Compliance and Technology: A Supervision Survey from Industry Professionals

Robert Cruz: Thanks, Davi. And thanks everyone for joining, I really appreciate your time. Very interesting data to share with you today. So, I want to get right to it. I'm going to provide some quick introductions, then we'll describe a little bit about the survey we conducted in the last couple of months. Really trying to get the practitioner view, the way that companies are thinking about supervision, the actual practices companies have implemented, things they're doing today.

Robert Cruz: And from that survey, we're going to focus on four key takeaways. We'll walk through each of those in terms of their implications and also what companies can learn from in this survey, both large firms as well as small firms. And we'll finish it up with just a brief overview of how Smarsh can help. And, let me start by first introducing our panel. We've got some great expertise on the line. Let me first introduce Elin Cherry. Elin, thanks for joining. Why don't you tell us a little bit about yourself and your firm?

Elin Cherry: Yeah. I'm Elin Cherry. I am the founder and CEO of Elinphant. We're a compliance consulting firm. And we focus on banks, broker-dealers and investment advisors. We do a lot in the electronic correspondence review space for our clients. So, this is particularly interesting for my clients. And thank you so much, Robert, for having me today.

Robert Cruz: Great to have you, Elin, thanks for joining. Marianna, over to you. Thanks for joining as well.

Marianna Shafir: Hi, everyone. Yes, I am Regulatory Advisor at Smarsh, responsible for their regulatory affairs worldwide. And in this role I help companies navigate the regulatory compliance obligations, technology trends related to best practices, electronic communication supervision. In addition, I also write monthly blogs at Regulatory Update. And you can find that on our website. About the recent enforcement actions, keeping you all up to date on the recent current events and news. And like many of you, I was also a Compliance Officer. I used to do the electronic supervision process. I used to log in everyday and look at all the emails, social media and look out for all of those violations at the firm. So, I do understand how overwhelming it can be. And I'm glad to be here and help.

Robert Cruz: Great. Thanks, Marianna. And my name is Robert Cruz. I'm the Vice President of Information Government at Smarsh. Marianna and I work very closely together. In the regulatory compliance space, in financial and elsewhere. And also around new discovery, other emerging topics that the practitioners in our customer base are trying to get their hands around. How can you most effectively leverage the technology we're providing? So, in that role, this is one of the things where the goal is to share best practices, the common concerns that firms are having so that we can all learn and collectively improve the processes that we have to work with.

Robert Cruz: For those of you that may not be as familiar with Smarsh, the company's been around since 2001. So, the focus has been always about helping organizations to communicate through the communication channels of their choice, the tools they want to use, the networks that your clients are pushing you to support, the tools that your IT organization is embracing. Whether that's Microsoft Teams or Slack or what have you. We have expertise on financial services as well as other regulated markets. And we've been named as a leader in the Gartner Magic Quadrant for the past couple of years. And also a leader in the Forrester Wave annual analysis.

Robert Cruz: We provide capabilities that are very specific to financial services and supervisory workflow. So, this topic is very front and center for us, just in examining how firms can get most out of the technology. So, let's turn to the survey itself. And before we hand it to the panelists, I want to just provide a little more context of what we've done here. And, as I mentioned, the purpose was really to understand from a practitioner perspective how are companies implementing their supervisory processes.

Robert Cruz: As we all know, SEC 204.2 and FINRA 31-10 it doesn't say explicitly, "You must do the following," it's allowing firms to define the written supervisory processes and ensure that they're enforcing them, they're expecting them, etc. So, we wanted to look at how companies are doing review today. What's the quantity and frequency review? And what kind of policies are they evaluating? Whether those are lexicon based, random sampling or other approaches. Roughly 120 responses to the survey, conducted end of last year, beginning of this year.

Robert Cruz: And pretty good mix between broker-dealers, RIAs, a little bit of both. Firms with both those capabilities. But also some insurance companies as well as a mix of other regulated industries. So, good cross section of companies that were a part of the survey. So, let's get to some of the key takeaways in the clearly a lot of interesting data. And I think it'd be very useful from Elin and Marianna to understand the implications and what are their viewpoints on some of the things that we've learned from the survey.

Robert Cruz: So, let's get to the first one, which is this consent of firms setting up policies and then forgetting it. The Set and Forget approach seemed to be a pretty common theme that we saw throughout the surveys. And Elin, there were a number of implications that we can learn from this as well as things that were revealed directly in the survey responses. So, why don't you walk us through some of the key ones in this area?

Elin Cherry: Yeah. Thank you, Robert. The overall, when we looked at the survey overall and all of the responses, the thing that stood out the most to me was the infrequency of adjustments to lexicons, exclusions, policies, procedures. And that many times it appears that once these items are set, the firm moves on and goes for years without adjusting them. And it's something I've felt when I've gone in to see my clients is that usually when I look at their email review foe the first time, it's been a long time since they've adjusted anything. And so, I really felt that the survey though showed that in its answers. And it's just an overall theme. There isn't one data set I can show you that says, "Oh, this is where it is." But the overall view from the results of the survey was that.

