access networks and any potential need to secure premium or dedicated service for a connection. The firm should remember to inform FINRA if they make such arrangements and be on the lookout for additional cybersecurity events such as phishing.
Marianna Shafir: I think cybersecurity is a really big issue right now, especially [because] so many people are remote. FINRA said the risk of cyber events may be increased due to the use of remote offices or tele-work arrangements, high anxiety among associated persons and confusion about the virus, according to FINRA. FINRA also urged their broker-dealers to remain focused on their clients and increase the number of who they call or use their online accounts given the large move in the market. Broker-dealers are encouraged to review their BCP plans regarding communications with customers and ensuring customer access to funds and securities during the significant business disruption, the notice stated.
Marianna Shafir: And also Elin's going to speak more about the new guidance that FINRA just published.
Elin Cherry: FINRA just today put out a notice. They've started a frequently asked questions and they've got one out today about U4s needing to be signed with an actual signature and being on file. And they've said that, no, they don't need to be signed with an actual signature as of right now. And I think what's more important than actually what their question and answer was is the fact that they have these frequently asked questions. And I think we're going to see it updated on a daily basis. I would say make sure … you're checking a couple of times a day to see what they're updating and the relief that they're giving.
Robert Cruz: And let me just add here, I think one interesting topic—and we'll come to this in a little bit more depth in a minute—is testing the broad use of remote office arrangements. I think there's a number of layers there, not just looking at does everyone have adequate WiFi coverage, but there's also the question of, what are the tools you're now putting in front of folks that may not be familiar with those technologies? Do they know how to log in? Do they know how to conduct meetings? Do they know how to control what features and functions are accessible for those individuals? There's quite a bit in that bullet that we're going to come back to in a second here. But thanks for that on the FINRA side.
Robert Cruz: Why don't we talk about SEC and where they have also put out similar guidance? What are some of the key things here to note, Marianna?
Marianna Shafir: The SEC also put out guidance, announced the relief, last week on March 13th. The relief provided covers in-person board meetings and certain filing and deliver requirements for certain investment funds and advisors. The impacts of the coronavirus may delay or prevent funds and advisors operating in affected areas from meeting certain regulatory obligations due to restrictions on large gatherings, travel and access to facilities, the potential limited availability of personnel and similar disruptions. The relief is designed to enable funds and advisors to meet those obligations and to continue their operations while recognizing that there may be temporary disruptions outside of their control. The commission and its staff continue to assess impacts relating to the coronavirus on investors and market participants and will consider additional relief from other regulatory requirements.
Marianna Shafir: So that was the recent release that SEC announced. And I think the big takeaway from the US regulators, FINRA and SEC is that they are aware of the issue. They are understanding if you're not meeting your deadlines on your regulatory obligations, the filing. Also they delayed the form ADV. They are aware, and it's really a reasonable effort. I think that's really important to recognize. Elin, what are your thoughts on the recent SEC relief?
Elin Cherry: Well, my thoughts on the SEC are similar to what we're seeing from all the regulators, which is that they have a couple of significant priorities which are really important. The first one is, they are working really hard to be reasonable and making sure that customers and business can still happen during this timeframe. And I think that's front and center on their mind, which is very reasonable. And they're working hard also to make sure that ... I've had reason to speak with a couple of regulators the last couple of days on business as usual type things, and they're making sure they are business as usual. I think it's good to know that they're up and operating and they want to keep business moving as it usually does. And then as far as giving relief, they're being very reasonable.
Elin Cherry: My view is, if you need relief, you need to ask for it. And my guess is it's likely to be granted if it's backed up with a substantive reason.
Robert Cruz: Good guidance and feedback there. And one other thing I'll note here is that I believe it was FINRA indicated that all scheduled events that they had on the calendar through April are now either canceled, moved virtual or postponed. I'm not sure if that's been updated but we're obviously monitoring that in light of the FINRA annual conference in May, as well as other related activities. I think many of you had planned to attend the SIFMA conference this week in Orlando. Something that we're watching very closely, and we can also supply some links with the stack at the end of this webinar so that you can continue to stay updated on the latest from the SEC.
