Addressing the demands of a mobile, virtual and stay-at-home workforce is not a new topic. Hiring the best talent – regardless of whether or not they reside in proximity to company facilities – is a competitive reality for many organisations. But the global coronavirus (COVID-19) outbreak has suddenly amplified interest in this trend at companies large and small around the world for existing staff as well.
Many firms, for a variety of reasons, have been slower to embrace advances in technology to support a non-office dwelling staff. Until now.
During this webinar we will discuss:
- Should companies consider software that is “free”? What about WhatsApp and WeChat?
- Should regulated firms reconsider their policies on restricting access to features of their existing collaboration tools like Microsoft Teams, Slack and Zoom to ensure their staff are productive while working remotely?
- And how to do this in a compliant manner
Director, Solutions Engineering, Smarsh
Shaun Hurst is the International Technology Director for Smarsh. He has over 18 years of experience solving complex IT challenges for Financial Services Institutions and is a subject matter expert in topics like e-Discovery, Compliance, Regulatory Requirements, Data Privacy, and Cloud Computing.
CEO and Founder, Umony Limited
Dean Elwood is the CEO of Umony Limited. He has been involved in telecommunications innovation since the late 1990s. Drawing on his experience in the VoIP industry he has created a series of products solving communications problems.
In 2008 he founded Voxygen and built the compliance mobile call recording platform for O2. After selling the business in 2014, he founded Umony, which now, alongside mobile call recording, has also developed solutions for compliant use of encrypted messaging applications such as WhatsApp and WeChat.
Transcription of Webinar Audio
Aleks Fedorova: Hi, everyone. We're just going to give people a few minutes to join and we'll begin the webinar shortly. Hello, everyone. Thank you for joining us for today's webinar, Stay-at-Home Workforce: Best Practices for the Compliant Adoption of Collaboration Platforms. Please be aware that all participants will be muted for the duration of the call. If you have any questions, you may submit them via the GoTo webinar or messaging app and we will attempt to answer as many of them as possible during the Q&A session at the very end. Joining us today, our presenters, Dean Elwood and Shaun Hurst. With that I'll hand it over to Shaun to kick us off.
Shaun Hurst: Hi, good morning everyone. Before we start, I thought I'd give a little bit of information around who Smarsh actually is. Smarsh was founded in 2001, and in the spring of 2018 we combined with Actiance, who are a leader in the compliance capture and archiving for financial institutions. We have a deep industry expertise in information capture and archiving, which we do with some of the largest companies in the world. We are both [a] Gartner Magic Quadrant and Forrester Wave leader, which we're very proud of, and we provide a single-pane view into all your communications and collaborations tools using the best-of-breed archiving technologies.
Shaun Hurst: The way we communicate today has changed significantly. Where once email was dominant, this is no longer the case. And it isn't just a generational thing anymore. People are realizing the benefits of communicating and collaborating with tools we have available to us today. Chat and instant messaging have become dominant, and the immediacy of this form of communication is attractive and a little bit addictive.
Shaun Hurst: Tools like WhatsApp, Facebook Messenger and WeChat show huge numbers of daily active users. A fifth of the global population uses WhatsApp every day. This could be in their personal lives, but increasingly they're also using this for business purposes—especially in the work-from-home situation we find ourselves in at the moment. I'm sure Dean is going to talk a little bit more about this shortly. Mobile text messaging, screen sharing and video calling has also seen a significant growth. But the one area which is consistently in favor is the in-person meetings, and that's across all generations and it's going to be here to stay. But this is a bit of a problem when your workforce are all working from home. This need for the in-person meetings won't go away; instead, a substitute will be found, and this is most likely going to be in the form of video conferences, voice calls and chat.
Shaun Hurst: In fact, the numbers from the last week to 10 days actually suggest exactly this. So some of the short-term trends that we're seeing with the current situation that we find ourselves in: Microsoft Teams meetings, calls and conferences are up 500% in the last 10 days, and although they aren't publicizing their figures, Zoom and Slack are also seeing massive growth, and this has resulted in a number of outages. I'm sure you have experienced some of these yourselves. And while these companies are scrambling to scale to accommodate growth, the fact that they're able to actually get these things up and running again within hours is actually rather impressive. But I put this down largely to the fact that these are cloud products and they inherently are built to scale and scale quickly. You know, cloud certainly is a fascinating area and somewhere that is becoming more and more essential every day.