Elin Cherry: Now, I really feel that it's essential for technology to evolve as business objectives and regulations evolve. So, I think there's a significant risk to setting it and forgetting it. And the same with the policies and procedures. Marianna, I don't know, before we move on, if you want to comment from your view on that.

Marianna Shafir: Yeah. So, I'm looking at the respondents in the survey, Set it and Forget it was really the overall theme. Most of them a lot of times, you implement your lexicons, you leave it alone and you don't do any manual maintenance on it. And I even seen this when I worked with our clients at Smarsh. Many times they implemented a few lexicons, they didn't look at them again I don't think ever, so, they came to me and I would help with their policy tuning. And actually, it's funny because that really is an issue. Regulators do look at the maintenance of the lexicons. And even in Smarsh, in the platforms in the archiving system, you could see the last time that lexicons were updated.

Marianna Shafir: So, keep that in mind. We really want to avoid the Set it and Forget it approach. And during this webinar, we will give some techniques that we can help with preventing that Set it and Forget it approach.

Robert Cruz: Yeah, well, there's clearly a lot of implications here. And I guess the question I would have is, is this changing? Now that we're in a very different mode of operating, do you think that this Set it and Forget it mentality is going to evolve or would you expect us to continue? What would you think is going to happen here considering the events of the last several months?

Elin Cherry: So, I anticipate that until firms begin getting fined, people are going to be more likely to Set it and Forget it. I think people scramble to add teams or Zoom where they need to. I don't think they've sat back. And frankly, I don't think they've had time right now. But I do think that this is an area that, for my firms, we're looking at implementing an annual review of these things and seeing what we need to adjust and making sure we do that review and adjust as necessary. But the Set it and Forget it also goes more beyond exclusions and lexicons, it also goes to the percentage of your review, the frequency of your review, how you're choosing to do your review, have the tools increased, etc.

Elin Cherry: There's a lot. Has Smarsh ruled out additional functions that you're not using? There's a lot involved in this Set it and Forget it. And I think, and I really feel for the firms because I see it all the time, the effort of implementation is so hard and it's a lot of work and the maintenance of that to keep it up and make it forefront, you're just happy to get it running. But I think it's important to think about. You don't want to just set it up and forget it because it was such a burden initially.

Robert Cruz: Yeah, that's a great point. And, Marianna, I'd be interested in your thoughts there as well. Because I would assume that FINRA would look at this and say, "You used to review folks that were in eyesight, they were within a certain location. Now they're distributed everywhere." It would seem that they would presume firms are at least examining what that policy is and whether that should be done either more frequently or perhaps with more rigor in terms of the way that lexicons are defined, as Elin alluded to. What are your thoughts?

Marianna Shafir: Yeah, I agree. I would want to say Set it and Forget it and I would see it evolve. But I agree with Elin that it's really when the regulators come knocking on the doors of these firms is when they implement and update their policies. And that's really what they wait for. Or if they see another firm getting fined a lot of times as well, that's when there's a red light to update, to implement new policies. And which, there's so many resources today, especially with technology, that they don't need to just wait and Set it and Forget it. There's so many ways of implementing new tools to help keep up to date with the policies and the changes. So, I really would want to see it evolve, but yeah, many firms get stuck in the Set it and Forget it approach.

Robert Cruz: Right. And just as side, I would encourage you to look at the FINRA site. They've actually done a pretty good job of outlining and providing a series of resources that firms can look at of how to respond to the work from home scenario and what the expectations are going to be, moving forward. So, a good number of FAQs and things that they've been able to assemble. Okay, so let's move onto the second one which is the idea that firms will be able to ... get the mouse on the right place here.

Marianna Shafir: I know we also had a poll.

Robert Cruz: Actually, we did have a poll.

Marianna Shafir: We did have a poll.

Robert Cruz: Yeah. So, yeah, in fact, that's probably a good insertion point, just considering the Set it and Forget it, why don't we ask the participants, Davi Schmidt, what their feeling is in terms of how they've changed or what's changed in the way that they do supervision since this whole situation has arisen?

Davi Schmidt: Awesome. So, I have launched a poll now. Go ahead and feel free to answer it. So, the poll is, how have your supervisory practices changed since stay at home became the new normal? No change, supervising remote workers more frequently, reviewing additional tools used by work from home staff, adding more review staff or more than one of the above answers. Wow. Thank you all for the participation. Right now it looks like no change is leading, with about 62% at no change. 12% supervising remote workers more, 13% reviewing additional tools and 12% more than one of the above answers.

Robert Cruz: Interesting. And you know what, I think that's consistent with what we just discussed, right?

Davi Schmidt: Yeah, okay.