Robert Cruz: As you all know, this isn't just limited to the US regulators. There are also communications that have started to be delivered through some of the international regulatory bodies, and I think the first to start with is within the UK, from the FCA. Marianna, do you want to cover some of the key elements from the FCA guidance? And I believe there was also an update to this that just recently came out the last several hours.
Marianna Shafir: Yes. Thanks, Robert. The FCA just published more information today on Covid-19, and firms are expected to take reasonable steps ... remember the word “reasonable.” I see all the regulators continue to use it to ensure that they're prepared to meet the challenges the coronavirus could pose to customers and staff—particularly through their business continuity plans—to be clear and transparent and provide strong support and service to customers during this period. I also noticed that FCA was more specific on reporting obligations. In the new guidance today, there's a section on reporting alone. There was something on voice call reporting, and firms should make the FCA aware if they're not able to meet call reporting recording requirements and take mitigating steps. For example, enhance monitoring and review. Also the submission of regulatory data. If firms experience difficulties with submitting their regulatory data, the FCA expects them to maintain appropriate records during this period and submit the data as soon as possible. Where firms have concern, they should contact the FCA as soon as possible.
Marianna Shafir: Also, on March 6 … that was their first coronavirus guidance, and that's what we have on the PowerPoint slide. That was the initial guidance that the FCA put out … that's where they started. Expect all firms to have contingency plans in place to deal with a major event. They also expect firms to take all reasonable steps, as I mentioned. For example, they would expect firms to be able to enter orders and transactions promptly into the relevant systems, use recorded lines when trading, and get access to the compliance support they need.
Marianna Shafir: I bolded here “recorded lines,” and I think it's really important to point this out because they keep mentioning recording. They really want to make sure that you're complying … with a regulatory obligation reasonably … to make sure that the firms still are complying with record keeping obligations, that you have that data to back up everything that the firm is now doing since there's so much remote work. I think that's really, really important. Even though the US regulators haven't said it, I think this is something also as a good guidance, that it's really so important to make sure that you're recording all those electronic communications. I think the FCA is a good guidance. Even though it's not in the US, it's still something that firms should be following even if you're not required globally to follow the FCA.
Elin Cherry: Yeah. And I do think, Marianna … what's important is if you're not recording phone conversations because people have gone remote and you're not able to. So the FCA and the US swap dealer regulators are all aware that this could be a significant issue to overcome, and so they are providing—I don't want to call it relief—I would say, make sure you know what's being recorded, what isn't being recorded and be speaking to your regulator, because they are taking a reasonable view here and they don't want to stop business because you don't have one line recorded. I think what's important is, know what is recorded and what isn't recorded and be communicating with your regulator.
Robert Cruz: Great points on both sides.
Marianna Shafir: Exactly, and put forth your best effort.
Elin Cherry: Yeah.
Robert Cruz: And also just to point [out] that the challenge here is to make sure that whatever alternative communication mechanisms are being used—or things that you've seen, you have approved, that you understand the risk for—don’t leave it in the hands of the individuals to make their own choices and download their own apps. There's a lesson in governance here that comes up as well that we'll touch on in a second.
Robert Cruz: And I did get a question that came in. I'm not sure if either of you have had a chance to take a look at IIROC in Canada, if there was anything specific put out from the Canadian regulators. If not, then we can look into that and provide some commentary as we get a chance to research.
Marianna Shafir: I have not seen anything. Elin, have you?
Elin Cherry: No, I haven't. I have not been following the IIROC yet, but now I will.
Robert Cruz: Okay. Thank you. All right. So good guidance here from the regulator aspect. As we mentioned, these things are very fluid. By the time this webinar is recorded, I'm sure there will be additional guidance. Make sure you've got a good set of links to know where each of these regulators is posting their updated communications.
Robert Cruz: Let's go to the next chapter. Actually, first let me summarize some of the resources that Elin, I appreciate you taking the time to summarize the different regulatory bodies and some of the things they've put out. Good idea to keep these handy. We'll send this out as part of the deck once the recording here is published.
