Regulators around the globe require financial services firms to capture and store emails and other forms of electronic communications, often referred to as eComms, as well as phone conversations or vComms. This data is used by regulators and by regulated financial firms themselves to investigate potential financial crime, including various forms of market abuse. This protects not only the financial firm but also their clients and their overall business reputation.
In general, record keeping regulations require firms to:
Store communications data for a fixed period of time in a secure environment. This typically needs to be in an immutable, tamper-proof, Write Once, Read Many (WORM) format.
Ensure the data is easily retrievable and searchable so it can be reported on in a timely fashion. Some regulators have implemented a timeframe within which firms need to be able to retrieve relevant records if requested, often referred to as a Trade Reconstruction request.
Timestamp all records so they can be lined up on a timeline.
Communications archiving requirements tend to be very detailed, and more than one set of rules may apply, which can make compliance challenging for financial services firms. This blog explores why eComms and vComms archiving is important, some of the key issues firms face around Comms archiving, and some best practices for getting record keeping right.
Financial services firms need to play their role in the fight against financial crime and market abuse – this is both an ethical obligation and for most firms, a regulatory requirement.
Compliance requirements including Dodd-Frank, MiFID II and MAR require firms to proactively monitor their operations to detect suspicious behaviour, activity and whether someone has acted illegally. The information contained in communications is vital for doing this, which is why the regulations impose rules on capturing and storing this data. And if firms do not do this, the implications can be severe. Enforcement action can lead to financial risk in terms of fines, but also the operational risk of suspensions and reputational damage if it is revealed that a firm is not meeting its obligations.
In September 2020, the US Securities and Exchange Commission (SEC) fined a broker-dealer $100,000 for failing to retain text messages.
In November 2020, Mizuho Securities was fined $40,000 by FINRA for failing to archive the electronic communications of several members of its senior management team for several years.
In the UK, the FCA reinforced its expectations for communications capture and archiving in its recent Market Watch 66 newsletter, signalling an end to temporary leniency in this area as a result of the COVID pandemic. When Covid first hit, the FCA and other regulators recognised that many firms would initially struggle to capture communications in a remote working environment. However, this leniency is now over, and financial firms can expect the regulator to be looking closely at this area in future examinations.
The rules about capturing and archiving emails, calls and mobile communications can be complex and vary significantly by jurisdiction. In the US and Europe, nearly all financial services firms have some form of requirement to retain communications for certain employee roles.
SEC 17a (3, 4) – This rule applies to individuals who trade securities as a broker or dealer, and people associated with the business. It requires brokers and dealers to preserve email records for six years.
NASD Rule 3110 & NYSE Rule 440 – These rules require brokers and dealers to retain all electronic records and correspondence between the organisation and its customers for six years.
FINRA Rule 4500 – Requires retention of communications with the public for three years, alongside other record-related rules.
Investment Advisors Act – Investment managers and advisors must archive their electronic correspondence for a minimum of five years.
Sarbanes-Oxley Act – This legislation, passed in the wake of the 2008 Financial Crisis, requires that publicly-listed companies retain electronic records, audit work papers and correspondence for seven years.
Gramm-Leach-Bliley Act – This legislation focuses on customer data protection and requires the retention of electronic communications and records for six years.
European Union and the United Kingdom:
Market Abuse Regulation – Implemented in 2016, this EU regulation requires firms to capture, archive and monitor communications (among other data) and report any suspicious activity to a National Competent Authority (NCA). This regulation continues to apply in the UK post-Brexit.
Markets in Financial Instruments Directive II (MiFID II) – All eComms (and other data) made by regulated firms in the EU must be archived for a minimum of five to seven years. For now, these rules continue to apply to firms operating in the UK, even after Brexit.
At a basic level, firms need to capture and archive communications made on landlines and mobile phones, for both eComms and vComms. This includes a wide range of communication types, such as WhatsApp, Facebook, LinkedIn, and Signal if these are used by regulated employees. Over recent years, these modern communications platforms have become increasingly popular ways of engaging with clients. Driving this is the growing use of these platforms by the general public – clients often wish to use these methods to communicate professionally.
If firms are unable to capture communications on these platforms, they need to have clear policies prohibiting their use. However, for competitive reasons, many firms are now choosing to broaden the communications channels that their employees can use within their compliance framework. For example, permitting the use of some communications channels can enhance employee engagement with clients and consequently help increase productivity.
