Is Zoom Your Next Compliance Gap?
In the last couple of years, we’ve seen the innovation of electronic communications technology accelerate due to the fast adoption of remote work. Take, for example, the historic adoption rate of Zoom in 2020. This acceleration has uncovered a conundrum for regulated organizations: technology is outpacing regulation.
The age-old strategy of “waiting for further regulatory guidance” before embracing a new communications tool is now creating new types of business risk:
- Being left behind by competitors who are more responsive to the changing needs of their employees
- Demands from a new generation of clients
- Failure to adopt new communications tools in a compliant way
In a webinar discussion on the compliance implications of Zoom, a poll of attendees indicated that 49% of respondents allow employee use of Zoom but do not capture Zoom content or have policies governing its use.
The regulatory viewpoint
FINRA and SEC supervisory requirements apply to any communication format used for business purposes with clients (except where explicit guidance has been provided, as around social media and text messaging). However, the language in the rules is somewhat general and doesn’t name specific technologies.
Three sets of requirements apply to electronic communications for wealth management firms:
• Recordkeeping: FINRA 3110, SEC 204-2: firms retain a “true, accurate, and complete copy” of communications relating to their "business as such”
• Storage: SEC 17a-4 and FINRA 3411: records are stored immutably, demonstrating actions to ensure that records are not tampered with, written over, or accessible for deletion
• Supervision: FINRA 4511, SEC 206(4)-7: firms inspect communications of registered reps against written supervisory procedures
What’s critical is that these requirements are not explicit. The rules do not state what the policies need to be exactly; only that they must be documented and that the firm is able to demonstrate their adherence to the rules.
Take video content from now widely used platforms like Zoom. In the FINRA 2021 Priorities Exam Report, it’s noted that maintaining and implementing procedures for firms' digital communication channels should include video content protocols. It also guides firms to develop written supervisory procedures (WSPs) and controls for “live stream public appearances, scripted presentations or video blogs.”
What makes the note challenging is that it highlights what are described as “examples of best practices." So, following the letter versus the spirit of the report can be tricky.
Elin Cherry, CEO and Founder of the compliance consultant group Elinphant said on a webinar, “FINRA's made it clear that they don't expect us to record phone calls unless they've put a mandate on a specific firm for a specific reason to record phone calls. When you enter the world of video, it looks like these rules are about public appearances and fall more within advertising rules.” Elin said she hopes for a rewrite of recordkeeping and supervisory rules to reflect today’s technology, with more explicit guidance.
Best practices for addressing communications compliance
So, where should firms start in their assessment of policy decisions addressing the use of Zoom and similar platforms?
Examine risks holistically
Compliance risk is not just about not doing what the rules tell you you're supposed to be doing. Inappropriate use of a new communications tool can create regulatory, internal policy, infosec, privacy and discovery exposures — along with reputational damage. Stakeholders representing those functional perspectives should be active participants in this analysis.
Perform risk assessments
When analyzing risk, firms should review policies and procedures to ensure they remain fit for purpose given the events of 2020. We learned a lot from the events of last year. Incorporating those lessons into policies should be on everyone’s to-do list.
Consider records retention a defense strategy
Zoom is a classic example of how policy decisions to capture and retain content are not just about fulfilling an explicit regulatory obligation. The decision to capture in-meeting chat, instant messages outside of meetings and video content should be based upon how that feature is used, by whom, for what purpose and how often. Policy decisions should be made only after considering the alternative of having to resort to the manual collection of non-captured content. Manual processes can be laborious, expensive and ineffective.
Weigh over-preservation risk vs. compliance risk
Zoom and other video conferencing technology represent the next battleground between legal and compliance. Legal concern about over-preservation of Zoom content, in addition to its large data volume and review challenge, will drive some firms toward more conservative retention strategies. Compliance departments will likely have to retain more communications data and for longer periods to satisfy regulators in the event of an examination. An organization’s data retention strategy may end up being decided by whichever comes first: major litigation or a regulatory investigation where that content is material.
Update policy and technology controls to be location-agnostic
Now that many organizations are supporting remote workers, recordkeeping and supervision practices must be adaptable regardless of location. This can be viewed as an information governance challenge. Firms need to inspect policies and technology for portability and effectiveness no matter where work is happening — whether that’s on a Zoom call, at home, on a mobile device or in the office.
Use compliance systems that are built for purpose
Like all of today’s interactive, multi-modal collaboration and conferencing platforms, Zoom produces data that is contextually rich, asynchronous and full of meaningful metadata that provides context into what was discussed in a meeting. Unfortunately, most archiving, supervisory and e-discovery tools were designed only to support email and can’t preserve the complicated conversational context that’s generated today. Firms need to examine whether stuffing Zoom content into an email archive or review platform is an effective strategy, versus leveraging tools that are better suited to modern, heterogeneous content sources.
Develop and implement compliance training
The ultra-fast growth in Zoom users creates an enormous training burden. We recommend creating or re-examining training programs to reflect the way that Zoom (and other approved tools) is being used in the organization. Are only internal teams using it? Are they communicating with customers over Zoom? Which features are approved/ prohibited via policy or automated controls? Clearly define usage policies and be specific about the consequences for policy infractions happening on these digital platforms.
Zoom is just one of many communications tools that companies are now relying on to stay connected. As firms revamp compliance policies to meet regulatory standards, it’s important to future-proof systems to prepare for the inevitable emergence of new ways to communicate electronically.
Share this post!
Smarsh Blog
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Subscribe to the Smarsh Blog Digest
Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.
Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.
FOLLOW US