Robert Cruz: So let's get to the next element here, which is, what does this mean specifically for supervision, the fact that the worker location has now, at least temporarily, been changed? I think one way to look at this is it can be considered an activation of a contingency plan. But let's talk through some of the aspects here that a company should think of when a worker location changes. Marianna, you want to start on this? Or actually, Elin, if you can start on this because we're kind of drafting off some of your blog commentary that you put together a couple of days ago. I want you to walk us through some key aspects.
Elin Cherry: The first thing I want to emphasize—and I know with my clients, compliance isn't necessarily the top thing that the businesspeople are concerned about on the best of days, sometimes—but really truly right now people are worried about whether they can pay their employees first. I think that's the biggest one, right? Can they stay in business? Can they pay their employees? To be in front of your businesspeople with compliance issues right now—and that's, like, all of my clients—I’m really picking and choosing where I'm in front of them. I'm also taking the lead from the regulators that they're being reasonable. While we have all of these things about “this is what you should do,” I want people to also take a very measured, reasonable look at this and do what you can do. But the most important thing I think right now is to let the businesspeople carry out business and be in the background making sure you're helping get the correct infrastructure in place. But do it carefully and at the right time, because that's how you can have the impact to get it done.
Elin Cherry: Updating the list of each remote worker location is really important. I will also say updating the BCP, what I've noticed is that most BCPs aren't being activated the way people anticipated them being activated. I don't want to say they're not working, because I think by and far they're working, but what you have posted on your web for your BCP may not actually be what you're doing. And so I would say that after things settle just a bit, start looking at that BCP and see how you need to update it to reflect what you've actually implemented. I think there are a lot of unknowns that came with this one, including WiFi capacity, etc., that the BCP is just looking a little bit different.
Elin Cherry: The other thing that I'm doing to kind of cover all of these issues, I'm taking two different kinds of tactics with my clients. For some clients, we've actually written up an attestation for the people who are now working at home who didn't used to work at home. And we're having them sign an attestation that they understand that they're supposed to use only your work-approved communication tools, that you can’t have clients at your homes, and just kind of what the rules of the road are for working at home. We're having them sign an attestation. The other thing that we're doing when we don't want to do that is we're having firm-wide meetings and we're carrying out compliance training just to say, "Hey, remember, these are kind of the rules of the road of working from home,” and we're making sure we get that training done.
Elin Cherry: I think one of the things that's also ... anybody who's working in the trading side of things, I think you really do need to be checking in with your vendors on their capacity and how they're managing the capacity and whether they're going to be able to continue to maintain capacity so that you can be out in front of any vendor capacity issues that happen. So that's kind of a very high level but a lot. Marianna, I don't know if you want to step in and [inaudible 00:26:07].
Marianna Shafir: Yeah, I definitely agree. And I wanted to add, as the regulators are all saying, use their guidance, follow your BCP, and it's likely you're going to face new challenges. I think the good part about it is that this is happening to everyone, you're not the only one. You're going to face challenges with your BCP. Revise and update your BCP plan when you get a chance. There's going to be new avenues you have to take. Entities must not only revise the work procedures and patterns, but you also need to simultaneously maintain the compliance of the regulations and legal norms and keep that [to a] reasonable standard. Keep that in mind. The tools you need to communicate with your employees and clients, having a fully archiving system for all the channels that you're using, is emerging as a critical element for proper corporate functioning. You really want to make sure that you have the tools in place that you need to continue to drive your business.
Elin Cherry: I want to add one other thing about the training and the attestation. It's so important that people remind people about cybersecurity and the phishing attacks right now. I think getting that out there in the training—because we have seen an uptick of fraudulent behavior and people putting things out there about Covid-19 that are inaccurate, etc., but also the actual work to get into our financial systems right now—we really need to make sure that our financial institutions are protected. So you do want to make sure your employees are on high alert about cybersecurity right now. I think it's a very sensitive time for the financial markets, and I think that's got to be a key focus.
Robert Cruz: Great points. And I want to get deeper into this one regarding the risks and making sure that these work-related communications are transmitted through the appropriate channels, because that's a topic we cover very regularly. We'll come back to that. But first, let's go one step further. Supervisory considerations. What should firms be doing differently in terms of the way that they adapt their supervisory procedures? Elin, kind of talk through some of the key things here, that you once had a centralized team of individuals down the hall or up one floor and they're now located everywhere. What are some of the key things that firms should consider in the way that they adjust their processes for supervision?
