Over the course of 2019, shifts in communication technology and the regulatory landscape delivered several significant changes to the financial services industry. Emerging mobile, social and collaborative technologies create huge risks for companies trying to keep up with the regulated landscape.
Join Elin Cherry from Elinphant, L.L.C. with Robert Cruz and Marianna Shafir from Smarsh as they cover:
- Key themes that emerged from FINRA enforcement actions in 2019
- How social, mobile, and collaborative communications impacted 2019 activities
- What we can expect from regulators in 2020
Vice President, Information Governance Solutions
Robert Cruz is Senior Director of Information Governance for Smarsh and Actiance. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and Discovery cost and risk reduction.
Corporate Counsel, Smarsh
Marianna Shafir is Corporate Counsel and Regulatory Advisor at Smarsh, where she’s responsible for legal and regulatory affairs worldwide. With her expertise in financial services industry, compliance and eDiscovery, Marianna counsels Smarsh clients on meeting regulatory obligations, leveraging technology and guidance on best practices related to electronic communications supervision. Prior to joining Smarsh, Marianna worked for BNY Mellon and Invesco where she was an instrumental member on compliance teams. Marianna has also served as an adjunct professor at New York Career Institute where she taught Law Office Management and Real Estate Law. She earned her Juris Doctorate from Nova Southeastern University. She is a frequent speaker at industry conferences and a contributor to various online publications.
Founder and CEO, Elinphant, L.L.C.
Elin Cherry is founder and CEO of Elinphant, L.L.C., a financial compliance consulting firm. She is a Capital Markets and Compliance Executive who has served as a key member of Compliance Senior Management teams. Known for gaining regulator confidence, she has a proven track record in managing regulatory relations and examinations and has strengthened firm’s credibility with regulators during times of financial stress. Elin is adept at successfully implementing Compliance Programs to enable firms to be proactive regarding compliance matters. Prior to founding Elinphant, Elin was a Principal and the Head of Capital Markets at Compliance Risk Concepts (“CRC”). In that role, she grew a book of business generating half a million dollars in revenue.
Transcription of Webinar Audio
Davi Schmidt: Hi, everyone, and thank you for joining us for today's webinar, A Year in Review: A Look Back at the Regulatory Compliance and Technology Trends of 2019. Please be aware that all participants will be muted for the duration of the call. Feel free to submit any questions you may have via the Go To Webinar messaging app and we'll attempt to answer as many of them as possible during the Q&A session.
Davi Schmidt: Joining us today are presenters Elin Cherry, Marianna Shafir, and Robert Cruz, and with that, I will hand it over to you, Robert.
Robert Cruz: Thanks, Davi, and thank you, everyone, for joining. Appreciate you spending some time in the holiday season with us. Today we're going to talk about the year in review—regulatory compliance and technology trends. The emphasis today is going to be focusing the SEC and FINRA and some of the things that have been happening in the financial services regulatory market.
Robert Cruz: Before we begin, just the standard disclaimer to begin with. Smarsh provides this material for information purposes only. Smarsh does not provide legal advice or opinions. You must consult with your attorney regarding applicability and compliance with laws and regulations.
Robert Cruz: Real fast, to go through the agenda today: quick introductions, and then we'll talk about some of the key enforcement actions in trends that we see from 2019. We'll then turn to how to be prepared for 2020 and some of the things we expect firms should be focusing on as they turn their sights toward the next decade. We'll finish it up with a brief discussion of how Smarsh can help, and some of our capabilities in the area of supervisory, as well as archiving technologies. We'll save enough time for Q&A on the backend and I would encourage you to submit your questions along the way. We'll insert the responses to those when they fit into the flow and also reserve some time on the end.
Robert Cruz: With that let's introduce our very distinguished panelists today. First, let me welcome Elin Cherry, Founder and CEO of Elinphant, LLC, a regulatory expert adviser to a number of firms across the financial services spectrum. So, Elin, thank you very much for joining and why don't you tell us a little bit about yourself?
Elin Cherry: Thanks, Robert, and thanks for having me on. I have a compliance consulting firm and one of the things we do among many is we set up firms for email review and we carry out email and correspondence review for those firms as well. I have broker dealers, investment advisers, research firms as my clients, but I see it on the user side every day, so I'm hoping I can bring that to everybody today. Thanks, Robert.
Robert Cruz: Outstanding, thanks, Elin. Next we have Marianna Shafir, Corporate Counsel from Smarsh. Marianna, thanks for joining. Why don't you tell us a little bit about yourself and your role?
Marianna Shafir: Thanks, Robert. I'm excited to be here today as well. Corporate Counsel, Regulatory Adviser at Smarsh and I'm responsible for the legal and regulatory affairs. At Smarsh, in this role, I help our clients navigate compliance obligations and technology trends, and industry regulations through my vast knowledge of best practices related to electronic communication supervision, and I'm very excited to speak today.
Robert Cruz: Terrific. Thanks, Marianna, and my name's Robert Cruz. I'm the Vice President of the Information Governance team here at Smarsh. Essentially our group is working with our practitioners—companies that are using our technology to address not just the regulatory compliance issues, but also issues related to investigations and e-discovery, and how they are now thinking about managing data privacy and other areas requiring information governance. I’ve been with this company for the past four years working across a spectrum of organizations and, again, looking forward to the discussion today.
