Compliance Gaps in a Time of Business Disruption
How did we get here?
Business communications changed dramatically at the turn of the century with the social media revolution and the introduction of the smartphone. Before long, personal devices began to replace corporate-issued BlackBerrys while desktop computers made way for portable laptops. And while email and instant messaging continued as the primary modes of electronic communications, consumer platforms like Twitter, Facebook and LinkedIn began to find their way into the office.
These challenges quickly began to overwhelm compliance teams. At the time, we wanted to better understand these challenges so we could help serve the industry with useful, modern solutions. So began the journey of our annual compliance survey, now in its tenth year.
The results of these surveys have been invaluable to our understanding of the industry, helping shape our innovations over the last decade to meet the changing landscape of electronic communications compliance. Our customers have given us a unique vantage point into their world and what they’re facing when it comes to new technology, regulatory changes and an increasingly mobile business environment. They’ve given us thought-provoking information about:
- Current trends in electronic communications
- The communications tools employees are using or asking to use
- The types of communications requested in examinations
- Top-of-mind concerns about risk
The number and variety of electronic communications tools introduced in the last decade have been astronomical. With those tools came major increases in the volume and variety of data to be collected, stored and reviewed. Regulators' expectations that financial services firms supervise employees escalated along the way.
As we look back on the last ten years of surveys, we’ve noticed that, while many things have changed, one challenge persists: compliance and IT professionals must stay ahead of new communication channels to enable productivity and manage risk.
The year of operational disruption and transformation: 2020
In 2020, electronic communication became the foundation of the business world. Applications such as Microsoft Teams, Slack, Zoom, Webex Teams and others saw record-breaking adoption numbers. These modern tools are designed for mobile utility as well, so conversations now travel from phone to tablet to computer and back again.
For regulated financial services firms, this wasn’t a simple shift. Employees and clients put pressure on these organizations to enable technology so they could stay connected and productive. But the governance and rollout of new communications tools had not yet been adequately addressed. Compliance teams did not have the time to develop and implement policies for collaboration, conferencing and mobile platforms, revealing compliance gaps that expose them to damaging regulatory violations and legal risks.
Our survey data exposes significant gaps between the communications channels firms have allowed for business use and the retention and oversight of those channels required to meet compliance obligations and manage risk.
Cybersecurity is a top priority
Broad shifts to remote work have introduced a range of new or enhanced risks for financial firms. Cybersecurity risks ranked highest among the risks introduced by the WFH mandate for most respondents.
Top risks introduced by WFH:
- Ransomware/phishing: 44%
- Unsecured home networks: 43%
- Unauthorized home computers & mobile devices: 30%
- Out-of-date security updates: 21%
- Communication tools deployed before policy controls: 18%
- Free downloads and unauthorized apps: 13%
In FINRA’s 2021 examination and risk monitoring report, new electronic communications tools were identified as a principal operational risk that broker-dealers will face. Regulators expect to see firms developing policies, programs and controls around the use of new communication technology and devices.
Education and guidelines for acceptable and prohibited tools are critical, especially as the lines between personal and business continue to blur. Financial services organizations can protect their firms from evolving cyber threats by fully vetting the applications and platforms employees are using and monitoring communications for potential data loss and misuse of personally identifiable information.
Collaboration and conferencing tools are business-critical
Conferencing and collaboration solutions have become essential tools for business continuity, but their potential compliance risk is evolving and perhaps not completely understood.
As business shifted to remote work, firms needed immediate solutions for communication. Enter conferencing and collaboration platforms. Typically, firms would consider these platforms and their compliance implications before rolling them out. Instead, many firms are playing compliance catch-up. This is indicated by the gap between the tools being used and the tools for which those same organizations have an archiving system in place.
These dynamic electronic communications platforms provide a combination of the best of other tools — email, file sharing, video calls, chats, likes, comments, etc. Calling them conferencing and collaboration solutions doesn’t quite capture their multi-modal nature.
Firms adopted technologies very quickly when they didn't necessarily have a full understanding of what the technology involves, and what it's capable of doing. And they haven't always developed procedures for how they're going to be supervised.
More than half (51%) of respondents started using meeting solutions such as Zoom and Webex – or added seats or functionality – because of work-from-home mandates.
Mobile remains a compliance conundrum
Mobile devices have become essential for maintaining business continuity in our always-on world. However, of those surveyed, 40% lack confidence in their ability to capture business communications sent and received on mobile devices.
More than half (51%) of respondents view SMS/text messaging as a top source of compliance risk, and by a large margin. At the same time, text messaging has consistently ranked over the years as the channel employees most often request to use.
An emerging mobile compliance issue has been encrypted applications like WhatsApp and WeChat, highly popular communications tools used worldwide and yet the most widely prohibited among survey respondents. Encrypted applications were not even in the top 10 most requested by employees in 2018 or 2019 but were tied for second among the most requested channels in 2020.
Unfortunately, prohibition policies may be hindering compliance rather than helping it. If employees continue to use these applications, those communications aren’t being captured and supervised, and assuring adherence to the rules will be almost impossible.
Every application used for business communications is being used on mobile devices. Regulated firms must consider mobile as the norm and get ahead of any compliance issues by developing explicit mobile device and communications policies for workers and enabling appropriate technology to archive and supervise communications content.
How to manage regulatory expectations
New communication tools are consistently entering the workplace. The fragmentation of electronic communications and the increase in communications to be monitored and reviewed will only continue.
Regulators want to see that firms can capture and archive all electronic communications so they can be supervised and produced for an exam. They expect firms to develop and fine-tune realistic policies for the use of electronic communications instead of relying on the prohibition of tools that employees are likely to use.
We recommend taking a close look at how your employees are communicating with clients and each other, so you can develop policies and procedures and adopt technology to capture and monitor those activities for compliance — no matter where business is taking place.
From a discussion on the 2020 Risk & Compliance Survey with Robert Cruz, Mimi LeGaye and Steve Marsh.