Shaun Hurst: Yesterday, Bank of America told traders they can execute orders from home. This is unprecedented and it's pretty impressive. They joined peers like Citigroup, Goldman Sachs and JPMorgan Chase who already are allowing their traders to execute orders from home. However, the same regulatory obligations apply, which can be a challenge when considering the variety of methods of communication that are available to them while working from home. You can't force them to use tools that they would traditionally use at their desk in the office. They have available to them a vast array of other tools and communication/collaboration platforms. You still need to ensure that they are regulated and that you are being responsible with this. So I'm going to pass over to Dean. Dean has a lot of more experience in the mobility side of things. And Dean, what are you seeing in the space?
Dean Elwood: Thanks, Shaun. As you've already touched on, Microsoft Teams has introduced some issues [and] Microsoft have had to scale systems very rapidly. We're seeing very, very similar on the mobile space, but [with] slightly different challenges to be overcome with regard to scale. As some examples, we've seen this 600% increase in traffic. This is existing mobile call recording customers, and that has led to some interesting challenges and some difficult decisions for the customers. For example, several of our banks have on-premise recorders. Our platform captures the calls in the mobile network and streams the recordings direct to the bank’s on-premise recorder. These on-premise integrations inevitably have a limited, finite capacity, and so do the recorders. Because they're hardware-based these upgrades are pretty slow and can be difficult and expensive.
Dean Elwood: So as a result, we're seeing demand for hybrid-type solutions. So normal conditions continue to stream calls to the on-premise recorder but burst its cloud storage at the peaks or for temporary new added users. As well as the call recording traffic itself being up, what we're seeing is longer calls, these average call durations. The typical trader calls for us historically over the last seven, eight years have been quite short, two minutes or less, classic trader mobile call. We're now seeing call lengths at over six minutes. We're not entirely sure why; we have some theories that it's possible people in these situations just want social contact. We wonder how much of these calls actually have a few minutes of discussion about the current situation and the surrounding politics, governments’ announcements and that sort of thing.
Shaun Hurst: Trying to find that difference between, you know, the face-to-face meetings, trying to find a way to sort of accommodate that still, right?
Dean Elwood: Exactly. Social interaction. I find myself doing that more, I have to say, so it's … I can see that happening. The truth of it is we don't know why. We can hypothesize, but that's one of the strongest hypotheses I think that we're aware of. What it means to us from a technical platform perspective is that longer call durations ultimately means higher concurrency. And that in turn is having an amplified effect on the on-premise systems as well as our own network and the carriers' networks. EE made an announcement a couple of days ago to say, "We're aware of problems. We're working on it to increase capacity to meet the demand," but as well as the sixfold increase in call volumes, we're seeing these longer calls, which just amplifies the concurrency, the scale issue and the value of cloud and the ease of which you can … greater ease with which you can scale cloud.
Dean Elwood: I think also from a compliance point of view, when it comes to audits, three times as long calls, it's going to be … longer for the auditor to find what we think is going to be likely a very short … quite a short piece of the audio that relates to a transaction, from an audit trail point of view. So, the auditors now have got six minutes’ worth of audio to get through to find the relevant two minutes … that's going to provide some interesting….
Shaun Hurst: Well, I think less so the auditor and less so the regulator, but more so the actual banks trying to find the relevant information, making sure that they're able to find not just the relevant information within a call, but relevant calls. With the longer calls, they're having to spend a lot more time on it, so making sure they have tools in place that not only can accommodate these increased size or length of calls. And it's not just calls. It's video conferences as well, [to] be able to accommodate them but also be able to search them and get through them quickly so that they can find the relevant information to be able to pass that along to a regulator or an auditor.
Dean Elwood: Absolutely. Sorry, I used the word “auditor” loosely. I mean internal and external, but yeah. Thank you. I completely agree. WhatsApp and WeChat and other similar systems, we've seen an increase in demand from our customers for WhatsApp Capture. We're seeing some really interesting use cases right now around disaster recovery. So there are a number of our customers that had already been using WhatsApp groups for disaster recovery, and we're seeing more of those being created. And there's more desire than we expected to have those captured. Even though there's no particular regulation we need for disaster recovery conversations to be captured, what the regulators have said is that when you have a group of bank employees in a group chat talking, there is an inevitability of market chitchat that happens and that requires to be captured and we want the ability to be able to see it.