Robert Cruz: It sounds very much aligned with-

Davi Schmidt: Set it and Forget it.

Robert Cruz: Yeah. So, yeah, good to know. And I think it's, again, just reflecting that individuals are working very differently and communicating with clients and prospects in a very different way. It's interesting but aligning to the thoughts that you guys both provided. Excellent. So, why don't me move onto topic number two? Which is just supervision itself. So, implications here, Marianna, in terms of this finding that when supervisory processes stagnate that firms tend to fall behind the marketplace. What are some of the things to support this takeaway?

Marianna Shafir: So, FINRA firms are required to test and verify their supervisory procedures for electronic correspondence as required by rule 3120. But the survey's indicating that not many firms are really following that. Nearly one quarter of respondents, 23% indicated they've never reviewed their supervisory process or have set a timeframe. What does this mean? This puts firms at risk for penalties for violation of rule 3120. And we see this happening all the time, as I follow enforcement cases one of the biggest finds always are failing to implement supervision. And then with lexicons as well.

Marianna Shafir: Lexicons should be tailored to your firm's business and regularly fine-tuned and the majority do not have a routine process. 42% of those surveys say they only do an ad hoc lexicon review, which means there's no parameters around their frequency process. 14% they say they never even review their lexicons, which is quite a gamble in this regulatory frequently changing space. So, FINRA notice 07-59, as a they say, FINRA recommends that you have a combination of lexicon and random sampling approach. So, they do mention it that you do have to implement lexicons, you have to maintain lexicons, they're always evolving.

Marianna Shafir: A perfect example would be the Reg BI, which is going to be in effect June 30th. That's a perfect example how when there's new policies, you want to implement and update and modify your lexicons. What do you think, Elin? What are you seeing?

Elin Cherry: Well, this was one of the more interesting things that came out of the survey to me is one of the things we noticed, Marianna, in reviewing the survey answers, we clearly confused some people with this question because they thought the supervisory review process was reviewing the electronic correspondence versus actually reviewing the process by which you do electronic correspondence review. So, I thought that was really interesting that maybe we could've worded it better, but I think that most people feel like they're doing the review on a daily basis, or weekly or whatever they should, they're doing it fine.

Elin Cherry: I also suspect for people's CEO certification and the annual compliance report, they're going in and saying, "Is our system capturing email and are we reviewing the email and are we reviewing what we're supposed to be reviewing?" And they say, "Yes. Yes." And they say, "Okay, we've done a review of our review process. All is good in the world." That's what I think most firms are doing. And that's what the survey reflected as well, and the survey responses did. So, some people said, "Our whole review of our supervisory process is maintained in our system." Well, that's because that's where you've said, "Okay, we've reviewed so many pieces of electronic correspondence."

Elin Cherry: So, my thing is that on an annual basis you should absolutely be documenting and reviewing. You should be going through whoever provides you electronic correspondence supervision, the tool, you should be reviewing what new releases they've had, have you implemented them? You should review, are your lexicons up to date? Are your exclusions up to date? And you should be documenting all of that in some sort of memo somewhere. And I would also suggest probably making some changes. So, the survey clearly said that people aren't doing that regularly and the view is also that the ones that are doing it regularly, I don't think many of them are doing a full review of their process. They're just reviewing that their process happened as stated.

Robert Cruz: Right. So, some additional implications here. And Reg BI, lets' talk about that as well because I think that's a good point of ... is that a driver? Is that something you would expect firms to at least examine whether that provides sufficient coverage to be able to address some of the new requirements here. So, Marianna, why don't you take us on that point?

Marianna Shafir: Yeah, so, Reg BI is going to be in effect June 30th and that would just be a perfect example where the Set it and Forget it approach. This would be a perfect indicator, when there's new rules, like Reg BI, you don't just leave your lexicons alone. You need to update them, you need to implement new keywords to help with that supervision process. And that would be great to show the regulators that you are complying with the rules and you have the policies in place to comply with the Reg BI rules. Just alone, by updating or creating new keywords just for Reg BI really shows that you do have a process in place. So, I think that would be a great tip.

Marianna Shafir: As well as, when it comes to maintenance of lexicons, I wanted to mention a great tip. And I used to do this as compliance officer, at least annually set a calendar reminder, just one day of the year, lexicon maintenance. It's pretty easy. Look at them, modify them. Well, I created many lexicons for Smarsh. And how I did that was I look at enforcement cases. I look at what's in the news. What are other firms being fined for? When brokers are getting caught texting, what are they saying in those conversations, to look if your employees are texting.

Marianna Shafir: So, that's really great ways to create lexicons. There is no lexicon dictionary. We do have those resources that we'll talk about later, but there are ways of creating your own lexicons. There's resources on the internet. So, that is really important, to have a supervision process in place. Lexicons are part of that. And you don't want to be getting fined for not having up to date lexicons. So, I want to indicate that.

