In Communications Monitoring and Compliance, the Complications Keep Mounting Up
Smarsh survey shows firms are overwhelmed by volumes and struggling with policy implementation
Friday, November 22, 2019
By Ted Knutson
Financial firms' communications compliance may never have been entirely easy. But the explosion of mobile technology, social media, chat and collaboration platforms raises to new levels not just the difficulty of monitoring huge and growing volumes of messaging, but also cybersecurity and third-party-risk vulnerabilities, Smarsh points out in its 2019 Electronic Communications Compliance Survey.
It's little wonder, then, that in the communications monitoring and archiving solutions company's poll of 310 financial services industry compliance professionals in North America, 45% “are in constant catch-up mode, rather than proactive mode, when it comes to electronic communication compliance,” the recently released report says.
“Prohibition is no longer an option,” Smarsh asserts. Yet in the face of the proliferating risks, 56% have written policies prohibiting use of “encrypted and ephemeral” messaging applications such as iMessage, WhatsApp and Snapchat.
Regarding Facebook and other social channels - the subject of “wide nets” cast by regulators, Smarsh notes, and despite advances in policy creation and archiving - “surprisingly, 44% of responders still prohibit the use of social networks, even though 10-14% of their employees are still requesting use of Twitter and LinkedIn.”
The percentages with no written policy in place either allowing or prohibiting use, by network: Instagram 26%, Twitter 22%, Facebook 19%, LinkedIn 18%.
The top three perceived sources of risk are text/SMS messaging, cited by 77%; collaboration platforms such as Microsoft Teams and Slack, 36%; and encrypted messaging, 34%.
The online meeting and collaboration category is described as “yet another emerging channel that requires compliance attention.”
In an example of the cost of non-compliance, the Commodity Futures Trading Commission, in a November 22 announcement of a $3 million civil money penalty imposed on futures brokerage BGC Financial, said that BGC “lacked adequate procedures or processes in such areas as the creation, maintenance, and retention of audit trail data and failed to follow its policies and procedures regarding brokers' use of personal cell phones to conduct firm business . . . BGC's failure to supervise contributed to its other violations of its recordkeeping, reporting, and other obligations.”
“This year's survey findings show that firms are overwhelmed by the volume, variety and velocity of electronic communications channels, and their oversight practices are challenged to keep up,” said Smarsh senior director of information governance Robert Cruz.
As stated in the report, “organizations with up to 500 employees have four or fewer staff members performing supervision of electronic communications. Organizations with 500 or more employees had an average of 10 staff members doing work related to electronic communications compliance . . . Without proper technology that automates the collection, preservation and review of increasingly diverse and growing volume, variety and velocity of data, organizations won't be able to fund a hiring plan that can keep pace with their business requirements.”
The survey, Portland, Oregon-based Smarsh's ninth annual, shows that 38% struggle to balance employee privacy considerations with oversight obligations, and 30% are concerned about personal accountability associated with electronic communications compliance.
Restrictions Can Backfire
Prohibition policies are problematic for both technological and cultural reasons.
“In the past, teams would use prohibition of personal devices for work communications to cover their regulatory bases,” the report says. “Time and again, we've seen that this approach simply doesn't work. In fact, when asked about prohibited devices, 82% of responders who prohibit the use of devices for work communication felt little or no confidence they could prove adherence to their policy of prohibition.”
Risk management is made more complicated by the fact that business conversations shift quickly “from one channel to the next. An employee may start a conversation on LinkedIn, then move to email. A meeting will get booked using a meeting platform, and follow-up or a quick reminder might be sent via chat. Attempting to prohibit the dynamic nature of these conversations could cause employees to circumvent the process, introducing additional risk in doing so.”
While 56% attempt to prohibit encrypted messaging with written policies, 8% allow usage with written policies, and 37% have no written policy governing use or prohibition.
“Although it is likely that some employees will find ways around those restrictions,” the Smarsh report says, “it's important for firms to have a policy that clearly outlines whether channels are allowed or restricted.”
“New Approach Is Needed”
“If the past few years have taught us nothing else, prohibition does not work, and in fact increases a firm's risk by effectively blinding it to the activities that will inevitably take place on commonly used prohibited channels,” the report says.
Therefore, reasons Smarsh executive Cruz, “A new approach is needed to enable today's social, mobile and collaborative workforce and to meet the needs of a customer base that will only grow more tech-savvy as younger generations represent a larger portion of each firm's revenue.”
The report summarizes: “It starts with the ability to give employees the tools to communicate with customers and prospects using modern applications they want to use for conversations. IT and Compliance teams need an aligned roadmap that allows them to:
“Embrace new and dynamic communication channels responsibly with use policies and achieve efficient oversight across all channels with robust capture, archive and supervision technology.
“Empower the mobile workforce while limiting the restrictions on message and collaboration applications on mobile devices they want to use.”
Addressing compliance requirements and record retention effectively can result in business and strategic upsides.
“Business teams need to deliver more personalized customer and employee communications and experiences in order to increase loyalty, compete and grow their business,” Smarsh says. “These demands put pressure on IT and compliance teams to expand the volume and variety of services they allow the organization to use.”
One of the document's “key takeaways” is that “the archive is helping compliance move from a cost center to a value driver.” The function not only contributes to company-wide risk management “alongside other departments including IT, marketing and HR,” but firms are “also recognizing that the creation of a centralized store of communications can also function as a revenue-building asset to the business, especially as providers leverage emerging artificial intelligence/machine learning capabilities. Stored communications can contain valuable insights into the needs and preferences of prospects and clients, and can be harvested to improve social media campaigns, messaging, and to equip sales teams with additional insights into their targeted firms.”
Forty-seven percent in the survey agreed that “compliance is more than a cost/risk mitigation center; it can also contribute to top-line growth by maintaining valuable customer intelligence.” That response rose from averages of 39% in 2017 and 32% in 2018 providing use cases for archived data utilization.