Dean Elwood: There was a recent ... back in January, I think, a chap called Edward Koo, who is a JPMorgan trader, he'd been a trader for 20 years—this is an experienced trader—got called out by this and fined by the FTA because there was an office group on WhatsApp and it wasn't, I don't think it was intended to be, for people to trade on. But it's this inevitable market chitchat that happens. So even in the DR, disaster recovery scenarios, we're seeing a need for capture. Aside from that, I think it's important to bear in mind that these tools are becoming more and more business as usual. There's a, I wouldn't name them, but there's a top 25 bank we met with a few weeks ago that said to me that WeChat is currently the biggest trading platform in Asia. And he was of course half joking, but he was making a point about the proliferation of these tools being used at the office.
Dean Elwood: There's another bank, a top 10 bank, who showed me a WeChat group where international trading with China is happening right now. This particular bank wasn't in the group, but they desperately wanted to be. Because they can see the level of transactions that they're not involved with, and they basically said to me, "Dean, look, the deals we're missing out on." We're seeing demand for that anyway. It's not just the current situation.
Dean Elwood: In terms of general and the current situation, the FCA are really only giving broad guidelines on what to capture, and not recommendations as [to] what tools to use or what they allow, or they don't allow. The regulators are not talking specifically about WhatsApp or WeChat or similar tools, but that their view on their use does seem to be pretty consistent.
Shaun Hurst: And that's something I think the FCA do in general, that they generalize in terms of what they make suggestions with. There's no definitive—they’re not going to mention specific tools, specific modalities of communications to make sure that you are complying with their regulatory advice. The fact is they're going to give a general gist as to what needs to be captured, what needs to be monitored, what needs to be supervised against. And that's not really different to the advice they're giving now around the current situation. So, we'll move on to that.
Shaun Hurst: This is the FCA response to COVID-19 as it applies to the communication and collaboration elements, which is obviously our business. Number one is the operational resilience. So as always, contingency plans need to be in place. The FCA expect that all firms have contingency plans in place to deal with any major events and also that the plans have been tested. Of course, we are in unprecedented times and these contingency plans are well and truly being put to the test. However, people are finding gaps; and if you do find these gaps, make sure you're doing all that you can to fill them. Many of our clients are racing to fill these compliance gaps and we are doing everything we can to accommodate the requirements. We are deploying services far more rapidly than ever before and we're being very flexible commercially. We are trying to be as understanding as we can in the current climate.
Shaun Hurst: Yeah, you need to continue meeting your regulatory obligations. For example, if a firm has to close a call center, requiring staff to work from other locations, including their homes, then the firms should establish appropriate systems and controls to ensure it maintains appropriate records, including call recordings if required. Now call centers, that's one thing when you're actually trading from home, like I mentioned before with Bank of America. That takes it to a whole new level. Not only are you having to record all your phone calls, but every other form of communication as well, which could potentially either lead to a trade or actually lead to a trade. These are going to be very challenging situations to consider, but they definitely need to be considered. And that brings us to the market trading and reporting.
Shaun Hurst: It's understood that there will be difficulties in submitting regulatory data. The FCA understand that, but they expect you to maintain appropriate records during this period and submit the data as soon as possible, and there should be no unnecessary delays. So again, there's that vagueness, but that is what the FCA are advising; and it's about you making best efforts. Firms should continue to record calls. Some scenarios may emerge where this is not possible. Firms should make sure that the FCA is aware of this. If you're unable to meet these requirements, you need to get in contact with the FCA and let them know the situation. But they also expect that all firms consider what steps they could take to mitigate these outstanding risks if they're unable to comply with their obligations—to record your voice communications, for example. This could include enhanced monitoring, it could be retrospective review once a situation has been resolved, but all these things need to be kept in mind.
Shaun Hurst: When it comes to the market trading and reporting, firms should continue to take all steps to prevent market abuse risks. As always, your market abuse risks are going to be a key area of focus for the FCA and again, including enhanced monitoring and retrospective reviews. But the challenge will be in the capture and monitoring of all relevant communications, including these new channels. And this is one area that Smarsh has been on top of the game for many, many years, not just at the moment.