Robert Cruz: And, Elin, the point here is not that processes need to be uniform or homogenous, right? You have individuals, high risk brokers and such that may require a different process or different frequency. So, do you agree with the fact that it's not a matter of just the lack of uniformity? It's really more about ensuring that there is some consistent application of the policy that's been defined. Is that fair?

Elin Cherry: Yeah. I mean, you should tailor it towards your firm, and we'll talk about this more when we get into the ... but there are some things like, one of the reasons that I really wanted to do this survey is to get some benchmark numbers of quantity of review, frequency of review, to help my clients and my firm to be able to say, "This is where the industry is," because no one really knows where to be. But the importance is, is to take that information and then tailor it towards your firm and also further tailor it towards either, depending on the size of your firm, tailor it towards business lines or tailor it towards individuals so that you get it tuned correctly.

Elin Cherry: And I do think that the systems now do make this much easier. And we can talk a little bit later about if the systems aren't as difficult, if the systems are doing some of this for you, why aren't they being altered and changed, etc.? And I got some answers on that and some things that firms should be thinking about.

Robert Cruz: Great. And we'll go back to both those points. Both what can you use technology for and also what does one do, if they are deviating from the benchmarks and the norms, what are some of the things that they should do as part of an exercise to be able to close that gap. So, why don't we turn to the third aspect, which is the frequency and quantity review. And I think the message here that small firms can learn from large firms ... Add some color here Elin, what are some of the things that are to be learned by the smaller firms based on the lessons learned from others?

Elin Cherry: One of the things that I noticed, and frankly this was a surprise to me, but it shouldn't have been, when I think about what my experience has been in small firms versus large firms, it shouldn't have been a surprise but it was. What we really found is that small firms, and many of them are reviewing 100% of electronic correspondence, because they've decided that's easier than using lexicons or something like that. And then, on top of the 100% though, what's really interesting is they may only review once a month or once a quarter. But then they're reviewing 100%.

Elin Cherry: And larger firms are more anywhere one to five, with most of them ... there's even in between 0.05% to 2% of all electronic correspondence is what the larger firms are reviewing. And I would say that smaller firms, just because you're smaller and you're not going to have a big quantity to review, I'm like, why are you reviewing 100%? And the answer is I think they want to be able to show FINRA, "Hey, I'm reviewing something." But the benchmark is saying you don't have to review 100%. But along with 100%, the thing that was surprising to me is again the frequency. Just because you're small and you don't have much electronic correspondence, you can't wait once a month or once a quarter to review your electronic correspondence. It really needs to be timely.

Elin Cherry: Because if something happened in that electronic correspondence, you can't wait a month to take action on it. I think the regulators would have an issue with that. So, I was a little surprise to see some people said quarterly. And these were smaller firms, and I get that. But I don't think in any regulator's mind, would they really be okay with once a quarter going in and looking at electronic correspondence.

Robert Cruz: Right. Marianna, what do you think? It seems like 100% is not even a feasible option anymore. We're not having face to face meetings, everything is electronic. So, is it even realistic that companies could review 100% of everything that's happening via all these digital platforms? What's your take?

Marianna Shafir: It's great if a firm can review 100%. I think that's pretty rare. Of course, those are much smaller firms. But I do think you can have a process in place that can make it easier, more efficient. Again, you could utilize your technology to really narrow in on those messages that require those reviews. Quarterly reviews of emails is not enough, like Elin said. And another thing is, one, definitely you can miss a violation, having that supervision process, reviewing those messages timely can really show you what's going on in the firm and not wait until the regulators come knocking on your door that you had a violation or how did you miss this?

Marianna Shafir: But to the backlog, the more you wait and you're not doing those reviews, the more the messages and the workload is just going to pile on. I remember when I worked with clients, they would come to me and it's they missed the one week reviews or that monthly reviews and by the time they logged in, they had so many messages that they just chose not to review them at all. That's also you can't do that. So, I think it's really important to have those timely reviews. I know Smarsh has cues, which is really helpful and efficient. Every reviewer has their amount of reviews, they log in, it shows you how many messages you have left to review, if you review all your messages timely, you get a trophy, a digital trophy.

Marianna Shafir: So, the point is that there is technology to help make your review process more efficient. And I think it is really important to utilize your technology.

Robert Cruz: Okay. Let's try it again to get to the next slide here.

Elin Cherry: I think just while you're waiting to switch, Robert, I just think I would really encourage, if you can review 100%, that your resources should be used elsewhere and that you should put your lexicons in place and start doing more of a sample. I think the regulators would much rather see less than 100% and see more frequent reviews. And I think there are some firms that are still making some sort of manual workaround where they're not using a system to actually do their electronic correspondence. They're still trying to review somehow without having a system to do it. And I would say you're really putting yourself at risk at this point, the regulators absolutely expect to see a system especially with the changes with the work from home.