Elin Cherry: I think the first one is reviewing the supervisory checklist and make sure that you're able to carry it out. Like, some of these supervisory checklists where things are done, the more electronic you are, the easier and the less work this is going to be. But just looking at the chart that's on this slide, you have to take your supervisory checklist and say, "Am I able to do it for all of these instances the same way that I was doing it before, or do I need extra people?" I think that's the key thing. And again, I would put this in the reasonableness category of, it's very important you get this in place. But to me, it's really important we get business up and running and that people are able to service customers and things like that, and then be working really hard behind the scenes to make sure that you can still supervise the way that you've always been supervising.
Elin Cherry: Also I mentioned training before, but I think that it would be a good idea if you're able to do a training, a compliance training about operating in this environment. And that may be in a week or so, but the sooner you get a training done, the better—but after you kind of know where things settle—just to make sure that you've covered your bases and made sure that you've communicated to everybody.
Marianna Shafir: Go ahead. Sorry.
Robert Cruz: I was going to say, Marianna, do you have anything further to this discussion on the supervisory process?
Marianna Shafir: I think this would be the ideal time to use the supervision technology that you have in place, and if you don't, that this is the time to implement it. A lot of vendors that you're using have the supervision technology. There's analytics right now. I think from a remote standpoint, that would be the best way to supervise, which is pretty critical. You could also do the supervisor ... the reviewers can do it by implementing the lexicons and doing the reviews. That is a great way to continue supervising their employees. I wouldn't stop reviewing those electronic communications. I would actually enhance it even more and start doing it even more. So that would be my recommendation coming from a technology standpoint.
Elin Cherry: And I think, Marianna, also with technology—and I know this is a Smarsh webinar, but I can't emphasize enough for the people on the phone—if you guys use Teams, if you're using Slack and they're not already hooked up to your electronic communication supervision, please get them hooked up as soon as possible. That is going to be an issue. A lot of firms may have had Teams but weren't really using it, and we all know these things are being used a lot now. So please go back in and check what people are using and make sure you've got them going through your electronic supervisory process.
Robert Cruz: Great advice. And the point that you both have made in previous webinars like this about supervising your supervisors I think now is even more important if that process and workflow is one that can be adjusted and is flexible. And to your point, Marianna, your technology supports that to be able to change the model to adjust to the fact that you now have these individuals that are distributed. All key considerations here.
Elin Cherry: A point that just now stuck out to me is implementing restrictions for those with a disciplinary history. I think this is a time, it's not just for people with a disciplinary history, especially for firms that have people who have access to trading, to operations, etc. The financial stress on individuals right now is going to be probably higher than no other time that we've seen.
Elin Cherry: And so making sure you have the right supervisory controls, that your supervisors have the right supervisory controls over their employees, that operations people are separated from trading people, and to make sure that the technology restrictions are in place that should be between those groups. Just when the market gets volatile like this ... I was at Societe Generale in 2007, 2008, when we had the largest financial loss in history at the time, and it was because a front office person also had access to the back office. It's not the only reason, but it happened when the market was really volatile. This is when we really see those things happen. You want to make sure you've got your supervision over those sensitive positions, that you really do have that tied down right now.
Robert Cruz: Good advice. Let's move into the next chapter here, which is the question of technology. And I think, as we just stated, there may have been reasons why a firm didn't implement Teams or didn't support Zoom in the old world, and now we're faced with kind of a different set of situations or different set of conditions that are causing firms to rethink it.
Robert Cruz: Let me kind of walk through some of the key things that we're seeing companies do just now to be able to equip this suddenly remote workforce. And I think part of where it begins is the benefit risk analysis. We hear companies all the time say they have a good governance program that allows them to look at, what's the benefit of the organization for using this new technology and let's assess that versus the collective risks that may be exposed, whether it's an infosec exposure or a potential question about personal data privacy or other things that potentially could harm the firm. I think that benefit risk analysis has to be reconsidered now, clearly, because this is the model that firms are being forced to implement. Start with that analysis, look at it in terms of the benefits to the firm and the risks that are potentially exposed when you compare the two choices of different communication technologies that you can leverage and utilize.