Shaun Hurst: And you know, if there is some element of concern that you have around ensuring you're capturing everything you need to capture from a communications and collaboration perspective, you need to talk to a company like Smarsh. The FCA are not going to take excuses because there are solutions out there.
Shaun Hurst: I'm going to move on to the next slide, which is a few resources that are available to you. These are some of the responses that the various regulators across the world have given, including the FCA. They are being updated constantly. I believe, Aleks, that we will be sharing this information after the fact, but this is, this is somewhere to go and have a look. Even if it is a regulatory body that doesn't have oversight over your specific country or location, it's still good to go and see what they're saying. And in general, it's pretty similar, the advice that has been given across these various regulators.
Shaun Hurst: Let's talk about being strategic about these collaboration and conferencing technology choices. There's a strategy you can take, and this is our guidance. It is challenging times. It is unprecedented times. But having a good approach, having a structured approach is going to help you to resolve any outstanding concerns or risks that you might have.
Shaun Hurst: The first one is starting the benefit-risk analysis. Every organization should evaluate the benefits and risks of any new tools that you choose before allowing them to be used within your business. And this doesn't have to be just for our current situation, but this is good advice in general. The benefits could include things like the ability to replace in-person meetings or improved access to information, better productivity through collaboration. The potential risks that may be introduced to the business, such as potential cybersecurity, data privacy and most importantly regulatory compliance vulnerabilities. You need to take those into consideration as well and weigh up the risks versus benefits. If your key stakeholders conclude that the benefits exceed the risks and that those risks can be controlled and mitigated through the use of technologies such as Smarsh provides, then they tend to allow them to be used in business.
Shaun Hurst: Beware the freeware. A lot of companies, Microsoft included, Zoom, Slack, they have been very generous with their offers to increase the number of users that are allowed on their systems. The length of calls in the case of Zoom—and this is fantastic from them for an individual perspective, from a company perspective—from a regulatory perspective, this can be risky. These solutions have multi-tiered offerings and I'm sure most of you are aware of this, if you are choosing an enterprise version of Microsoft Teams, there are extra functionalities that it provides.
Shaun Hurst: One of the key ones when you consider the risks involved is the ability to perform compliance on these products. Capturing information from a chat tool like Teams is fairly easy on a broad scale; doing it in a compliant manner isn't as easy, and you need to consider that. For example, if you're talking to an external third party or an internal, you're talking between traders and something is pertaining to a specific trade. If there's no way to check that that communication is actually being recorded and being put into an archive, then that communication should not be allowed to happen. Doing this in a compliant manner is something that is really important. The IT leaders that are in your organizations need to show due diligence in exploring what these various offerings provide, and you need to make sure that they are sufficient to meet the firm's data protection objectives, and in addition to the comparative valuation of features across the various vendors as well. So just take that into consideration when assessing what products you're going to use to help with the current situation.
Shaun Hurst: Capture and storage. Every collaboration and conferencing vendor is unique in terms of the capabilities and support it provides natively to capture and store these communications, and your existing communications archive needs to be able to scale to this increased demand. As we see, [there’s a] 500% increase in the number of meetings and conferences that Teams alone is providing, never mind all the other tools. Can your existing archive scale not only to the volume but also to the sheer variety of the modalities that would need to be captured? You need to take that into consideration.
Shaun Hurst: The availability of third-party solutions to capture and store that content needs to meet your regulatory and litigation demands, and that should be a key component of your analysis. And don't just think about the current situation. Think about what happens at the end of this. There's going to be business as usual. It's going to come, whether that's in a few weeks or a few months. It's going to get back to that, and you need to take that into consideration. You don't want to be stuck with a mess at the end of all this.
Shaun Hurst: The key one here is updating communication policies. An important step for firms in the midst of deploying collaboration, conferencing tools is to ensure that the communications and employee conduct policies are up to date. Take into consideration the fact that people are able to trade from home now; that is a completely new situation. You need to make sure that your policies and procedures reflect this change. Conferencing and broader unified communications platforms offer a variety of capabilities and modalities, some of which may not be used without taking specific steps. For example, recording a conference with an external party without first having received the permission. You need to take that into consideration. Knowing the features of each tool and how that feature would be necessary for an individual to do their job should be considered in order to make policies relevant and specific to those who may not have had previous experience working remotely or managing a distributed team.
