
Off-Channel Communications Top 3 Considerations: Define, Capture and Oversight

by Robert Cruz


We’ve spent the better part of the last two years monitoring the industry’s response to regulatory off-channel communications enforcements. We’ve conducted one-on-one meetings, webinars and industry presentations, and written about policy and procedure adjustments, training programs and investments in capture and oversight technologies.

So, what have we learned?

  • This is not over:
    As the SEC’s Zachary Sturges noted in our recent panel at ComplianceWeek’s Financial Crime Summit in New York, “The off-channel communications issue will be with us for the next 50 years.”
  • Best practices continue to evolve:
    In a recent webinar, Helen Gugel, Partner at Ropes & Gray, noted that what started out with the SEC asking global firms to “tell us about your practices” has evolved into a much more comprehensive undertaking for a variety of firms. That undertaking includes continued engagement with independent consulting firms that will make this an ongoing process, even after firms have settled with regulators.
  • It’s about culture:
    Radical Compliance founder Matt Kelly noted in a recent webinar, “Given the statements from the US Department of Justice, the requirements to examine compliance programs can be 'exacting and onerous,' given the wide-ranging purview over surveillance programs, technologies being used, records preservation, and how firms are managing enforcement.” All of these questions will ultimately point to the presence, or absence, of a culture of compliance.

These observations raise the question of where we stand as an industry. For one indicator, we surveyed attendees across all our off-channel programs and asked how enforcement actions have changed their firm’s behavior and culture related to off-channel communications. This is how the responses broke down:

  • It has changed firm behavior – 24%
  • It remains a cost of doing business – 6%
  • Steps are being taken to demonstrate a proactive posture – 48%
  • It’s too early to tell – 14%
  • Views vary by function and business unit – 8%

So, what are the implications from an operational perspective? Amongst the many considerations to keep in mind, three fundamental questions remain:

  • How business communications are defined
  • Which employee communications should be captured and archived
  • Whose communications should be supervised and surveilled

1. Define: Redefine business communications

This question is among the most complex regulated firms face, highlighting a fundamental disconnect between regulation and technology. Nowhere is this more evident than for broker-dealers and their endless attempts to define and clarify FINRA’s “business as such” language. Firms battle between what is explicitly defined within regulation and what are reasonable practices to manage risk.

Further complicating the challenge is:

  • The blurry line between business and personal communications
  • The ever-expanding set of modalities, including voice, video, whiteboards, breakout rooms, and the use of generative AI that lacks clear regulatory guidance

In response to enforcement, we see several changes occurring in this area.

First is a more explicit definition of business-approved applications and devices, such as one that can support a BYOD mobility strategy with solutions that partition business and personal communications.

Second, we see firms focusing on behaviors and context in determining where business recordkeeping obligations apply instead of focusing on the technology, tool or application. For example, decisions about whether a whiteboard discussion should be preserved are focused on the risk and value of the content being shared and not on the tool itself. This posture is consistent with regulatory guidance, which focuses more on adherence to policy versus specific technologies.

2. Capture: Determine which employees to capture and archive

Like #1, this question is being reassessed in light of the “widespread and pervasive” language of enforcement. In the days of email, the question was straightforward: any employee with a corporate email account was subject to the firm’s retention policy and, therefore, to their communications being archived.

Today, that question is more complex. The storage cost of large data objects is a significant consideration, and firms are exploring the alternative of managing communications content in place and retrieving it on demand.

This is interesting in theory, but meeting all of the conditions of SEC 17a-4, including not impeding an off-channel regulatory sweep, will require significant testing to operationalize at scale given today’s communications data volume and variety. However, we have heard via audience surveys that roughly a third of respondents are either evaluating new archival systems or have selected or deployed modern technology to address today’s communications.

Overall, we continue to see varying archiving practices, with firms archiving 40-90% of their employee base depending on:

  • Their mix of financial products and specific regulators
  • The persistence of legacy archiving systems
  • Geographic markets served
  • Other factors

3. Oversight: Redefine the populations for supervision and surveillance

Another critical consideration of off-channel enforcement has been the “failure to follow up on red flags.” For most firms, this directly points to the processes and procedures for communications oversight across the entire employee population.

For FINRA-regulated firms, level 1 supervision policies are defined within written supervisory procedures (WSPs) for ‘associated persons.’ This population is defined within FINRA 3110 and consists primarily of broker-dealers and those carrying dual registrations.

This supervised pool continues to be 10-25% of the employee base when factoring in higher-risk individuals added to supervisory processes. Despite the ‘widespread and pervasive’ nature of off-channel communications, we have not yet seen significant changes in supervisory pools. Firms continue to manage that supervisory process by what is specifically mandated by regulation.

However, for many firms, level 2 surveillance priorities are defined by financial and other risk categories, which can happen anywhere across the firm. In this area, we have seen firms attempting to deploy solutions that could leverage captured and stored communications beyond the levels experienced for supervisory review.

The aim is to improve visibility into traditionally non-supervised staff and to avoid the time and complexity of ingesting and normalizing heterogeneous content sources on demand. As a result, we expect to see “surveilled” or “monitored” percentages continuing to grow in relation to employee count.

What do these top 3 off-channel communications considerations mean?

The widespread and pervasive nature of off-channel communications has caused firms to rethink their strategies to capture, store and provide oversight of employee communications. This challenge will live amongst us for the duration given the non-stop pace of innovation.

Firms attempting to keep pace and demonstrate a culture of compliance need to continually examine where business is being done and ensure that they have visibility into where their existing controls may be inhibiting them from following the red flags.