Robert Cruz: One consideration that's very important is that many of the technologies that are out there for collaboration are free or have free versions. And the problem is that a lot of their freeware have limitations both in terms of features, but also in terms of your ability to capture and preserve some of those communications. You really need to understand what are the trade-offs and what are you not getting through a free version of one of these technologies. I mean, this now was made a little bit easier perhaps in the short term because most of the major collaboration and conferencing technologies are offering a free six-month use of their products. But still, you need to make sure that you know what's the difference between their free and premium versions.
Robert Cruz: When we get to the question of capture and storage, really that's just about making sure that if you intend to rely upon a Zoom or a Slack as the means that you would use to capture and retrieve historical content, if there was a question that came up from a regulator somewhere down the line, you need to know what those native capabilities are and where the deficiencies are and where there is potentially need for a third party to complement or to augment what you're getting from each of those providers negatively. The general rule that we've seen for all industries we serve is that a lot of these technology providers—the content source and the collaboration tool providers—many of them don't know what they don't know about companies who are regulated. They really need to do the third-party risk analysis into each of them to make sure that you're not introducing exposures through the use of a particular tool.
Robert Cruz: With a case or the question of features and functions, this is a good example of where you have a collaboration tool that's allowing you to do many things—like share a whiteboard, or a video, or embed a bot, all of these capabilities—you need to assess as to how would individuals be using them and what's your strategy to control those new capabilities, whether it's policy or technology or training or some combination. And when we get to the training and policy side of this, as was mentioned earlier, [you] need to make sure the policies are updated, your communications protocols reflect the variety of tools that now may be in use, and making sure that your users are involved in an update of your training to make sure that it's clear what are the acceptable and prohibited uses from each of these new communication sources and each of these new communication tools.
Robert Cruz: A lot of these things are good governance. But I would say, Marianna and Elin, this is really a vital opportunity for compliance to be involved with IT in assessing what some of these technologies are capable of and where are the risks. What are your thoughts?
Elin Cherry: I think compliance has got to be there with all of these decisions that are being made right now. I think you may find it as a compliance officer that it's hard to execute right now, but you've been there, and working behind the scenes to get the controls implemented is what's most important. And I do think that the collaboration and conference tools, especially at a lot of firms, are being much more widely used and potentially even more widely used than people are aware of as they—like Robert, you said—people jump into some of the free things. And this is one of the reasons with people moving to work from home, it's very easy if they're struggling using what they're given to jump on to their home computer and then jump on to one of the free applications with clients or with coworkers, etc. So that's where the training and the attestations come in.
Robert Cruz: Exactly. And Marianna, we've talked endlessly about the use of mobile devices. And so it seems like, as a scenario Elin just described, "I can't figure out how to log into the tool I was given, so I'm just going to text somebody." What are some of the things to think about here in terms of the FINRA guidance and SEC guidance regarding the use of mobile applications and text messaging?
Marianna Shafir: I think the regulators always say it doesn't matter what device you're using, it's really the communication. Whether it's a business communication, you need to be capturing it. I think right now it's really critical to make sure that you have those archiving tools in place, that they're working, especially since everyone is remote. I think it's really, really critical right now, and that the only way, really, from a technology standpoint, is to be able to supervise the supervisors and supervise the firm and the employees and really try to stay compliant and make sure there's no bad actors in the firm right now during the market volatility.
Marianna Shafir: I think it's really, really critical to foster a remote working culture and mentality. Make sure you have those tools in place, those technology tools, and I think that's where it's really, really critical right now, to make sure you just have those tools in place to continue business as usual.
Robert Cruz: Exactly. And just one final note here. The update and communication policies; it's really not just about communication, it's really the code of conduct. It's the rules and the behaviors that organizations have put into their policies internally. People will find a way to do silly things through a tool that they're not familiar with. If it looks like a place to socialize, those code of conduct guidelines really need to be front and center to make sure that it's not just a potential regulatory concern that gets raised. It could be other things that could be damaging to the organization if these tools are not being used properly.