Robert Cruz: For those of you that may not be as familiar with Smarsh, let’s talk about who we are as an organization really quickly. Smarsh has been in this industry for a number of years, since 2001, with our focus primarily in the areas of financial services and public sector, but also a number of clients and other regulated markets. We are a technology leader in the areas of both information capture as well as archiving, as can be illustrated not just from the Forrester Wave, but also the recently published Gartner Magic Quadrant for 2019. We're very proud to indicate we are to the farthest right and up in the Magic Quadrant, so we are very excited about that accomplishment and recognition from Gartner.
Robert Cruz: We focus very heavily in terms of the use cases of supervision and e-discovery, having the capabilities built within the products so that firms can accomplish those tasks, make those exercises more efficient and be able to deliver that data to wherever it needs to be. We are a combined entity now, the heritage Smarsh together with Actiance brought together in 2018, meaning that we have a very broad set of clients, ranging from the small and medium sized firms to the middle enterprise to the multinational organizations that are dealing with deployments of the highest levels of complexity around the world.
Robert Cruz: Let's get into the material and kind of look at some of the items that appear thematically from 2019. To start, I think there was a really important study or summary that was put together recently from FINRA, their examinations findings and observations from 2019, so a very good recap of some of the things that they've been involved with and the areas they focused on over the course of the year.
Robert Cruz: In looking at this report, Marianna, I think there were a couple of key things that popped out, including this digital communication section being mentioned for the first time. What do you take from this report as far as key takeaways in the areas of supervision, as well as dealing with some of these new communication sources?
Marianna Shafir: Thanks, Robert. At a high level, the inclusion appears to acknowledge that the number and nature of communication applications are rapidly expanding. Again, like you said, for the first time this section in the 2019 FINRA report mentions digital communications, which is a really big deal and it's something we really need to focus on. They mentioned collaboration tools for the first time, video blogs, livestream content, messaging applications with self-destruction capabilities, digital channels used to host electronic sales seminars are just some of the platforms included in the report, and it's very important to note what the report says in here, and quoted.
Marianna Shafir: In the report, they said, "If a firm permits its associated persons to use an application, for example, an app-based messaging service or a collaboration platform, the firm must preserve records of business related communications and supervised activities and communications of those persons on the application. Firms must remain responsible for conducting due diligence to comply with the Securities Laws and FINRA rules and follow up on red flags of potentially violent activity, and may, in some cases, use services provided by the relevant digital channel or third-party vendor."
Marianna Shafir: Which is really implying, because we've been saying this for a while, it’s not just email anymore, right? It's all these other communication channels, not just even instant message anymore, or websites. Now they're mentioning these other platforms, like the collaboration tools. This is really important, this is a big deal that we need to capture this.
Marianna Shafir: Also, noteworthy findings based on actual rule violations was around messaging and collaboration, which the report stated. In some instances, firms prohibited the use of texting, messaging, social media or collaboration applications, such as WhatsApp, WeChat, Facebook, Slack, and HipChat, for business related communication with customers, but did not maintain a process to reasonably identify and respond to red flags that registered reps were using impermissible, personal, digital communication channels in connection with firm business.
Marianna Shafir: I think many can relate to this. Many have a prohibition policy, but basically what the report is saying is it's not enough just to have a prohibition policy. Are you looking for the red flags? Are you doing supervision and making sure your reps are not using those channels? So it's not enough just to say no, you really need to have a process in place to make sure those policies and procedures are effective.
Robert Cruz: I think that's very interesting, Marianna.
Marianna Shafir: And there's something else.
Robert Cruz: Go ahead, continue, yeah.
Marianna Shafir: Just one more thing I want to mention was that the red flags that they detected and mentioned in the report were customer complaints, rep emails, outside business activity reviews and advertising reviews. I think this is so critical and important to know, because lots of times I have clients come to me and they ask me, how do the regulators find out about reps using personal channels for communication, business communication, and many, many times, it is the customer complaint. So that is really something to be reviewing and supervising as well.
Robert Cruz: That's interesting. Elin, from your perspective and the clients you talk to, I'd imagine that these two areas are something you're hearing about very frequently. I mean, number one, just what to do about WhatsApp and WeChat—a challenge for many firms, but secondly, just the idea of these red flags appearing, not just as kind of the normal client communications but potentially appearing elsewhere, in other business processes, in noting that those things are now responsibilities for firms to be able to monitor and inspect as well. How do you see these topics kind of playing out with your clients?
Elin Cherry: Well, you know for my clients, because this is a very real problem that the clients are facing, so it isn't as if the way that FINRA wrote this as if like there are red flags and they're just being ignored. It's that the firms getting their arms around the communication venues that are being utilized is a task in and of itself. The first thing I would say is you've got to work closely with your technology people and your firewalls. Many times, firewalls can effectively block certain websites that would allow you to communicate. I know this doesn't work for cell phones, but one thing you really should be doing is working on your internal firewalls about what goes in and the technology can give you a lot of information about what they're seeing and what things are being requested to help with.
Elin Cherry: The tie between technology and compliance should be tight because you don't want to wait for that customer complaint. You need to be on top of what's going on and your technology people know, even desktop support knows. So when somebody's having a problem with an app, they're calling desktop support—so getting that, educating desktop support on things that they should be informing you of about new applications is another good way to go about it. I would also say being very close to your sales people and the senior management, because they're going to hear, you know, like with WhatsApp, everybody knows the issue is in Asia. That's almost all they use to communicate with each other, so if you have Asian clients, you know that that's going to potentially be an issue for your business people because their clients all want to communicate on WhatsApp.
