The SEC spent the second half of 2022 issuing a series of very large enforcement actions against financial services firms over unapproved communications tools. Most of these actions result from record-keeping violations. Broker-dealers and investment advisors used unapproved tools that prevented companies from capturing and storing business communications.
The enforcement action sent a huge message that the SEC is focused on digital communications. Growing regulatory interest in digital communications in the financial services industry could signal what happens to other financial segments and regulated industries such as insurance, energy, utilities and pharmaceuticals.
Learn how to turn regulatory mandates into proactive risk management.
While they may not face the same amount of scrutiny and rigor as organizations with employees in the securities markets, organizations in other regulated industries do have records that require them to keep business records. have a duty to manage. For these companies, the line between personal and business can become much more blurred, creating a range of thorny issues around personal data privacy.
Nonetheless, there are some key points that all businesses should learn.
1. Gain visibility into the tools your employees use to conduct business
Recent regulatory actions are not about WhatsApp or mobile devices. These demonstrate that compliance and governance practices must keep pace with how employees and clients communicate.
The business benefits of using new communication tools should not be lost in regulatory headlines. All businesses must find their way to new clients (and employees) who are digital natives and demand to use familiar and accessible tools.
First, companies should assess their existing governance processes to support new tools and re-evaluate the ROI of existing tools.
-
- Do your clients want to get in touch with you via text message?
-
- Are you more likely to engage on LinkedIn?
-
- Do you really need to support three different conferencing solutions?
Recent events provide good reason to consider these individual business cases.
2. Risk can take many shapes and forms
The compliance gap is the difference between the tools companies actually use and their current breadth of compliance and governance controls. All companies always have some form of compliance gap.
What businesses should consider now are the potential negative impacts of these gaps, which go far beyond potential regulatory compliance issues. Consider the following recent events.
-
- Court imposes adverse inference sanctions for failure to preserve marketing video and relevant social engagement data in copyright disputes
-
- Twitter and Netflix explaining why Slack has become a prime destination for office meltdowns
-
- An email anti-spam provider sues a retired employee for downloading trade secrets to a USB drive, personal email account
As part of efforts to strengthen governance advice, companies should ensure that initial assessments of the benefits and risks of new technologies include a full picture of risks. These assessments should include the active participation of personnel who can assess regulatory, intellectual property, security, privacy, and disclosure risks.
Understanding the functionality, existence, and availability of unsupported versions of tools, and identifying alternatives to prohibited tools should all be incorporated into policy analysis.
3. Revisit the definition of “business record”
Gone are the days when business records were easily identified and tagged by a certified records manager, confined to email, or securely managed within an enterprise content management system. The value and risk of information are everywhere in a sea of diverse data sources that are growing at enormous rates.
The proliferation of mobile, social, voice, video, and AI-enabled collaborative content has increased the importance of retention policies. Long-standing concerns about over-retention have always been a point of contention. However, the highly scalable public cloud option overcomes most of the technical limitations of storing more data long-term on older premises.
Storage costs and fast retrieval of retained records should be weighed against one top priority. The time, cost, risk, and uncertainty of relying on alternative approaches to collecting records on demand.
Each communication tool is different, with its own syntax, nomenclature, and access methods (API-based or otherwise). Businesses now face the additional risk that some of their contextual information may:
-
- Uncollectible
-
- Has changed since the last check
-
- Limited lookback period for searches – or lack of understanding or processes by content source providers to meet record, discovery, regulatory or other obligations
The recent WhatsApp fines are a perfect example of the trade-off between aggressive retention strategies and reactive collection strategies.
4. Maintain the integrity of these communications
Beyond retention decisions, the storage and playback of multimodal social and collaborative content is also heavily influenced by technology choices. With the variety of technology vendors available, requesting a meeting recording, discovery, or investigation can be easy or near impossible.
Most companies share some idea of the need to keep a “complete and accurate” historical record and the discovery obligation to keep all materials that may be relevant to the litigation. The ability to decipher context from multimodal tools that may include likes, shares, edited content, emojis, and recent attachments is essential to meeting these obligations.
Businesses need to stay abreast of market trends to inform decisions about moving away from legacy e-mail and document-centric solutions. Nearly all eDiscovery, archiving, and compliance tools are desperate to rebuild their solutions to understand and play back today’s collaborative content.
5. Widen the circle of supervision and oversight
Companies with regulated employees have a first-mover advantage because they have processes in place to oversee employee communications and meet clear regulatory requirements. Most organizations update their policies and lexicons to identify off-network or location change activity and identify potential violations. We are also expanding our use of natural language processing-based solutions to help identify the use of other prohibited tools hidden within authorized network communications.
Organizations other than wealth management can benefit from that experience. Surveillance workflows can be leveraged to periodically inspect stored communications for possible red flags. We also have proven models that can inspect instances of WhatsApp, WeChat, Signal, Discord, Mastodon, or any tool that your risk management team needs to get more visibility into employee behavior.
Final thoughts
Investments in policies, training, and technology are the pillars of parity for off-channel management and provide a good foundation for protecting your company from employee misconduct. Recent regulatory actions have further cemented the importance of that investment. Leverage all available resources to help close the communication compliance gap.