Shaun Hurst: And then lastly, training, training, training and retraining. Remote work can be a major adjustment for individuals accustomed to an office environment. And when you invest in collaboration conferencing technologies, you should work closely with the leaders and the key departments to design training programs that reflect the nature, timing and business impact that these tools are going to have. Ensure that your workforce gets the most out of your investment. I don't know, Dean, if you had anything to add here, what you're seeing. Or is there anything to add to the points I've raised?
Dean Elwood: You really made very well all of the points that I would have added in here. I think for me the key point is that this is strategic. It's all very well … there's an immediate need for this stuff. We all can see that in the current situation. But I do think it is important to remain strategic about it, because what we've seen for years is customers wanting to have banks as our customers, wanting to have a work-from-home policy; that's been around for years. This is not just about disaster recovery, so I think these things are important for the long term.
Dean Elwood: The only other point I would add is to say that it's worth remembering [that] many of these tools were not designed for compliance from the ground up. And as you say, quite rightly, that compliance is not just about recording. There's more to it than that. And that's why I think working with partners, working with a compliance partner who works with these tools I think will remain important.
Shaun Hurst: Yeah. And there are two key things that you sparked off my head there. Number one is you need to consider tactical response, but strategic response is also highly important. Consider from those two different avenues, making sure that you have an immediate response for what's happening right now. But you have to take into consideration strategy. Things will get back to normal, and you need to be prepared for when that happens. And the other one there, you know—your company, Dean, and ours—we are both, we live and breathe compliance. This is what we're good at. This is what we're experts at. Take advantage of us. Ask us the questions, give us a call. And if you have some concerns around how you're using your products today—what communication tools you want to embrace or are currently embracing or concerned that your staff may be using—we may have a solution for you. It's good to get in contact with us, and we'd be able to give some advice and some guidance.
Shaun Hurst: On the last slide I just wanted to talk a little bit about, you know, what do we actually do? I've told you who Smarsh is and where we come from. But when you think about Smarsh as a company, or when I think about Smarsh as a company, we cover not only the capture of multiple forms of communications, of collaborations and, using partners like Umony, where Dean works, we're able to capture these vast arrays of communication types and collaboration types. That's across email, IM & collaboration, social media, mobile text and voice—and voice could be voice over IP, it could be mobile voice. And then putting it into an archive that is able to scale, number one, to these increasing demands, but also is able to keep this data in a way that is easily searchable in one place. So you're not having multiple archives. And across a variety of these content types being able to get at that information, search for it, get it up on the screen quickly, but also be able to export and provide it to a regulator very quickly. That is where our archive works. And on top of that to provide that functionality, we have our applications like supervision, discovery, as well as third-party applications. If you're using a third-party discovery tool or surveillance tool we can plug it into our system.
Shaun Hurst: It's good to keep in mind. And if you do have any questions then I'm sure Aleks is going to provide a way to contact us if you want to find out a bit more about what we do, how we do it and how we can help.
Aleks Fedorova: Great, thanks Shaun. I did see a couple of questions come in during the presentation and we have some time to address them. I'm going to read out the first question and then Shaun or Dean, you guys can decide who will answer. The first question that I saw come in: “So how do you manage regulated staff who are using chat tools that we aren't currently able to record?”
Shaun Hurst: I think we touched on it during this presentation, and then Dean, I'm sure you have some input here as well. But you need to do it quickly. You need to show best efforts. I think the regulators, the FCA want to see that you're making efforts to mitigate any of these risks. Whether you're using a company like Smarsh to help you with these challenges or someone else, you need to take action. You can't wait. I know that from speaking to a few of our clients, they can't stop their staff from using certain tools. So you've got a couple choices: You can either try and force them down a road of using tools like Teams, but if you're not enabling the full functionality of Teams, if you're not enabling the video chat, for example, your staff are going to find other ways to do that. And by using free tools … doing a quick download of Slack and using that to communicate with their teams, that's what's going to happen.