Elin Cherry: If you're close to the senior business people and you need to be finding out what are clients using, what are clients requesting, it's also a way of finding out whether their firm's going to make sure that they can either get a firewall up, get a policy up, or include it in their process of maintaining and reviewing.
Robert Cruz: Yeah, that's a great point and that's something we talk about a lot—the fact that a lot of these things are driven by changes in demographics, changes in the profile of your clients and the tools they choose to use, the things that they're familiar with. So you know, this notion of this being some sort of an IT push, it's really a function of just the change in the way that people want to do business, so I think it's interesting that FINRA is acknowledging that, both in terms of saying that there is the need to be able to examine where people are using these new networks and also to explore other business processes where these violations maybe arising. So very interesting validation, as Marianna said, of something we've been talking about for a while.
Robert Cruz: Let's get a little more specific in terms of some of the things that are being called out here. Marianna, when you look at some of the themes, I think there are also some categories that come up regularly or frequently across FINRA's activities for all of 2019. When you look at all the enforcement actions, all the exam letters or the monthly reports that appear, talk us through some of the things that you see as coming up most frequently.
Marianna Shafir: Thanks, Robert. Yeah, to note that every month at Smarsh, I look at all the recent enforcement actions and share it with all of our customers and clients. We also post it, you can follow it on the Smarsh website, to keep you guys all really informed on what's really happening out there, and this lets you know of recent themes or trends that are happening.
Marianna Shafir: The trends and themes I saw from 2019: Failure, of course, to execute on the fundamentals. FINRA fined a brokerage firm $90,000 for failing to establish, maintain, and enforce a reasonable supervisory system including the WSPs for the review of email and hard copy customer correspondence. Again, this is something that you guys should all be doing on a regular basis. It's not a new rule. You need to make sure that you are complying with regulatory obligations and your supervision. You need to make sure it's timely and you need to be doing those reviews.
Marianna Shafir: Because the firms did not conduct correspondence review close in time to receipt, any sales practice concerns or red flags raised through the correspondence went undetected for long periods of time. I always get the question of, “how often should I be doing the reviews?” There is no prescribed rule. Every firm is different, the method is a reasonable process. That's all the obligation really is, that's what the rule says. You need to just make sure it's timely—whether it's daily, whether it's weekly, you need to just make sure you are really doing those reviews.
Marianna Shafir: Elin, what do you see from the review process? What do you consider as timely?
Elin Cherry: Well, I mean, I think timely for communications is within a month, as far as actually reviewing it. I think the issue is making sure that it's happening and then that they're getting closed out and that there's not a backlog. Any time you have your employees change, and you're doing the reviews or somebody senior in compliance leaves, you can have an issue. But I really feel if you review within a month of the correspondence coming in, I think. Usually you want to have people on top of them regularly, and depending on your firm—some firms that are very large have people dedicated enough that that’s all they do—but the smaller firms, if you sit down once a week and do your review that’s fine. I would say if you make sure you never go beyond a month, that would be on the far end of it, I think.
Marianna Shafir: Agreed, if you're a really big sized firm, such as a bank, you probably will be doing your reviews daily. The smaller the firm, monthly could be enough, but you really don't want to backlog on those reviews, and you don't want the regulators coming in and saying, "Why didn't you review this?" Again, with Smarsh, with our platform and other tools, as long as you write your notes, there's an audit history, it's pretty easy so you can always go back and have the message stand on its own.
Marianna Shafir: Another enforcement theme I saw in 2019 of this year was a lack of focus on new communication tools, such as social media sites. The same firm also got penalized for failing to conduct a weekly review of their reps' social media sites. In this case, it was a weekly review and the only reason they got fined and got penalized for a weekly review was because in their WSPs, it says they would do weekly reviews and they weren't doing weekly reviews. So I always say, "Don't say you're going to do something if you're not going to do it. If you have it written in your policies and procedures, you need to make sure you're following your policies and procedures." If it says in your policies and procedures that you're doing a 4 percent review and you're doing a 2 percent review, you're missing the mark. You need to make sure that you're doing exactly what your policies say you're doing. Again, it's not enough just to have a policy, you need to execute your policy.
Marianna Shafir: Elin, I know you-
Elin Cherry: Yeah, I mean I can't emphasize that ... Sorry, Marianna, but that's like when you asked me the question about how often is enough to do a review and I said no longer than a month. I always write my supervisory procedures conservatively, and by that I mean, I'm hoping that they're getting done weekly but I may want them done every two weeks. I always make sure I build some buffer into what I say and what I'm doing, like I never squeeze myself into something where I'm going to get caught on something like this. But I suspect this is one of those firms, from my perspective, you know, if they were doing it monthly, instead of weekly, FINRA should have let it go.
Elin Cherry: But I suspect that it hadn't been done at all even though they said weekly. I suspect it's something like that, but again, don't write down something that you're not going to do and check. I mean I think that's the bigger thing, right? Check what your policy actually says, because after you start doing something, very few people go back and actually do a check. So it's kind of like check what your policy says and maybe after this call go look and say, "How often did you say we were doing our reviews?" Because I think that sometimes things get changed and we forget to change the policy.
Marianna Shafir: Very valid point. Actually, the FINRA report, they'd mentioned that one of the biggest sightings they also saw was not amending the policies. When policies get updated, they forget to actually execute that or vice versa, or they forget to update the WSPs. You just need to make sure that you are following your policies and procedures.