Elin Cherry: I think that it's a cost decision that is going to be an issue for these firms in the very near future that they need to reassess whether that risk of not having a system is really worth it. And this is even for the smaller firms, I really feel strongly.

Marianna Shafir: Elin, you raise a really good point that especially during right now, during the remote workforce, it is even more critical to have that supervision process, reviewing those messages timely is a great way to see what is happening within the firm. What are the brokers saying to their clients? How are employees communicating? Are your employees following the rules? So, doing timely reviews is really critical, especially right now, during the pandemic FINRA came out with a notice that you still need to comply with your supervision requirements and obligations. And I really highly recommend the reviews timely during this time.

Robert Cruz: Ah, went a little too far there.

Marianna Shafir: And that takes-

Robert Cruz: Thank you, guys.

Robert Cruz: Let's go to number four. Take-Away 4, Using Technology at its Fullest. And I think this is very timely because I think today, in fact, FINRA just came out with a release indicating that it's gotten approval to adopt some advanced technologies to use in their exam process. So, I think the expectation that FINRA's using advancements is probably now presumed that firms are doing the same. So, why don't you take us through the implications here, Marianna, in terms of how technology could be better to leverage in the supervisory process?

Marianna Shafir: So, the respondents were saying, 54%, most of the respondents used random sampling. That is good, at least half are using random sampling. Only 31% are using lexicon. And like Elin said, 39% are doing manual searches. Again, the regulator FINRA recommends a combination both. When I worked with my clients I really think it's a great checks and balance. You should be using both random sampling and lexicon searches. The random sampling ... are messages that are not in the lexicon searches. And the lexicon searches will find messages that are not in the random sampling.

Marianna Shafir: And so, again, a combination of both is highly recommended. And you can use you're archiving platform to do that. For random samplings, you can set a certain percent that you would like, you could set it daily, weekly. You'll have the messages right there, especially if you're using cues. Lexicons, again, you can use your archiving platform to add the lexicons for Smarsh in the policy section and you can set your lexicons to run and they'll find the red flags. You can also exclude the red noise. The white noise.

Marianna Shafir: You could set exclusions to filter the spam and use your technology to do that. So, you don't need to do 100% reviews. You can utilize your technology to help you, save you time, be more efficient and really get to the heart of the message. And only review the messages that require your review. So you can spend that other time doing other obligations that you have at work. So, really technology is really great at helping you advance the supervisory process. Yeah, also language translations.

Marianna Shafir: I worked with clients where they had their brokers speaking in Spanish in their messages, electronic messages. So, we implemented Spanish translations. That is something to think about. I have a firm fined before for not having lexicon language translations when their reps were communicating with clients in a different language. So, that is something to think about. Also, some of the survey comments said, "I'm not a technologist. I'm old school minded." Another one said, "We don't use a lot of new technology." And some ... they're old school, manual.

Marianna Shafir: But my comment is, it doesn't have to be that way if you already have an archiving tool, you can utilize the technology there. And there's helpful ways of doing it. So, what do you think, Elin? What are you seeing with your clients when it comes to not utilizing technology?

Elin Cherry: Well, I do think that, "I'm old school," seems to be a response that we got a lot. And what I would encourage people to do is, it's not hard to hire an intern, and there's lots of them out there right now, who can come in and update your systems and help you get up to speed where you need to be. And I would say you really need to, especially with the work from home environment, that you really need to, if you're old school yourself, you've got to outsource and get somebody in. I just don't think FINRA's going to be accepting of this, "I just haven't adopted the new technology that's out there."

Elin Cherry: Especially this far into things as far as how long ... email review has been out there from electronic correspondence since at least 2001 now. I don't think 19 years later that the regulators are going to be okay with saying, "I just haven't really used the technology that's out there." So, I think that that's really important. And I do think there's a fear of making changes to those lexicons, etc. and I think that that just comes from a little bit of the fear of technology. And I would say if you yourself have a fear of technology, the best thing that you can do is get somebody in your office, hire a summer intern, something like that, to help get over that bump with some of these regulatory tools.

Robert Cruz: I think that's a great point and we hear that from a lot of firms where you got to mix the people that are old school and those that are more technologically comfortable and just being able to get those that are tech savvy to help coach and guide along the others to make sure that people are making the most of the tools they have accessible. It seems like that's an important change management capability that firms should be thinking about. Again, from those that are comfortable and proficient in using social media or messaging apps, can help along the company or the individuals that are still reliant upon phone or face to face contact. The machine learning and surveillance response surprised me. Did either of you take note of that? The 18% in the survey that indicated they were using some advanced machine learning approaches in the way they do supervision?