Shaun Hurst: Try and push them down a road where they're able to do what they're trying to do. They want to have the voice chat, so that's fine. They want to have the video chats. That's fine. You have the tools in place or get the tools in place and do it in a way that you're able to still capture that information, especially for your regulated users. That's obviously where the question comes from. It's essential. The FCA are not going to let you get away with it just because of the current situation that we find ourselves in. Dean, I know that you've seen this a lot on your side of things on the mobility side.
Dean Elwood: Yeah, absolutely. The personal device is key to a lot of communications these days. It's just a fact. But I think you hit the nail on the head with the point that from the regulator's point of view, this is all about best efforts. And the only way that you can comply with best efforts is to make tools available so that if your employees need to use these mechanisms for communication, they can do it in a compliant way. And many of these are solvable problems; it's no longer an excuse to say, “there's no such product that helps us do that on the market today.” I do think it's really … the key part is around ensuring you make best efforts and you make tools available to the teams.
Dean Elwood: I think the one other point is to say—you mentioned about internal use of things like Microsoft Teams—but many of these communications are initiated by the customer, and that's where a lot of stuff tends to get out of hand. Most of the recent cases around WhatsApp, for example, have been instances where a customer has initiated the communications into the bank over WhatsApp. The trader didn't even really want to do it. And there's a lot of pressure from customers who demand a reply, and that makes it a challenge. But I think that key phrase to remember is “best efforts.”
Shaun Hurst: Absolutely. And that's something key to think about. Obviously my focus at the moment is our current situation that we find ourselves in, but this has been an ongoing trend. Customers often dictate how they want to communicate. Are there any other questions, Aleks?
Aleks Fedorova: Yeah, we just have one more. Question number two: “So our needs are immediate. Realistically, how quickly are we able to get a solution in place?”
Shaun Hurst: This is something we've been discussing internally. Traditionally, we've been able to respond very quickly to the demand of the customer. When you want to spin up a new capture environment, when you want to get these new modalities captured, we've traditionally been able to do this in a fairly responsive way. And our internal dialogue at the moment is to make that happen even quicker. We understand the concerns that people have in this current environment and we're doing everything we can to step up our professional services teams and make sure that we can get these products put in place as quickly as needed.
Shaun Hurst: We're definitely scaling up internally to make sure that we can scale up with yourselves. And on top of that as well, financially we know that this is also a challenge, especially when you're working with large financial institutions. Making those decisions to purchase new products, things like that can be difficult and can be time consuming. But again, we are willing to talk about flexibility on these areas as well. So it's definitely worth, if you do have these concerns, we're here to talk and we want to help solve your problems. So get in contact.
Dean Elwood: Just to add to that, I think for me the key thing is about compromise. I think it's a great question, and if speed is the critical point, then [at the] senior level within the bank, some policy decisions may need to be changed in order to ensure speed of delivery, from the bank's point of view. For example, as I mentioned earlier, a lot of our banks for mobile call recording are on-premise, and there can be six months’ lead times on ordering private lines and all of that sort of stuff, where a bank traditionally has said “all of our data must be on premise. We can't use cloud.” If you want speed it's probably going to be cloud. So that may require a policy decision on the bank side.
Shaun Hurst: Yeah, it's definitely forcing a few decisions. You know that the cloud has been for a long time the direction that people should be going. Some of the large financial institutions are addressing [it] but hesitant to actually embrace cloud for a variety of potential security reasons, compliance reasons, concerns they may have internally. But I think what we're seeing today is you're kind of being forced down that route a little bit, and there's going to be some elements of perceived compromise internally that needs to be made as well to work with partners that are providing these cloud technologies. We can't afford to stop trading; as a bank you can't afford to just shut the doors and wait this out for a few months. We need to continue helping banks to keep working, and banks need to help themselves as well by embracing these technologies so that they can keep working.
Aleks Fedorova: Excellent. All right, well that's all the questions that we have for today. With that I'd like to thank everyone for attending and thank you to our speakers, Dean Elwood, mobile compliance expert from Umony, and our very own subject matter expert and technical director Shaun Hurst. So just the last note, this webinar has been recorded, and a link to the recording will be sent out via email. If you were not able to get to some of your questions or a few didn't submit them, we will have someone reach out to you after this webinar to make sure your questions are answered. And you are more than welcome to send us any additional questions or just to reach out to us at firstname.lastname@example.org. Thanks again and have a great rest of your day.