Marianna Shafir: Also again, mobile, not treating mobile as a first class target. I see brokers getting fined monthly for texting from their personal devices and one broker was fined $20,000. That's the biggest fine I saw for a broker getting personally fined for using their text messaging and personal email account to engage in business related communications with a customer.
Marianna Shafir: This is also very important because I do see the use of personal email accounts is a big trend for FINRA. They're fining brokers monthly because of this; they're looking for this. The broker consented to the sanctions that he caused his firm to fail to comply with record keeping obligations by using texting and personal email accounts to communicate business…and how again did the regulators find out about it? It was a written complaint by a customer, perfect example.
Elin Cherry: Marianna, the question that I get from my customers, and this is a real live question from a customer during an annual training is, you're running to meet a client. You're supposed to be meeting for coffee and the client's running two minutes late and they text you and you text them back, because you have each other's cell phone numbers and so they're like, "How much trouble can I get into," right? "Like do they really mean that we're supposed to capture this?"
Elin Cherry: I hated the question because the answer is FINRA really means that you're supposed to capture that, so it's really problematic, but people, because of the way they use text, they have a hard time thinking of it as, "Oh, this is something that has to go ..." Like, "Do they really mean this?" It's just a hard concept and I guess I very much empathize with people with this one. It's tough, right?
Marianna Shafir: Absolutely, it is very tough. I do sympathize as well and I think the issue also is once you just start texting that "Happy Birthday, let's meet for coffee," you're also opening the channel to start speaking about the actual customer's accounts.
Elin Cherry: Well, that's ... Marianna, that's absolutely right. That's what happens, it's a slippery slope. First, like you said, it's a "Happy Birthday," which would be fine, or it's "I'm running late," which would be fine, and then all of a sudden, it's like, "How did my portfolio do this month," and you're just responding to it, because you've set up this pattern, right?
Marianna Shafir: Exactly. I also remember at the FINRA conference a few years ago, we were actually discussing this, what is considered actually business communication is, you know, "Let's grab coffee," business communication and one of the brokers said the issue was not always really us. It's that customers want to communicate by text. They want to communicate this way, and they're just responding a lot of times as well. So that is something that we do understand and that's why we always say, once you start using these channels, we need to start capturing them.
Marianna Shafir: Again, don't forget about mobile as a first-class target. The regulators are fining advisers and firms—they have fined firms for not complying with capturing mobile. Another trend, of course, is supervision—that's never going away. This year I saw the SEC fine a firm $700,000, and the CEO was barred for failing to establish and maintain a supervisory system for the review of email. Again, you need to show you're doing those electronic communications supervision reviews.
Elin Cherry: Well, and one of the big things on this as far as finding out about other types of communications being used. If you've noticed, and I've seen this at one firm, that there are people who are regularly emailing their personal email address, receiving from their personal email address and sending to their personal email address, and things like that. Look, you really can't capture, your reviewers can't find out when people are using other things if you're reading the communications that you are reviewing and I think that's ... It's kind of also back to one of those red flags, but this is also about training your reviewers of one of the things you should be looking for in the communications is are they ... That the reviewer should know what communication devices have been approved and if they start to see, "Well, let's jump onto Slack," and Slack isn't approved, they should be raising that up to a supervisor.
Marianna Shafir: Yes, absolutely. Another great example, I always say, is lexicon, when you're doing the reviews, look for keywords, such as "Sent to my Gmail, Text me at this number," or "Don't text me," is also a big red flag sometimes. You want to look for keywords as well and the reviewer should know that when doing the reviews. And again, I think that the most important part is when you show the regulators that you're actually doing the reviews and looking for those keywords, it shows that you do have a supervision process in place. They don't expect everyone to get an A+ and have no issues, but they want to see that you are looking for some sort of red flag violation and that you have a process in place to escalate them, which takes us into not embracing advances in technology.
Marianna Shafir: FINRA fined a brokerage firm $300,000 for failing to reasonably investigate and escalate certain email communications of a rep, despite having been flagged and reviewed. This is actually a perfect example. With our platform, you're able to write notes, escalate the messages and make sure they're appropriately being reviewed by supervisors. In this case they didn't investigate and escalate certain emails that should have been and then again, what Elin was saying, the reviewers need to know this. Is that right, Elin? What do you see happening with this?
Elin Cherry: Yeah, I mean, the reviewers need to be trained, and we're going to talk about training a little more later, and the reviewers need to be supervised. There needs to be some spot checking. Reviewing emails and communications is not a fun job to start with, but there does need to be a supervisory process around it. You at least need to be spot checking and making sure that those things are happening, and the worst thing that you can do is flag a bunch of things in a system and then ignore them, because then you're not using the technology that you purchased. You can't just implement and have a reviewer and then not have the person above it following up, which is what seems like is happening here.
Robert Cruz: You know, great points here and I want to just come to a couple of them to move on to the next topic, but just the advances in technology, clearly this whole exercise was framed as RegTech at the beginning of the year, and that last point, we continue to see firms that are looking for ways to further automate the review process. Like integrating with surveillance technologies to be able to spot some of the more cleverly disguised risks to be able to look at patterns and trends and anomalies. So definitely seeing a lot of that, but let's come back to the topic of mobility and text messaging, because that's something that we also saw at the beginning of the year on the SEC side, where the Office of Compliance Inspections and Examinations also called out the fact that firms need to be thinking about how they're dealing with the use of texting.