Robert Cruz: Great. Keep an eye on smarsh.com on this one as well. We're going to continue to hit this from different dimensions—whether it's a technology point of view or an HR point of view or a litigation point of view—just to make sure that the evaluation of these new tools for remote use, the firms are getting a complete picture of all the considerations.
Marianna Shafir: Robert, I want to note also I think it's important that if you don't have those tools right now in place—let’s say you just have email—I mean, it's not too late. You can absolutely add on any of those features, new features, communication channels, that you need to continue business from a remote standpoint. I think that's very important to know. I know our company, Smarsh in general, we're still working and might be remote, as I'm even remote, but we're here to put those communication channels in place, as other vendors are as well. I think it's critical to really know that those tools are out there and to continue business. If you need those conference tools, if you need to capture those text messages which are happening right now, I think it is very important to update your policies and implement those channels now.
Robert Cruz: That's of great importance And just to be clear, it's not an exercise of going through a multiple-month deployment process and provisioning systems and all the typical IT exercise. These are things that we do every day to deploy Teams or Slack or other tools. It's just the standard nature of Smarsh business. We definitely look forward to chatting with you regarding the use of new technologies.
Robert Cruz: So key takeaways and Q&A. A lot of great information here I just wanted to sum up. And Elin, for those looking at the new world and needing to take a couple of key steps, what would be the two or three things that you would call out as most critical here for companies to walk away with?
Elin Cherry: I think the most critical is to make sure ... the key is to get the controls implemented. You have to take a reasonable approach during these times—and we've seen that the regulators are being reasonable, so we can't just ignore the rules and regulations—that’s not at all what I'm saying. But I think that taking a reasonable approach and getting things done as quickly as possible in the circumstances, and it's in the circumstances really kind of changes things. I would say look at everything you have to get done and then prioritize into where are the biggest risks for the firm and take care of those first. And I would say, most important is, really in this case, is to keep business going and also have your controls in place.
Elin Cherry: You really have to look at what are those things that are detrimental to get in place to keep the business going. I think that's the biggest takeaway I have, is just keep your eye on that during this time of crisis. And then as things start to go back to some sort of normal, you'll be able to go back and dot I's and cross T's. But I think what we really need [is] to help the businesses keep in business and do it in a compliant way.
Robert Cruz: Great advice. What about you, Marianna?
Marianna Shafir: Same. I'm going to add business as usual. It's really time to continue the business. All the regulators from the regulator guidance are saying, "Be prepared to follow your BCP,” and you're going to face challenges with your BCP. Revise and update your BCP. There's going to be new avenues you're going to have to take, and so these firms must now not only revise their procedures and patterns, but also maintain all compliance and legal norms. And I think the main takeaway from this is you're not the only firm going through this; every firm is going through this and this is just the new norm.
Robert Cruz: Yeah, very good advice. And I'll just sum it up from my perspective. I think number one, in the technology aspect, I think it's really a critical time for compliance teams to be engaged as new technologies are being considered to prevent just the proliferation of tools that you then would have a problem controlling after the fact. I think it's really a great opportunity to be in that proactive posture.
Robert Cruz: But secondly, from somebody that's spent most of my career in a virtual or remote or everywhere sort of work mentality, I think some people will find this very comfortable. And I think as we emerge from this, you will find that there will probably be more individuals that would prefer the remote work situation, and maybe driving toward an inevitable outcome where you see more individuals wanting to stay in a remote situation. And on the other end of the spectrum, there's those that, this will be entirely foreign, and you need to make sure that you can reach out to those individuals, provide them the help and support. Get your power users, the folks that are accustomed to this, to reach out and give some guidance to those that aren't as comfortable and familiar with some of the remote working environments.
Robert Cruz: Terrific. I see one question that came in along the way that we addressed, I believe, in some of the FINRA guidance, and then the second one that came in regarding IIROC. And Marianna did post in the chat the IIROC guidance pertaining to Canadian firms.
Robert Cruz: Katie, was there anything else that came in?
Katie Findling: Yeah, there was one more question. So it is, “what are the record retention requirements for information shared onscreen using these collaboration tools?”