Elin Cherry: I did take note of it. Even 18% is a lot, but there's still not ... we have, on the other hand, you've got people using AI. And then you have still not even using electronic surveillance system. And so, while I took note of it, I still think the AI is a little bit of an outlier. I would think that is where the regulators expect us to go. And I do think to be efficient, that's where firms need to go. I think it's going to be a cost efficiency. And it's just a smart use. Right now finding an issue in electronic surveillance, even with lexicons and exclusions, there's a high degree of needle in the haystack that firms don't like. I think AI is going to help address that. But I do think the lexicons and exclusions together can also really help gear towards the things that you want to look at.

Elin Cherry: But I think that AI, that's definitely the future. The machine learning and AI.

Robert Cruz: And I think you laid it out very well. We see that the way that larger firms are using it is to address the problem you just outlined. It's the fact that there's more data, there's multiple haystacks. And the needles can move among the haystacks. And so, how do you identify that effectively just using lexicons alone? So, we see that the AI getting applied where the red flag goes up. I see there may be a policy infraction and I want to then use the AI to be able to determine, what's the pattern? What's the sentiment? What's the behaviors going on? To be able to really get into the activity. The behaviors are underlying whatever this policy was about. So, it's really using these two things in concert that we've seen at least from some of the larger firms.

Robert Cruz: The other thing I wanted to ask about here is just the manual, the random sampling, whether we expect this percentage to go up or down given everything that's going on right now? It feels to me that firms will maybe start to think of adopting other approaches and that percentage will decrease. Do you guys see that the same way or differently?

Elin Cherry: I think it has to to be efficient. I really do. I don't know if it's going to be this year or next year, but I think to be efficient and not look for a needle in a haystack, I just don't see how random sampling ... I think it has satisfied a regulatory need. I don't see it as being the way that is truly able to identify issues in your business line. And I'd like to see it ... go ahead, sorry.

Marianna Shafir: No, I was going to say I agree. I think it's also an easier for firms outlets. It's a click of a button. And the archiving platform performs a random sampling but it's good to have, like I said, it's a checks and balances. But it is not the most efficient way to really find a potential violation.

Elin Cherry: It's a way to hit the percentage so that you can tell your regulators, "I've hit a percentage," and then that turns the job into a job that's ... It would be great if we could get better and better odds, and flagging things that actually need to be reviewed.

Robert Cruz: Exactly.

Robert Cruz: Before we turn to the last chapter, I thought this might be a good opportunity just to, two things, one, get your key takeaways from the survey overall. What did you learn? How is this going to be useful for your work in talking to other clients? What are some of the things you're gleaning from this in terms of benchmarking data? So, key take-aways from both of you?

Elin Cherry: The first thing, just two things that came up during our conversation that I'd like just to comment on is the foreign language. Please everybody, make sure, if you're getting a lot of foreign language emails that you have somebody who can understand that foreign language doing the reviews. That's been a consistent issue with international firms and their electronic correspondence review of being found to not reviewing certain foreign language. That all their people are only English speaking but they're getting in a different language. The other thing I can say is that we didn't ask about it in the survey but as far as, Marianna, you mentioned getting behind in your reviews, I have a lot of clients, I go in, they're a year behind in their reviews and you don't want to get into that spot. That's a very important spot and hole to get out of and to stay on top of.

Elin Cherry: But as far as my key take-aways from the survey, it's going to help me work with especially the smaller clients and saying, "Get your percentage down, you don't need to be doing 100%, you don't need to do 50%, you don't need to do 25%." And that's the biggest take-away for me, for my firm. But also, you need to come up with that percentage in a good way and you need to keep your frequency, my recommendation is going to be weekly. So, my big take-away from the survey is to make sure you're doing it frequently and make sure you've got a percentage that's around where the rest of the industry is.

Elin Cherry: And then the big one is, is do your review process and do a real review process. I hope I didn't take everything, Marianna.

Marianna Shafir: There's one more.

Marianna Shafir: I was going to say, my biggest take-away is utilize your technology. That's really the biggest take-away. No one is expected to do 100% reviews. Utilize it, it's a resource to help with your supervision process. Another recommendation is doing your timely reviews, having the right lexicons and also the documentation process. For the Smarsh archive platform there's a section that you can document your process. I recommend for every message that you look at, document it. That message will stand on its own. Even if it's a spam message, not material, this is spam. If you escalate it, write in documentation why you're escalating it. Because, remember, in a year from now, you're not going to remember that message. If the regulator comes and says, "Did you see this message?" That message will stand on its own and be like, "Yes, I have the documentation for it."

Marianna Shafir: So, you don't need to have the papers, you won't lose it anymore. Ti will be all in your archive. And I think that's pretty critical that shows your supervision process, that shows that you're reviewing the messages. So, that would be really my biggest takeaway.

Robert Cruz: Great. Terrific. And, Davi Schmidt, I think this is probably a [inaudible 00:42:56] a couple of questions I saw come in. So, why don't we do that here since I think they were probably directly relevant to either Take-Away number two or three. So, can you run those past?