Robert Cruz: I think this one, Elin, in particular, over the course of the year, no doubt this has come up in conversation with your clients. How have you seen them wrestle with this requirement over the course of 2019? What are some of the issues that you find firms are having with regard to the SEC guidance?
Elin Cherry: I mean one of the bigger issues with the SEC guidance is that it's guidance and not rules, so it's harder for the SEC firms to commit the capital to reviewing and archiving everything they're getting. So like they may be doing the basics, like they might be doing their email review but all their communications are really done on Bloomberg and so the investment adviser, client specifically, really struggle with where is the right place to be without overdoing it. Like you know, they want to be in line, but it's a big struggle for the investment adviser clients and so you know, you take a texting issue which is an issue for the broker dealers and you move that into the investment advisers where there's not quite as hard guidance that it has to be captured and it becomes a harder conversation to have.
Robert Cruz: Terrific, so let’s kind of look at the SEC in a little more detail and you know, I think there's some very interesting data here in terms of the SEC enforcement actions and kind of always the questions that comes up, is the level of inspection, the number of actions and enforcement activities going up, down, or sideways and how is it affecting different segments of the market. So, take us through, if you could, Marianna, some of the key things you see from the SEC enforcement actions from 2019 in terms of their focus and what we can expect in terms of trend lines for 2020?
Marianna Shafir: Yeah, so the SEC recently published its annual report for 2019 and what's interesting is the report shows a broad 862 enforcement actions. They obtained $4.3 billion in penalties and returned $1.2 billion to investors, firm's investors. With the last two totals representing the most for these categories since 2015, so what is this telling us? That enforcements have increased even though the data shows that it continues to be a top priority for the SEC, even ... What's interesting ... with a government shut down and a change in administration. I thought that's what was really interesting, so it's really showing it's on the upward. It's not on the downward.
Marianna Shafir: What was also interesting was the agency took the most actions against investment advisers and investment company acts, as you see the data shows. That was really, really interesting.
Elin Cherry: My take on this is a little bit different, is I look at these and I say, "These are all opportunities where the SEC most likely did a communications review before coming up with the enforcement actions." So even if I were to look at this and say, "Oh, you know what, I've got mostly broker dealers, so there were less enforcement actions," but when you think about all of the requests for correspondence and communications that came with each one of these enforcement actions, it says, "You know what, I'd better have my documents because the chances of me getting a request for information is pretty high."
Elin Cherry: One of the things, and this was a little surprising to me is what I have been telling ... as I'm been going out and I'm training people. You know, even if you're at a small firm and it's unlikely that there's going to be a request ... You're at a small firm, low risk, you think it's unlikely that they're going to request your communications, what you don't know is whoever you're working with, how your communication is going to get requested by the SEC from a client or from a competitor and all of a sudden, they've got your email there that leads them back to you. It's something ... I just look at this and say, "Look at all the correspondence requests that came with each of these enforcement actions, and would I be prepared to hand over my correspondence?"
Robert Cruz: Yeah, be prepared and so that overrides the broker dealer line looking as if it's in decline, when in fact it's still a significant number of requests firms need to be thinking about. And also, I think you've mentioned before, it's also reflecting the fact that there are a fewer number of broker dealers in the market than there were perhaps a year ago, so very interesting data here.
Robert Cruz: Where do we go from here and I think that the trendlines is kind of where I think a lot of folks are thinking about what to expect from 2020, more or less or the same. Marianna, could you start us off here, with some of the things you would expect to continue into 2020 or perhaps some things that might be different, just given what some of the things are that surface from these summaries from 2019?
Marianna Shafir: Yeah, so definitely an ongoing focus on supervision and record keeping obligations, that's keeping up in the recent FINRA guidance and the SEC Risk Alert. Also, compliance with digital communications, also mentioned in the FINRA guidance support, collaboration platforms, your personal channels versus your business, your personal email, your personal mobile. Also, Reg tools, you want to deploy your Reg tools to help compliance, also based on the FINRA RegTech Guidance, and as I just mentioned also, investment advisers should expect increased SEC scrutiny based on that recent SEC Annual Report. Elin, what do you think?
Elin Cherry: Well, you know, I'm really stuck on collaboration platforms because I think that that is ... Microsoft Teams, it's almost every client I'm walking into is wanting to use or are already using Microsoft Teams and like the chat function on a Team's meeting and things like that. It's really something you want to look at because there are some just fabulous tools for collaboration that are out there but it falls within digital communications that needs to be maintained.
Elin Cherry: I can almost guarantee you that it's very likely that people are using Teams even if they don't have it internally, that their external clients are starting to want to use Teams and other collaboration platforms. I do know with global firms, because the rules are different in other places, that they actually have implemented some of these, so if you're with a global firm, and you find that your foreign affiliate is using ... and I'm just going to keep using Teams as an example ... and they're using Teams, but you don't maintain Team within Smarsh, you need to really be thinking about that, and I kind of go back to the beginning when I was talking about firewalls, et cetera. You may need to do some of that work to make sure people can't actually access it, until the time when you're making sure those platforms are included in your communications review.
Robert Cruz: Right, and I think, Elin, when we talk about the capabilities to restrict access to some of these networks ... I mean firewalls are definitely one layer, but also just having the mechanisms in place to be able to block the use of channels or specific features within those channels or to enable controls in the way that those networks can pass through your infrastructure. I mean those are all available technologies to firms that we can talk in much more detail about.
