Off-Channel Communications: Where Do You Stand?

August 16, 2024 by Robert Cruz

We’ve spent the better part of two years tracking the status of regulatory action related to off-channel communications and continue to be left in search of industry best practices (in fact, we are still working on defining ‘good’ and ‘better’ before contemplating ‘best’).

Further, we’ve yet to find a way to use regulatory settlement actions to conclude:

  • How firms can assess where they are today
  • How they can identify and prioritize gaps that need to be filled
  • How to balance policy, procedure, training, and technology investments

Independent Consultants (ICCs) have done great work, but the absence of explicit regulatory guidance about topics such as BYOD vs. corporate-owned devices, whether to support the use of WhatsApp, and whether to allow transcripts and break-out rooms has left us looking for answers that ‘regulation by enforcement’ rarely offers.

For these reasons, Smarsh has developed a simple Off-Channel Risk Assessment Tool to allow firms to gain insight into where they are today and put plans into motion for the future. The checklist covers four primary areas:

  • Historical analysis: Assesses to what extent the off-channel topic is “widespread and pervasive”

  • Policies and procedures: Explores how well defined off-channel is within policy documentation

  • Employee training: Looks at how well training programs are testing for institutionalization of key lessons

  • Technology and automated controls: Examines the extent of automation of policy controls

Below, we’ll touch briefly on each category, and what the scores in that category represent.

Historical analysis

This category examines how well understood the off-channel topic is internally and what actions firms have taken to determine its pervasiveness. While most firms are now aware, few have conducted extensive historical analysis of communications, for fear of what may be uncovered.

In most cases, off-channel has become familiar either because it was the subject of previous regulatory, litigation, or investigation activity, or simply because it may have been prevalent due to the firm’s culture. The highest risk scores here represent firms that have had direct experience with the topic yet continue to rely upon ad-hoc and informal methods to assess its pervasiveness – which is highly likely to be flagged by regulators.

Policies and procedures

This category explores the sufficiency of written documentation and process controls that firms have implemented. It also explores the operationalization of governance programs to evaluate tools and the specificity of policy and oversight programs to be tuned to off-channel. Firms with high-risk scores are overdue for policy refreshes, and a shift toward ongoing, proactive inspection of those policies as the topic continues to evolve.

Employee training

Training also looks at the specificity, frequency and integration of off-channel behaviors the firm seeks to reinforce. Simply conducting a training class on the topic is insufficient. The lowest risk scores reflect programs that test, audit, and integrate attestation to ensure employees know what to do when confronted with an off-channel scenario.

Technology and automated controls

Technology and automated controls are a broad category, reflecting the variety of communications formats and the recognition that not all automated controls are created equal. The use of purpose-built automated mechanisms to capture, store, and provide oversight for all supported communications tools receives the lowest risk scores and provides the foundation to ensure that those controls can be inspected and updated over time as communications functionality, methods of access, and vendor practices continue to evolve.

What to do next

Scores within the high-risk categories send a loud signal, and those gaps should be remediated with the help of communications compliance experts along with those who are skilled in building training programs and revising policies and procedures. It is also important to dig into any individual high scores in the Technology and Automated Control category, as regulators are likely to ask why your firm has yet to invest in readily available technology solutions in clear areas of deficiency.

The long-term goal of aligning the communications tools your business is using with your existing automated controls is difficult to reach, but showing a pattern of decreasing the size of compliance gaps is the message that comes through clearly in smaller regulatory settlements.

This assessment also provides an opportunity to re-engage with Smarsh and our partners as we gather additional information from the industry, regulators, and major advocacy organizations, begin to establish benchmarks, and define the elusive set of best practices for addressing off-channel communications risks that we can share with your compliance and executive management teams.