Davi Schmidt: Sure. Yes, we did have a ton of great questions come in. One that was relevant to what you guys were just talking about was what constitutes a lot of foreign language in emails? Is that 2%, 10%, 50%, etc.?

Robert Cruz: What constitutes a lot of foreign language participation? 2%, 5%, 10%? Is there a number that you can say it's sufficient that you actually should be paying that additional attention to it?

Marianna Shafir: There's no number set in general. Regulators have no number or the amount percent. It's based on the firm business, the size, the employees. If most of your messages are in translation, are in a different translation, then I recommend a higher review. If it's minimal, then I would say smaller review of 2%. So, it really depends on the firm size. I wouldn't set a specific number based on just the amount of foreign translation. What do you think, Elin?

Elin Cherry: Well, I have a little different take. I think if you're starting to say, "I get 1% or 2%," as soon as you get into a percentile, if you're getting a random here and there that you could throw into Google Translate and you could do something with, I wouldn't worry about it. But if you have a rep that's regularly soliciting in another country, or their client base, if you have a rep with a client base that speaks a different language, you really should be having somebody who can review those messages back and forth. So, I wouldn't necessarily go on the percentage base, I would go no if your business is carried out in certain areas of the world, in a different language, you better be reviewing those emails somehow. If it's one every once in a while and you can throw it into Google Translate, I wouldn't worry about it. But if you start seeing them flip up regularly, you better have somebody who can read the language reviewing the correspondence.

Davi Schmidt: Should firms now be reviewing Slack, Teams, Zoom and other tools used at home?

Marianna Shafir: That is a big yes.

Elin Cherry: Well, let's be careful here about ... and I think one of the concerns is if it is approved by the firm for use and they're using it through their firm systems, the answer's absolutely yes. It needs to be included. I think the biggest risk firms face right now is that you're sitting at home with your personal computer next to your business computer and are you conducting business of off your personal Slack, your personal messaging and how are they monitoring that? And that's where I'd go back and look at your lexicons so that you could be capturing and looking. Are people sending things from their home emails into work now. But I think this fear for firms, if the firm has approved Slack, etc., if you're using Slack, it needs to be captured. If you have any indication that your employees are using it on their personal devices, you need to get it approved by the firm and moved to the firm device or have a way to monitor for it.

Robert Cruz: Yeah. I'm glad you brought that distinction up, Elin, because what we've seen for a lot of firms is the recognition that their employees are using a lot of new tools. And so, they're evaluating whether those tools should be added to their communication policies, whether those accepted use cases are well defined so that here's what you can and cannot do on one of these platforms. And for those things that are prohibited, having some mechanism to be able to inspect that people actually might be using, let's say a WeChat or WhatsApp or some other application that hasn't gotten corporate approval yet.

Robert Cruz: So, good to do both, making sure that your policies are up to date, to reflect the tools people are approved to use and also you have some mechanism to inspect those things that are on the prohibited list.

Elin Cherry: Right. And let's be clear, in my view there's a lot of firms that grabbed a new communication tool before they put it into their electronic surveillance tool during this situation of everybody working from home unexpectedly. I will say the firm, if there's anybody on the phone, they all know who they are out there, and all the compliance officers are nervous about it and every time people get on Teams and they know Teams isn't going through their electronic correspondence review but people are using the chat, you guys are all aware, the people on the call are all aware that sometimes the cart left the barn before the horse did and you've got to play some catch up. And I would say, you should make that priority right now.

Marianna Shafir: That’s also a great way to test for it and see if your reps are using those unauthorized channels is creating lexicons looking for those channels. Such as, "Let's chat on WhatsApp," or on WeChat. Just putting in those keywords will really let you know if they're using unauthorized chat. "Send to my Gmail." One of the most recent finds I see monthly are reps using their personal emails instead of business emails, firm issued emails. So, that is a great indicator to send lexicons to see if they are using their personal email.

Elin Cherry: Right. And one lexicon you should have is you should definitely have WhatsApp, WeChat and all of those things. So, if somebody's saying, "Let's switch to this," on their email, that's what people do. And I want to say my comment on people, on firms using these things without getting them into their electronic supervision process first, there's not a judgment with that from my perspective at all. And I even think FINRA will have some leniency to it. But you want to shorten that timeframe from when you started using it to when you started capturing it. And I only think they would maybe have leniency during the beginning of the pandemic. But the further you go on without including it, the less likely FINRA's going to say, "Yeah, this is okay.

Robert Cruz: Yeah, that's a good consideration during this interim period. Because the FINRA books and records requirements or supervisor obligations don't distinguish one communication source from another. If it's used for communicating the business of the firm, you have the obligation to capture. So, one last question, Davi Schmidt, and then we'll wrap it up with the how we can help one.

Davi Schmidt: Okay. Great. What guidance is SEC and FINRA providing about how firms should be conducting reviews during the pandemic?