Elin Cherry: Right.
Robert Cruz: But, you know, in terms of just the RegTech comment here or the bullet on that topic, you know, at the beginning of the year, I think FINRA said, as well as the SEC, they are using advanced technologies. They are using analytics and machine learning in the way that they conduct inspections and exams, and their presumption is that firms are using these same approaches. I think the use of RegTech to facilitate compliance, you know, definitely getting a very strong message and a lot of our clients have told us that they are investing significantly to see how this can make them more effective in spotting some of these issues.
Robert Cruz: Let's get to 2020 in terms of what the firms can be thinking about to be prepared, and I want to go back to what you said, Marianna, initially, which is just going through and doing the basics, not neglecting the core WSP exercise and making sure that you're consistent in enforcing your policy. What are some of the key elements here in terms of just focusing on the blocking and tackling aspects that companies should be thinking about.
Marianna Shafir: Yeah, so in the FINRA report, they specifically mention in their observations ... There's an observations section ... know where their observations, what they see firms doing out there, and they're not amending and updating their WSPs. One of the recommendations was policies must be up to date and must address newly adopted or amended rules. Also, regulatory testing and audit existing supervisory controls, making sure that your policies and procedures are effective, that they are working. Even if you're working with third party vendors for archiving and capturing, you need to make sure that's working. Don't just rely that, you know, you implemented it and it's just there. You need to check your systems that you have in place.
Marianna Shafir: Exam effectiveness of technology to keep up with today's information volume and variety, and you also want to make sure you're utilizing your platform, like incorporate the risk monitoring into your compliance program. Everything is a checks and balances. You need to make sure it's all working. Elin, what are your thoughts on that?
Elin Cherry: Well, I mean, I think the biggest catch here is making your written supervisory procedures reflect what you're actually doing, which we spoke about earlier but, you know, at least annually, I think that you need to step back and some of the big ones like with any of your correspondent reviews, just check your supervisory procedure. Make sure you're doing it, make sure you've gotten monthly reports, make sure they've gone to the right people, and it doesn't have to be a big exercise, it can be a relatively simple exercise but you need to check that because I think too often, people are performing the function and they don't go back and look at what we wrote down originally. I would say add these things to your calendar so that they're happening annually.
Robert Cruz: You know, and just, Elin, on that point, we often see clients also saying, as they roll out or as they evaluate a new communications network, making sure that they understand what the specific modalities are in that tool. Microsoft Teams is a great example, so that your policy addresses all the different ways that you can interact with these newer approaches that incorporate voice and video and bots and emojis and AI. You know, having use cases to find and having those reflected in their communications policies is definitely a good place to start.
Elin Cherry: Agreed, that's ... I mean, go ahead.
Robert Cruz: Terrific, so take us now to the supervisory task itself. I mean when you look at firms trying to wrestle with, in some cases, 60, 70, 80 different communication sources that they may be allowing access to, how do you expand your supervisory circle or how do you change your process to reflect the fact that people are interacting through all these new mediums? I mean, what would be some things that you would call out, Elin, in terms of how to adjust your protocols?
Elin Cherry: I think the first one is I think it's better to be over inclusive of those mediums than under inclusive because people are using them, so it is ... I think that the mindset in the past has been, "Well, we'll just prohibit this. We'll just prohibit that," and as you guys said at the beginning, that just doesn't ... the prohibitions don't work so well. I think that we need to really change our thinking and it needs to be how do we easily include that and it needs to lean more towards a, "Yes, let's include it," than, "No, it's too expensive," "No, we can't."
Elin Cherry: I think that the beginning answer and I think technology has gotten better and it is less expensive to include all of these things and that's where we need to be looking rather than the, "No, we're just going to prohibit it." I think that was the easy answer initially. I don't think that's a realistic answer. I don't think you can be ... You can't be talking to your clients and say, "Well, you can only talk to me through these two communication channels."
Robert Cruz: Mm-hmm (affirmative), I think, if all ... so you look at the right side of the chart, the notion that there's this spectrum of risks and a part of what is embedded there is the idea that those who have intent on doing something bad, were going to go to a place where they think they can avoid detection. I think that's where you see them mobile in the collaboration, in the ephemeral messaging types appearing as kind of areas of higher risk because someone is not going to ... They're not going to launch a scheme in email, because that is in the supervisory process. They're going to be looking for those edge devices and networks that they believe may not be subject to inspection.
Robert Cruz: Marianna, we deal with this a lot, just mobility in particular. How are you seeing firms adjust supervisory process to deal with mobile devices?
Marianna Shafir: It's similar what Elin said, for long time I've seen a prohibition policy because saying no is an easy answer and I've been saying that no should not be the answer, it should be yes. Like she said, it's definitely easier to comply with now and I think what's interesting is that FINRA's recent report mentioned, as I mentioned earlier that they see many firms have a prohibition policy but that's not enough. They're not checking to see that their prohibition policy is working and effective and that's where they could really get in trouble, so I think just complying now and capturing those communication channels will definitely make it much easier than just saying no.
Marianna Shafir: You can say no right now, but I always say like every year, that you're going to have to add on those channels. It's just a matter of time.