Elin Cherry: Do you want me to take a shot at that, Robert?
Robert Cruz: Sure.
Elin Cherry: If you're using a collaboration tool and you're sharing things onscreen, it is an electronic correspondence that needs to be maintained. You need to be capturing the screen sharing, etc.
Marianna Shafir: And I agree.
Robert Cruz: Go ahead.
Marianna Shafir: I was going to say, last year FINRA came out with the 2019 report and examination findings and observations. There was a section just on digital communications alone, and they specifically said that if you use an app-based messaging service or a collaboration platform, you must preserve the records of business communications and supervise the activities and communications of those persons. They did specifically mention it already last year.
Robert Cruz: Great. Excellent. Well, I really appreciate, Elin and Marianna, you spending the … hour with us. I really appreciate your insights. Thanks very much, and you have information that folks can reach out to you directly.
Robert Cruz: I'm going to spend the last couple of minutes wrapping it up and talking about, just briefly, how Smarsh can help organizations in this area. In moving to the final chapter here, as I mentioned at the beginning, the capabilities of Smarsh really align very well to the dynamics that are happening now. There are various communication channels that we're able to capture and maintain with the Connected Capture suite. And we've built those connectors to be able to deal with the rigors of firms that have regulatory obligations. So as opposed to try and to do this yourself or use the freeware or capture natively from a mobile provider or from Slack, we're ensuring these communications are robust, that we're preserving all of the metadata, all the contextual information, which now is even more important because of the nature of collaboration and conferencing technology. The connected capture suite is basically providing the products that you can very quickly and easily deploy, whether it's Team or Slack or other communication sources.
Robert Cruz: Once that communication is captured, then we have the option of either delivering that to our archive, our content store, where we're able to preserve all the uniqueness and richness in the interaction that's happening on a conferencing tool, something our clients are already benefiting from if you have a persistent chat or information that's traversing across multiple networks. We have the ability to preserve all of that and respecting the conversational context. We also have the ability to deploy in multiple geographies so that as you have different guidance that emerges in Canada and the UK and elsewhere around the world, we deploy on a multi-cloud, cloud-native strategy so that you can deploy in each of those geographies to meet each of those unique requirements and do that in a way that companies that have to rely upon their own data centers just can't be as agile.
Robert Cruz: We also have the option for firms if they want to use their existing email archive. We can also take the content that we've captured and delivered it to those archive systems that have been in place for the purpose of management of email. Once that information is within our system, we're able to then enable supervisory review, e-discovery and also deliver it to third-party applications, whether those be business intelligence or content surveillance or other external business applications.
Robert Cruz: The list of networks continues to increase and will continue to grow now probably even quicker because of all the new collaborative technologies that are emerging. You see the list here on the IM and collaboration space, a very familiar territory for the organization. For firms that are beginning to venture into the collaborative space or a new messaging app, chances are we've got an existing set of technologies that are equipped to be able to address that demand. Also very importantly, we're able to deliver that information or capture that information, say, using an API, so that you've got your own messaging app perhaps that you've built, and you want to be able to capture that communication, you can use our API and software development kit to be able to make sure that information is stored appropriately.
Robert Cruz: Supervision, finally, is the ability to take all these heterogeneous content sources, all the different communication sources, whether they're collaboration or communication or email or social, aggregate them into one spot so that you can very efficiently define policy, conduct supervisory review, and get those items that need further attention to where they need to be. And as companies go through these transformations from a centralized to decentralized model, we have the flexibility and the workflow to be able to make the change very seamlessly so firms don't have to go through a major exercise in rebuilding their systems to adjust to a new way of doing supervision.
Robert Cruz: With that, I think we have reached the top of the ... or the end of the hour. I really appreciate everyone staying on the line. We will make this recording available, as well as the links. This webinar will also be recorded such that you can share it with your colleagues internally that may not have been able to join. We can make sure that we get this out to the other individuals that need to know inside of your organizations.
Robert Cruz: With that, I will turn it back to Katie and wish you good health, and thanks very much for joining.
Katie Findling: Thank you everyone for joining, and we will indeed get this out shortly.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.