Zoom is a prominent communication channel among regulated financial firms. Since the pandemic, many meetings are still taking place online via Zoom or Microsoft Teams, and firms are also using these platforms for their chat, file sharing, and phone call capabilities. This creates additional complexity, as compliance rules require ingestion, archiving, and surveillance of communications.
The shift to electronic communications has presented firms with a wave of new compliance challenges, as communications technology has moved faster than firms’ ability to meet regulatory rules. While regulatory guidance on the use of these virtual meeting platforms has been lacking, waiting for an update on Zoom compliance is too risky, particularly after the wave of regulatory fines we have seen for communications-related record keeping failures over the last 12 months. As a result, organizations may want to take matters into their own hands and create a playbook for Zoom compliance to ensure they stay ahead of any regulatory scrutiny that may come down the line.
In this blog, we look at the rules, challenges, and best practices for Zoom compliance archiving and supervision.
What do the rules say about Zoom archiving and supervision?
Supervisory requirements exist under US, EU, UK, and other financial regulations. Generally, they require firms to store and monitor any internal and external communications that have taken place for business purposes.
These rules are a critical focus area for regulators who want to know that firms are: a) complying with disclosure and record keeping requirements, and b) conducting the monitoring and surveillance required to detect potential compliance violations in an effective and timely manner.
US Zoom archiving and supervision rules
FINRA and the SEC, among other enforcement agencies, have established rules governing business communications with clients and investors. While the rules don’t tell firms exactly how they should meet the requirements, what policies to adopt, what technology they should use, or that Zoom is explicitly in scope, they clearly state that capture, storage, and communications monitoring must be carried out.
Record keeping rules state that firms must retain accurate and complete copies of all communications relating to their “business as such.” See rules: FINRA 3110 and SEC 204-2.
Archiving rules stipulate that records must be stored in a tamper-proof format for a minimum period, typically five to seven years. See rules: SEC 17a-4 and FINRA 4511.
Supervisory oversight rules state that firms must inspect communications of registered representatives against written supervisory procedures. See rules: FINRA 4511 and SEC 206(4)-7.
With these rules, it is essential to remember that while the requirements aren’t explicit about Zoom, firms must have clearly documented compliance policies for communications and must be able to demonstrate adherence to those policies.
European and UK Zoom archiving and supervision rules
In the UK and Europe, MiFID II and MAR provide the overarching regulatory frameworks for communications record keeping and supervision.
Record keeping rules under MiFID II and MAR stipulate that firms must store extensive and detailed records of transactions, documents, and communications, including telephone conversations, emails, instant messages, and meeting notes related to transactions or client orders. These must be stored for a minimum of five years in a ‘readily accessible’ medium, in a Write-Once-Read-Many (WORM) format.
Supervisory rules under MAR and MiFID II require firms to proactively identify and report suspicious activity, insider dealing, unlawful disclosure of inside information, and market manipulation.
While the rules themselves don't specifically mention Zoom compliance, FCA guidance states that firms need to factor in the use of communication platforms that have become more widely used as a result of the pandemic (such as Zoom, Teams, Skype, WhatsApp and Signal) into their internal policies and procedures.
What are the challenges with Zoom archiving and supervision?
The rules around what communications firms need to capture can be somewhat blurry, but regulators in Europe and the UK are undoubtedly much clearer than their US counterparts.
In the US, for example, voice isn’t included within the communications monitoring scope. However, in FINRA’s 2021 examination and risk monitoring report, video content is highlighted as a channel for which firms need to develop written supervisory procedures and controls, including live-streamed public appearances, scripted presentations, and video blogs. It is unclear, though, whether this refers to client communications or mainly to public appearances.
The conflicting guidance, not to mention the differing interpretations of the rules laid out by the SEC and FINRA, has made it difficult for firms to understand how to compliantly archive and supervise communications from virtual meeting platforms like Zoom.
Given this ambiguity, the best way for financial firms to demonstrate a robust and proactive compliance culture is to get ahead of regulators and capture Zoom for compliance.
What are the risks of not capturing and monitoring Zoom?
Compliance breaches can damage a firm's reputation, have severe financial implications, and even lead to criminal prosecution. At the moment, penalties for communications record keeping violations are at an all-time high. Fines range from thousands to hundreds of thousands for repeated or continued violations, up to multi-million-dollar penalties.
Most recently, US regulators fined 16 Wall Street banks a combined sum of nearly $2bn for record keeping failures related to WhatsApp and off-channel communications.
What are the best practices for Zoom Compliance?
Compliance risk is no longer just a matter of failing to do what the rules require. Today it covers much more than that and demands a proactive mindset to satisfy regulators.
To move Zoom compliance out of your blind spot and comply with communications record keeping and supervisory oversight rules, financial firms need to:
Define clearly and enforce what is permissible and prohibited
Firms must have clear policies that permit or prohibit the use of Zoom and other communication platforms. Where a channel is forbidden, the firm needs to be able to demonstrate adherence to that policy. Firms also need to be able to identify when someone has breached a compliance policy and to act, by setting out remedial actions, when particular channels or registered representatives do not comply with those policies.
If Zoom is permitted, firms must have supervisory procedures tailored to the platform, including the ability to capture the recordings, store them and carry out supervision on them. Additionally, supervision for video content needs to include transcriptions of the conversations, and thankfully Zoom has this embedded, which makes compliance monitoring easier when using the right surveillance platform.
Train internal staff on digital communications compliance
Thorough training should be offered before providing access to firm-approved digital channels and should include expectations for digital communications and guidance around permitted and prohibited channels. The lack of clarity in the current process means firms should be over-preparing their staff to stay out of the regulatory spotlight.
Zoom is just one platform financial firms use to communicate with investors, colleagues, and clients. While lockdowns may have made video communications necessary at the height of the pandemic, they have quickly become part of the new norm. Firms should therefore ensure they integrate virtual meetings like Zoom in their regulatory risk framework.
As firms review their communications compliance policies and procedures in light of the increased regulatory action in this space, they should not let Zoom remain a compliance blind spot.
This means embracing modern technology tools that enable firms to capture and monitor Zoom for compliance, which is vital for firms that want to: protect themselves against litigation and regulatory activities, reduce compliance risk, maximize operational efficiency, and reduce costs.
How can SteelEye help with Zoom Compliance?
SteelEye is the most effective compliance insurance policy you have ever taken out
The SteelEye communications surveillance platform helps firms comply with record keeping and monitoring obligations under SEC and FINRA rules in the US, and MiFID II and MAR rules in Europe and the UK. SteelEye captures electronic records and communications from a wealth of eComms, vComms, and traditional channels, and stores those records compliantly in a tamper-proof WORM format.
With SteelEye, firms can monitor, manage, and control all their compliance and communications data globally on a single platform. We also provide advanced surveillance algorithms and intelligent lexicon searches that identify early warning signs of misconduct or market manipulation while reducing false positives, so bad actors and rogue traders can be stopped before any financial crime or misconduct has taken place.
Enhanced risk detection and reduced false positives
All-in-one platform to monitor, manage and control your communications data
Data consolidation of structured and unstructured sources
Voice transcription and translations (54 languages)
Advanced call analytics and AI-driven lexicon
Real-time tracking and audit trail for demonstrable compliance
Fast record retrieval for data requests and auditing purposes
Sophisticated communications oversight technology and machine learning capabilities
Highly customizable and scalable software