Robert Cruz: Right, and, Elin, I think your last point on the slide regarding the "Supervising the supervisors" is a great one and that just understanding where's the backlog, how are folks keeping up with the volume today and making sure that you don't have a bottleneck that needs to be addressed in terms of just the number of individuals trying to deal with the volume and variety of data that just continues to get more complicated and voluminous.
Elin Cherry: Yeah, and I mean I just think that still is an issue that is people, firms are still caught in a surprise situation about backlogs. Like after doing compliance for many years, I'm still seeing ... It used to be that you would find the stacks of papers under somebody's desk. Now those same stacks are kind of, I would say, "hidden in systems," and so that's where you've really got to make sure that things are being reviewed and that there's escalation reports going on. I just, I can't emphasize that enough.
Robert Cruz: Good. The assumption that risk and value live anywhere and everywhere, I think, is a great takeaway from this, but another aspect, I think, you've highlighted the fact that attestations are very powerful tools. So tell us a little bit more about that and kind of what you see firms doing.
Elin Cherry: Well, so I think that the annual attestation has become more and more important. In fact, we've seen where a firm has actually had people attest to the fact that they're not texting and then they find a rep that's texting, I mean, and the firm is protected but the individual rep isn't. I do think that's the right way to go about it, if this is clearly explained to reps. So what I've been doing in my training this year, when I've been working with my clients, we're definitely beefing up our annual attestations, but during the annual training, we're spending time telling people, "Read what you're signing and make sure you understand and if you're saying you're not going to text, you'd better not text."
Elin Cherry: This sounds contrary to my like, "You can't say no," but if you haven't implemented the right technology, you can't say yes either, so my encouragement is implement the technology so that you can say yes, but these attestations, they're protecting firms, not necessarily individuals, but they're definitely protecting firms and saying, we've trained, we've communicated and they agreed, they understood the policy, and I think that you have to do that with ... and part of the attestation should be that the person says, "These are the only communication tools that I'm currently using and I'll let you know if I use a new one." I think it's really important.
Robert Cruz: Excellent, hey, and so I think this leads just directly into the question of training. You know, in addition to the attestation, it's I think a very meaningful questions, you know, what do the individual reps and other front line staff need to know, what should they be aware of understanding the risks, understanding the things they should and shouldn't be doing?
Robert Cruz: Marianna, when you walked clients through a training process, what are the key things that you would say firms should be doing as a foundation?
Marianna Shafir: Definitely, it's not a question of should you give a training program. They should be mandatory. This is also something the regulators want to see. They want to see that you are training your reps and your advisers. Training needs to be explicit. You need to clarify which communication channels are permitted and which are prohibited. Again, and I don't mean just mentioning them briefly, you need to spell it out for them. You need to say, "These are not allowed."
Marianna Shafir: Just mentioning which ones are allowed and never mentioning which ones are prohibited is not enough. You need to mention, "WhatsApp, prohibited. WeChat prohibited." You need to make sure that you are training them on that. Make sure the users are engaged. Stay ahead of new channel demands. Ask them in a training session, what do they see out there, what communication channel would they like to use, and enforcement needs to be automated. I think also, I wanted to note in the recent FINRA report, a recommended practice by FINRA, they mention that some firms implemented mandatory training programs prior to providing rep access to firm approved digital channels and the training clarified the firm's expectations for business and personal digital communications and assisted personnel with using all permitted features of each channel in a compliant manner.
Marianna Shafir: That was directly coming from FINRA, that is a recommendation that they gave on training. I think that is something that firms should be implementing if they're not implementing that already. Elin, what are you sharing about training with your clients?
Elin Cherry: Well, I'm focused on training the reviewers right now, also the reps are important but just kind of to add on to what you're saying. My concern is training the reviewers, making sure they understand what they're looking for, what they're doing, what the policies are, what the rules are. You know, when to raise red flags. I mean training the reviewers is very important and also training the managers and supervisors who are on the front lines answering the questions when the employees on a day to day basis is important.
Robert Cruz: Great points here, folks, so I think dynamic nature of these programs, just reflecting that it's a continually shifting target in terms of what your clients are asking for as well as what tools are available with mechanisms to capture, since some are not designed or suited for the kinds of business that regulated entities and financial firms in particular are in search of. Yeah, very important considerations here.
Robert Cruz: I'm going to try to get through this next section fairly quickly. We have a few questions on the line that I want to make sure that we get to before the top of the hour. But first, thank you very much Elin and Marianna, great content, great insights, really appreciate you sharing those with us.
Robert Cruz: If I could just kind of give a couple of minutes here on how Smarsh can help, because I think the capabilities that we're offering are really well designed to address this growing variety and volume of information, just all of these new mechanisms that are now becoming popular and mainstream. It's really the way that we've set up our portfolio and on a front stack, you see our Capture Technologies and these are basically the ability to capture any communication source in its original context, understanding how a persistent chat is different than a social media post, different than an email, different than a text message, so the strategy and approach just work natively with each of the content providers, including the Telephony carriers, and make sure you're capturing the full context of that conversation.
Robert Cruz: Once you've done that, you can now deliver that content to wherever it needs to be, whether that's to your existing email archive or our Connected Archive and with the Connected Archive, we have both our professional version that is the technology used by over 6,000 companies in these small and medium size segments of the market, as well as the enterprise offering that is more for those that are dealing with the multinational requirements.