Financial services firms face several challenges around capturing and archiving eComms and vComms, including:
Data capture and normalisation – Firms need to capture text and voice data across a wide range of traditional channels, social media, and messaging platforms. Normalising this data is a big challenge due to the varying fields and data formats. For example, voice calls have a completely different structure to Bloomberg chat or WhatsApp. Figuring out how to align this so that you can see all calls, WhatsApp messages and emails by individual people or teams is a big challenge. This requires an in-depth understanding of how the different data formats overlap and where they are different. Most solutions today are built for specific compliance challenges and fail to consider how to bring together vast volumes of unstructured information.
Data volumes – The amount of data that needs to be captured and stored continues to grow as trade volumes, number of communications platforms, and regulatory requirements increase. The ability to gather all this data in one place is a significant challenge which is why many firms have ended up with a plethora of different record keeping archives for different data types. However, if the data is scattered, it is difficult to use, analyse and report on.
Remote working – As a result of the pandemic, more employees are working from remote locations than ever before. This situation has challenged firms to ensure that they have complete oversight over the working from home environment. While there were temporary measures in place when the Covid-19 pandemic first hit to help firms adjust to remote working, regulators are now insisting that all conversations are captured.
Bring your own device (BYOD) – There is a growing trend for BYOD which is bringing its own challenges in terms of how to separate corporate and personal data and access controls.
Search – Compliance teams need to be able to effectively search the unstructured data within emails and voice call transcripts, to find communications connected to cases quickly and easily. Without the right technology in place to search and retrieve data easily, processes often end up being both manual and time-consuming.
Regulatory change – New data protection and data privacy rules are regularly being implemented across the globe. Emails, voice calls, and other communications can contain sensitive data. Firms need to ensure data is protected when it is archived, so that they meet the data protection regulations in their jurisdictions, such as GDPR. Also, the regulatory landscape is becoming increasingly complex as regulators review and amend regulations around the capture, storage, and retrieval of emerging communications formats, meaning that firms need to ensure they can meet their obligations today and tomorrow.
Bring communications capture and archiving under one umbrella
The new era of remote working requires firms to capture electronic communications from several locations and on different types of channels. On top of this, firms need to monitor this data and be able to demonstrate that policies are being adhered to. However, when firms store different communications channels separately, this becomes increasingly challenging to do. By bringing communications under a single monitoring platform, firms can easily manage, oversee and control all their communications data, speed up their investigation times and improve operational efficiency.
A focus on data
As with most compliance requirements, data is imperative for a successful programme. To effectively manage eComms record keeping requirements, firms need to ensure they can ingest and normalise communications data from a wealth of platforms and channels. This is no small feat, but possible when firms take a data-centric approach to compliance.
With growing data volumes and varying formats, the key is to work with technology that can ingest data in any format, that can also capture new channels and sources quickly.
There are additional benefits of this kind of approach, too. By taking a more strategic and data-driven approach to meeting regulatory obligations, firms can use the same data to power almost all compliance processes – simplifying operations and increasing data integrity. This also means a firm’s data storage requirements are optimised and costs kept as low as possible.
Taking advantage of the cloud
While some financial firms remain hesitant about cloud-based systems, the Cloud can offer significant benefits when it comes to storage scalability, efficiency and data management. Today, regulatory audits can require firms to retrieve certain pieces of data within as little as a 72-hour period. Cloud-based archiving systems are equipped with advanced search capabilities which allow firms to search through thousands of communications in a matter of seconds and quickly respond to these requests.
Firms need to archive eComms and vComms for several years but simultaneously communications archiving needs to be able to grow and adjust to unpredictable circumstances. It is therefore necessary for firms to have scalable storage capacity which the Cloud is well equipped to deliver.
Clear communications capture strategy
Another key part of the eComms record keeping puzzle is having a clear compliance communications strategy in terms of the channels a firm wants to capture and the ones which are not allowed. For the prohibited channels, it is crucial for firms to advise their employees by having written supervisory procedures in place that set out which communications types are allowed and which are not. This allows them to ensure they have the right technology in place to accurately capture the required eComms and vComms records while also monitoring for the use of prohibited channels.
Communications archiving is essential, but with a huge number of eComms and vComms channels used today, it has become more challenging than ever before. By bringing all communications together, firms can meet their regulatory obligations more effectively and efficiently. Beyond that, by unifying and validating their financial and regulatory information on a single platform, clients turn their data into an asset that can be leveraged beyond compliance, for enhanced data analysis, visualisation, and reporting.
Firms need to think strategically about how to capture eComms channels, but also look at archiving as an opportunity to go a step further. Deep data insights into their business performance could allow firms to better understand their strengths and weaknesses, set up a clear business strategy, and improve efficiency and productivity.