In this blog, I present a solution matrix to the ABC framework, looking at how Policy, Procedure, and Software can help firms navigate unsupervised communication channels.
The problem with navigating unsupervised communication channels
As a recap, in my previous blog, I described the challenge in three layers, the ABC framework of unmonitored and unauthorized communications:
Adherence: The primary challenge of unmonitored & unauthorized communication channels centers around recognizing, understanding, and meeting the core rules. If the content and audience of an electronic message represent ‘business as such,’ the message is subject to the Securities Exchange Act of 1934 record keeping rules, which must be adhered to.
Blunders: Even with the best of intentions, mistakes will be made, gaps will be found, and compliance obligations will not be met. Regulators understand this and will generally not fine firms for their initial blunders, provided they see a plan for improvement, followed by an action.
Criminality: This is the sharp end of the problem. There will always be people intent on circumventing the rules for personal gain.
Strategies for Navigating Unsupervised Communication Channels
When it came to discussing solutions to the problem, the lunch and learn panelists at SIFMA described three components of the solution: policy, procedure, and software.
While most of the focus at SIFMA was on the first two points, as a software vendor, I would have liked to see more focus on software solutions. As solutions providers, it’s frustrating to read that firms are fined hundreds of millions of dollars when solutions are both available and affordable.
That said, it is important that we understand the problem from our clients' perspective: software solutions do not sit in isolation and are rarely the silver bullet that we’d like them to be. Change management in the compliance arena is complex, and policies must be updated, reviewed, and approved before solutions can be put in place. Procedures must be implemented to make policies workable and keep them current. In a world of expanding regulations and contracting margins, the cost and effort of implementing and securing change cannot be overlooked or undervalued.
The upside of having a three-layered challenge with a three-part solution is that it offers a neat three-by-three matrix to describe what we learned from the experts at SIFMA.
Adherence
Policy: Firms need to decide between permitting communication channels or banning them through policy.
Procedure: Adherence is largely about proactively opting in. Users of these channels must opt in to having their devices or accounts surveilled.
Software: There is a range of software solutions available to address unsupervised communication channels.
Blunders
Policy: Policies must be clear, complete, and regularly reviewed to avoid errors and possible compliance breaches and to ensure adequate risk coverage.
Procedure: Controls and testing are essential. A key element of procedure that was discussed is the “new business process.”
Software: Software can help firms identify errors and omissions.
Criminality
Policy: Policies should reflect what “good looks like.” Policies can lay out the repercussions of non-adherence.
Procedure: In addition to the procedures that identify gaps and mistakes, regular testing of controls and auditing of communication activity is fundamental.
Software: Rich, holistic surveillance tools can help firms identify criminality.
Some firms are "hardening" rules to exclude social messaging channels to prevent them from being used, and therefore “reducing risk.” Others are enabling new channels and implementing new policies and controls to monitor. A key factor governing the policy and solution is BYOD (Bring Your Own Device) vs. corporate devices, and privacy remains a major concern when setting policies.
Adherence is largely about proactively opting in. In order to capture non-standard communication channels, the users of these channels must opt-in to having their devices or accounts surveilled. On corporate devices, it’s easy to either lock the system down or use a mobile data management system to enable archiving across the board. However, it’s up to the user when it comes to BYOD.
The software solutions are available, and they work. SteelEye has partnered with LeapXpert, which has the most comprehensive e-communications capture solution on the market. Firms can, for example, leverage LeapXpert’s “governed” model to integrate social messaging communications into their established collaboration platform, such as Microsoft Teams or Slack. Alternatively, they can leverage the native orchestration product that allows point-to-point communications to be captured and sent to SteelEye for archiving and surveillance.
Policies must be clear, complete, and regularly reviewed to avoid errors and possible compliance breaches and to ensure adequate risk coverage. They must also be socialized appropriately to those who are affected. Periodic communication, education, and proactive attestation will keep the policy fresh in employees' minds.
Controls and testing are essential. A key element of procedure that was discussed is the “new business process.” There is a risk that new business solutions include a messaging component. If compliance is not included in the new business or new product approval process, there’s a risk that new messaging platforms will slip through the cracks.
How do you build solutions to identify errors and omissions? Surveillance, and integrated surveillance in particular, can help. Looking for evidence of channel switching might identify a communication that is taking place offline. Correlating trading activity with communications is valuable, and gaps in the data might be an indication of offline communications taking place.
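The two checks described above, sketched as an added example (this is not SteelEye's or LeapXpert's code). The record layout, the phrase list, and the 60-minute look-back window are all assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed phrases hinting that a conversation is moving to an uncaptured channel.
SWITCH_RE = re.compile(
    r"\b(whats?app|signal|telegram|wechat|text me|call my (cell|mobile)|"
    r"take (this|it) offline|personal (phone|email))\b",
    re.IGNORECASE,
)

# Constructed sample archive records: (timestamp, user, channel, text)
MESSAGES = [
    ("2024-03-04T09:02", "alice", "teams", "Client wants 5k XYZ, working it now"),
    ("2024-03-04T09:40", "bob", "email", "Let's take this offline, ping me on WhatsApp"),
    ("2024-03-04T13:15", "alice", "teams", "Lunch?"),
]

# Constructed sample trade records: (timestamp, trader, order_id)
TRADES = [
    ("2024-03-04T09:10", "alice", "T-1"),
    ("2024-03-04T10:05", "bob", "T-2"),
    ("2024-03-04T15:30", "alice", "T-3"),
]


def review_queue(trades, messages, window=timedelta(minutes=60)):
    """Map order id -> reasons a reviewer should look at the trade.

    no_captured_comms:   the trader has no archived message in the window
                         before the trade (a gap in the data).
    channel_switch_hint: a message in that window suggests moving to
                         another channel.
    """
    queue = {}
    for ts, trader, order_id in trades:
        traded_at = datetime.fromisoformat(ts)
        recent = [
            text
            for m_ts, user, _channel, text in messages
            if user == trader
            and traded_at - window <= datetime.fromisoformat(m_ts) <= traded_at
        ]
        reasons = []
        if not recent:
            reasons.append("no_captured_comms")
        if any(SWITCH_RE.search(text) for text in recent):
            reasons.append("channel_switch_hint")
        if reasons:
            queue[order_id] = reasons
    return queue
```

Both signals only prioritize items for human review: a quiet hour before a trade or a mention of a messaging app is not evidence of a breach by itself.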
Policies should reflect what “good looks like.” However, there will always be those intent on circumventing the rules. Policies can lay out the repercussions of non-adherence, and strict enforcement is necessary to prevent bad behavior from taking root.
In addition to the policies and procedures designed to identify gaps and mistakes, regular testing of controls and auditing of communication activity is fundamental to protecting the franchise from bad actors.
Rich, holistic surveillance tools are available and growing in importance. It’s no longer sufficient to surveil communications and trading activity independently. By putting these two streams together, along with central compliance controls such as personal account dealing, compliance attestation, and HR records, compliance officers will have the best chance of identifying the anomalies and changes in behavioral patterns that might be the canary in the coal mine for something more nefarious and impactful.
In order to manage compliance risks adequately, compliance teams must continue to frequently review their firms' risk assessments and adjust controls to manage any new risks so that new communication channels or areas of risk are addressed in a timely manner and before a compliance breach occurs.
All said, SIFMA C&L was a great event, and I was pleased to have chosen the unmonitored & unauthorized communication channels break-out session to sit in on. I learned a great deal about how our prospects and customers see the challenges ahead of them, ultimately helping me to position SteelEye as a key contributor to the full solution.