Robert Cruz: I should just add, that this week in fact, we have been in the process of rolling out our federal government cloud as well, for those that have FedRep requirements. The important points of these technologies are that they're allowing you to playback all of these communication sources, natively, so that you understand the context and you can get through the review process with the speed and the efficiency that you need to be given the volume of this data.
Robert Cruz: Now on top of our archiving technology, we have our applications, including our supervisory review application for those that need to set up the policies, need to have the lexicons to find, need to be able to demonstrate that they're following those written supervisory procedures. Application that's designed for rediscovery, helping firms to deal with the early stages of litigation and the ability and call and filter and apply legal holds against all of this data that's under management, and very importantly, the ability to work seamlessly with external applications via our APIs and extensibility, so that if you work with an existing legal review tool or a content surveillance application, we can work seamlessly to deliver data to those downstream applications.
Robert Cruz: The content sources, and an ever growing list and I think the key things here are, again, working natively with all of these content providers. We know why each of these is unique. We know what can implemented as far as controls in terms of capture, as well as archiving so the fact that we have done the hard work in building out all these connectors, as well as the APIs for new content sources is helping our clients stay up with the changes that they see in a client base and the preferences from their end customers.
Robert Cruz: The supervisory application, we have two flavors for our professional cloud customers, as well as the enterprise cloud customer. This is showing one of the new visualizations that we have available through the product, but essentially, it's really trying to improve the effectiveness of getting through the identification review and mitigation risk, whether that is just purely within your regulated base or as regulated users communicate with the rest of your employees or perhaps other issues that may be arising where you need to periodically inspect content to make sure there's nothing bad happening in the way that people might be using Slack or Teams or their mobile devices.
Robert Cruz: Key thing is that we're able to work with our clients to transform some with their existing policy sets to make those more easy to interpret and process and understand within our supervisory system. Very highly configurable in terms of being able to work with any kind of workflow a client has in place and also to monitor the progress as they go through that supervisory activity. This is seamlessly integrated with our enterprise archive product and we also work with other archiving technology if you want to use us for supervisory. Only we have the capacity to do that.
Robert Cruz: With that I think we have a few minutes left to turn to Q&A so let me hand it to Davi Schmidt and see if we have any questions that we can address here in the last couple of minutes.
Davi Schmidt:Thanks, Robert, yeah, we have a couple of questions we can go through quickly with the last four minutes here. One of the questions is "Can you please clarify your standpoint on attestations versus prohibitions?"
Robert Cruz: Elin, you want to cover that?
Elin Cherry: The difference between attestation versus prohibition. So, first of all, I think the attestation is to say that people understand what communication methods they can use and I do encourage firms to have as few prohibitions as possible, but if you do not have the technology to capture something, then you need to let people know that it is prohibited and people need to sign that they're aware that they're not supposed to be using it.
Elin Cherry: Again, I think that we have to get away from that, because I don't think that prohibitions really are workable for the foreseeable future but I think right now when everything is in such flux that people need to be signing that they're aware what the policies are and that the firm wants to be able to demonstrate to the regulators that they've done training and have told people what they can and can't use. The reason I'm against the prohibitions is just from a business perspective, the firms need to be able to communicate in the way that the clients want to communicate and so we have to change our mindset around and get away from prohibitions, but that's going to take a little bit of time to get there.
Davi Schmidt:Awesome, thank you. The next question, probably for you, too, Elin, how do you manage your registered reps who are receiving information on unauthorized channels and how do you move those communications to authorized channels?
Elin Cherry: So what I tell people to do when they ... Because this happens, right? This is what registered reps are really dealing with on a regular basis is that their client comes to them via text and what did I do, and my response is is respond to them and let them know that you need to move it to a different venue. If you can copy your email address or something or forward it there, but I say that just don't get in ... I think, we kind of touched on this, Marianna, earlier, is you start with a "Happy Birthday," and you end a month later or two months later with, "How's my portfolio doing."
Elin Cherry: It's just like move those communications as quickly as possible and quietly let your clients know you need to talk via this way versus a different way.
Davi Schmidt:Thank you. I think we have time for one question here. "How should companies evaluate the use of new communications to minimize compliance and e-discovery risks?"
Robert Cruz: I can take a first shot at that. I think one of the things we're seeing and this true in terms of supervision as well is just from a broader governance perspective, we see a lot of firms defining governance programs or protocols where there is a cross functional group that evaluates the potential acceptance of a new communication tool, and looking holistically at what's the value to the business of using this technology and what are the risks holistically in terms of potential compliance exposures, because you don't have a mechanism to capture it, because of sensitivity to e-discovery. Maybe there's information security or data privacy concerns that maybe surface.
Robert Cruz: We're seeing companies build these councils where they can evaluate these new tools as the business brings it to them on a regular basis. I think it seems to be working well, just in creating a holistic picture across functions of how we should say yes or no to some of these new networks and not just leave it in the hands of IT.
Davi Schmidt:Okay, thank you very much, with that, we are pretty much out of time. I want to thank everyone for attending the webinar today and thank you to our speakers. Please note that the webinar has been recorded and a link to the recording will be sent out via email. If you asked a question and we were not able to get to it due to time constraints, we'll definitely have someone reach out after this webinar to make sure all of those questions get answered.
Davi Schmidt:You're welcome to send any additional questions you have to us at Advantage@smarsh.com, and if you are interested in communicating with Elin and Marianna and Robert, their emails are here on the screen for you.
Davi Schmidt:Thank you for joining us today and have a great rest of your day.