Industry Insight

Vital Compliance Considerations for Collaboration Technologies

August 10, 2023by Smarsh

Subscribe to the Smarsh Blog Digest

Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Content based on the webinar: Compliance Quick Hits – Collaboration Tools in 20 Mins by Elin Cherry, CEO, Elinphant, LLC and Tiffany Magri, Regulatory Compliance Advisor, Smarsh.

In a modern, hybrid-workplace where many employees now work remotely, collaboration technologies — like Microsoft Teams, Slack, and Zoom — have become a central part of business communications. From a compliance standpoint, financial services firms must ensure such communications satisfy their books and records and supervisory obligations. Failure to meet regulatory requirements will result in penalties that can hurt the business’s finances and reputation.

collab quick hit 650x330

In our recent webinar, Compliance Quick Hits – Collaboration Tools in 20 Mins, our industry experts discussed:

  • How regulatory requirements apply to collaboration technologies
  • Spotting and addressing common compliance pitfalls
  • Best practices for implementing supervisory controls over collaboration technologies

Below is a summary of critical points from our discussion.

Regulatory requirements

The Adviser Act Rule 204-2 is the main rule that requires registered investment advisers to maintain and preserve books and records, including the many types of records that apply to collaboration technologies—like video conferencing, file sharing, and chat messaging. SEC Rule 17a-4 lays out additional requirements for how electronic records must be maintained and preserved.

Thus, when firms use collaboration tools, a key consideration is what books and records to save from a compliance standpoint. “The answer isn’t black and white about whether all video calls need to be recorded and saved as books and records,” said Elin Cherry, founder and CEO of Elinphant, a financial compliance consulting firm.

As technology evolves, so do regulators’ interpretations of what constitutes a record. A decision that may have felt relatively conservative to a firm a couple of years ago might not be a conservative decision going forward. “It’s important to continually reassess whether to broaden what the firm currently keeps as books and records,” Cherry said, “Or whether the firm needs to broaden its supervisory practices.”

Compliance pitfalls and solutions

Define business records

By their very design, collaboration technologies enable multimodal conversations and features, including email, video files, text messages and more. Because firms can use these tools in various ways, businesses must look at all the features and then define which features in the collaboration tools are business records that need to be stored.

One potential compliance pitfall of collaboration technologies is failing to define which communications need to be captured from a books and records standpoint. A business must establish these definitions to lay the groundwork for policies and practices.

Develop policies and procedures

Once upon a time, firms used to be able to write their policies and procedures more broadly. By doing so, they “didn't have to be updated quite as often, maybe just annually,” said Tiffany Magri, a senior regulatory advisor at Smarsh. That’s no longer the case. “I don't think you can get by with general policies and procedures for communication anymore,” she said.

Policies and procedures should be strategic, allowing businesses to operate efficiently while maintaining regulatory compliance to avoid disruption and fines. “I would caution, when going through policies and procedures, make sure that they are customized to each collaboration platform,” Magri added. “How are you documenting that? How are you supervising those?” The key is to understand the use of your different platforms thoroughly.

Stay apprised of new features

New features or updates are often added to these collaboration technologies unbeknownst to the firm. It’s critical to stay on top of any recent updates. Staying apprised of new features or updates can help the firm ensure it remains compliant with its obligations and avoids falling into hot water. Cherry recommended one way to achieve compliance may be to have the chief compliance officer or a key IT team member review the collaboration features regularly.

Sit back and observe

Another best practice is for the compliance officer to sit with back-office employees occasionally and ask them what features they use within the collaboration tools. Cherry advises compliance officers have employees demonstrate how they use it, and to do this with a sample of people across the firm.

Compliance officers may be surprised about what they learn. “I think you’ve got less than a perfect net if all you’re doing is sampling what’s being captured,” Cherry said.

Conduct training

When training, don’t just train the back-office employees and IT. Everyone is connected to compliance. Be sure to also train those responsible for onboarding new vendors. When a new vendor is onboarded, for example, they should know when and how to contact the compliance department to determine whether that needs to be captured from a books and records and supervisory standpoint.

Perform ongoing e-communication risk assessments

Perform ongoing e-communication risk assessments on how employees and the firm use these collaboration technologies. Magri recommended reviewing technology features quarterly rather than annually because even if certain features are turned off, they can easily be turned back on — knowingly or unknowingly — by an employee or through an application update or system error.

Also, be sure to conduct risk assessments on the technology features and how employees communicate with one another — and what’s being communicated. For example, emojis in emails and text messages have become a growing enforcement risk in recent years, opening firms up to charges from the SEC for securities law violations. Careful and thorough supervision is imperative to staying ahead of risk.

Expand the scope of oversight

If the firm has all the communications data it needs to satisfy books and records requirements, another best practice is to think about how the firm can analyze that data to identify other types of potential compliance risks that could be lurking. Taking advantage of that and thinking outside of just compliance, you can add more value to your program.

Share this post!

Smarsh
Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

Contact Us

Tell us about yourself, and we’ll be in touch right away.