Robert Cruz: I think we hit that one earlier on Take-Away number one. And I mentioned some of the guidance that FINRA has published. I think it was 2016 was the note that came out several weeks ago that said, "Here's what they're seeing in best practice." And by the way, we had a very good conversation with FINRA, with a number of their executives just highlighting some of these new dynamic communication sources. And I think that came out in that 2016 notice that says, "Be aware of using the home computer and not having security updates on the machines and making sure you're tracking the unauthorized prohibited network usage," and such.

Robert Cruz: So, I think a lot of those things were very well outlined. They're included in the FAQ. I think it's on top of the FINRA page, a nice set of resources firms can refer to.

Davi Schmidt: Let's do one more question. We had a couple of questions around this topic. Should lexicons be modified for new regulations such as Reg BI?

Marianna Shafir: Yes. I touched on that earlier as well. And they absolutely should. That's a great example that lexicons require maintenance. So when there are new rules being enforced, I definitely recommend updating your lexicons, creating new lexicons around the rules to enhance your supervision process.

Elin Cherry: Yeah. So, I'm going to do a little bit of the same. We put out an article with you guys, from my team wrote an article with Smarsh on updating lexicons, etc., with Reg BI. So, it is on the Smarsh blog page, if people are interested in it. And it does go into some of the detail around that.

Marianna Shafir: And there's some lexicon examples in that blog.

Robert Cruz: Hey, well, that's a very interesting, insightful discussion. Really appreciate you both sharing your insights. I think there's a lot of things here that firms could take away. And also, as you mentioned, Elin, benchmarking data that helps us in looking at firms and how they can improve the way they're doing some of their day to day supervisory tasks. And I want to get back to that one poin there in one second. But, again, thanks for both of you joining the call. So, the real quick tying this up with how Smarsh can help here.

Robert Cruz: The capabilities for providing can span three different dimensions, the first of which is making sure that the firm can capture all of the communications that are in use today by the organization. Whether you're now allowing the use of Zoom and Slack and Teams or WeChat and WhatsApp, we have the mechanisms, the ability to capture these communication sources in their native context and format directly from the source. Even including mobile and voice and being able to have information from the mobile device that is captured and then delivered to our connected archiving technology.

Robert Cruz: So, within this you have the ability to store, to supervise, to search and review, to export this information to other applications or to conduct supervisory review with our supervision app. Or to do discovery, the managing of a case and legal holes and things of that sort with our Discovery app. The networks that we support today are more than 80. And the important aspect of this, and this is I think really where companies are going to see this showing up in their supervisory processes very quickly, is that each of these communication sources are distinct. Each of these networks provide a differing level of ability to capture all the content, all the meta data, all the activity that's happening on Zoom or Teams or Slack or what have you.

Robert Cruz: So, the fact that we can do this natively, we can allow firms to use the communication tools that your employees are comfortable with or the tools that they've already been approved to use. We have the ability to support all of these sources natively. Supervision for us means in our two products, in our archive as well as enterprise archive, it's the ability to manage the process more efficiently. It's the ability to transform what might've been a very complex policy set, into something that's very intuitive and simple to use within Smarsh.

Robert Cruz: It's the ability to manage the lexicon, to continue to build the workflows and the policies that reflect the nature of your business. And as it changes you can modify and make those adjustments very seamlessly. And this works interoperably with the underlying Smarsh archiving platform. The couple of key deliverables and calls to action here, first of all, for Smarsh customers, our professional services team has a service that's called Policy Tuning. And this is allowing the Smarsh customer to be able to work with our services team to figure out how to get more from the policy set that they've defined within the platform. So, if you continue to refine and optimize that policy set so it can be more intelligent, given the changes of regulation, given the fact that people are using these new tools.

Robert Cruz: So, very useful service from our practitioners in house, that can help companies at are looking to get more from their investment in Smarsh. And finally, Elin, on Elinphant LLC, I think that the firm is providing a tremendous amount of expertise and best practices that they can share with you. Elin, I'm not sure you want to wrap it up with a couple of words on specific things that you're focused on within your practice.

Elin Cherry: No, thanks, Robert. You've done a great job. Just if you do need help with email surveillance, we do do it. And I'm happy also just to talk to you about my views, you can just give us a call. We're happy to just have a conversation just if you've got questions about what we're seeing and where we're benchmarking things.

Robert Cruz: Terrific. So, with that, let me hand it back to Davi Schmidt. And I appreciate your time, from the panelists, as well as everyone for joining today. So, let me hand it back over to Davi Schmidt.

Davi Schmidt: Awesome. Thank you all for attending today and thank you to our speakers. Please note the webinar has been recorded and the links for the recording will be sent out via email after this webinar is over. If you asked a question and we were not able to get to it, we'll have someone reach out to you directly after this webinar to make sure those questions get answered. You're welcome to send any additional questions to email at advantage@smarsh.com. Thank you again for joining us and have a great rest of your day.