Off-Channel Communications Top 3 Considerations: Define, Capture and Oversight


INSIGHT
Published
Jun 25th '24
Share
Facebook

By Robert Cruz. Vice President, Information Governance at Smarsh.

 

We’ve spent the better part of the last two years monitoring the industry’s response to regulatory off-channel communications enforcements. We’ve conducted one-on-one meetings, webinars, industry presentations and written about policy and procedure adjustments, training programs, as well as investments in capture and oversight technologies.

 

So, what have we learned?

 

  • This is not over:
    As the SEC’s Zachary Sturges noted in our recent ComplianceWeek’s Financial Crime Summit panel in New York, “The off-channel communications issue will be us for the next 50 years.”
  • Best practices continue to evolve:
    In a recent webinar, Helen Gugel, Partner at Ropes & Gray noted what started out with the SEC asking global firms to “tell us about your practices,” has evolved into a much more comprehensive undertaking for a variety of firms. That undertaking includes continued engagement with independent consulting firms that will make this an ongoing process — even after firms have settled with regulators.
  • It’s about culture:
    Radical Compliance founder Matt Kelly noted in a recent webinar, “Given the statements from the US Department of Justice, the requirements to examine compliance programs can be ‘exacting and onerous,’ given the wide-ranging purview over surveillance programs, technologies being used, records preservation, and how firms are managing enforcement.” All of these questions will ultimately point at the presence, or absence of, a culture of compliance.

 

These observations beg the question of where we stand as an industry. For one indicator, we surveyed attendees across all our off-channel programs asked how enforcement actions have changed their firm’s behavior and culture related to off-channel communications. This is how the responses broke down:

 

  • It has changed firm behavior – 24%
  • It remains a cost of doing business – 6%
  • Steps are being taken to demonstrate a proactive posture – 48%
  • It’s too early to tell – 14%
  • Views vary by function and business unit – 8%

 

So, what are the implications from an operational perspective? Amongst the many considerations to keep in mind, three fundamental questions remain:

 

  • How business communications are defined
  • Which employee communications should be captured and archived
  • Whose communications should be supervised and surveilled

 

1. Define: Redefine business communications

This question is among the most complex regulated firms face, highlighting a fundamental disconnect between regulation and technology. Nowhere is this more evident than for broker-dealers and their endless attempts to define and clarify FINRA’s “business as such” language. Firms battle between what is explicitly defined within regulation and what are reasonable practices to manage risk.

 

Further complicating the challenge is:

 

  • The blurry line between business and personal communications
  • The ever-expanding set of modalities, including voice, video, whiteboards, breakout rooms, and the use of generative AI that lacks clear regulatory guidance

 

In response to enforcement, we see several changes occurring in this area.

 

First is a more explicit definition of business-approved applications and devices, such as one that can support a BYOD mobility strategy with solutions that partition business and personal communications.

 

Second, we see firms focusing on behaviors and context in determining where business recordkeeping obligations apply instead of focusing on the technology, tool or application. For example, decisions about whether a whiteboard discussion should be preserved are focused on the risk and value of the content being shared and not on the tool itself. This posture is consistent with regulatory guidance, which focuses more on adherence to policy versus specific technologies.

 

2. Capture: Determine which employees to capture and archive

Like #1, this question is being reassessed considering the “widespread and pervasive” language of enforcement. In the days of email, the question was straightforward: any employee with a corporate email account was subject to the firm’s retention policy and, therefore, to their communications being archived.

 

Today, that question is more complex. The storage cost of large data objects is a significant consideration, and firms are exploring the alternative of managing communications content in place and retrieving it on demand.

 

This is interesting in theory, but meeting all of the conditions of SEC 17a-4, including not impeding on an off-channel regulatory sweep, will require significant testing to operationalize at scale given today’s communications data volume and variety. However, we have heard via audience surveys that roughly a third of respondents are either evaluating new archival systems or have selected or deployed modern technology to address today’s communications.

 

Overall, we continue to see varying archiving practices, with firms archiving 40-90% of their employee base depending on:

 

  • Their mix of financial products and specific regulators
  • The persistence of legacy archiving systems, geographic markets served
  • Other factors

 

3. Oversight: Redefine the populations for supervision and surveillance

Another critical consideration of off-channel enforcement has been the “failure to follow up on red flags.” For most firms, this directly points to the processes and procedures for communications oversight across the entire employee population.

 

For FINRA-regulated firms, level 1 supervision policies are defined within written supervisory procedures (WSPs) for ‘associated persons.’ This is defined within FINRA 3110, primarily consisting of broker-dealers and those carrying dual registrations.

 

This supervised pool continues to be 10-25% of the employee base when factoring in higher-risk individuals added to supervisory processes. Despite the ‘widespread and pervasive’ nature of off-channel communications, we have not yet seen significant changes in supervisory pools. Firms continue to manage that supervisory process by what is specifically mandated by regulation.

 

However, for many firms, level 2 surveillance priorities are defined by financial and other risk categories, which can happen anywhere across the firm. In this area, we have seen firms attempting to deploy solutions that could leverage captured and stored communications beyond the levels experienced for supervisory review.

 

This improves visibility into traditionally non-supervised staff and to avoid the time and complexity of ingesting and normalizing heterogeneous content sources on demand. As a result, we expect to see “surveilled” or “monitored” percentages continuing to grow in relation to employee count.

 

What do these top 3 off-channel communications considerations mean?

The widespread and pervasive nature of off-channel communications has caused firms to rethink their strategies to capture, store and provide oversight of employee communications. This challenge will live amongst us for the duration given the non-stop pace of innovation.

 

Firms attempting to keep pace and demonstrate a culture of compliance need to continually examine where business is being done, they ensure that they have visibility into where their existing controls may be inhibiting them from following the red flags.

 

FEATURED E-BOOK: Off-Channel Communications: Exploring Impact and Emerging Best Practices

 

Source & image: Smarsh

 

About the author:

Robert is Vice President, Information Governance for Smarsh. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and discovery cost and risk reduction.

 

Need A Regulatory Marketing Compliance Consultant? A Bit More About Us

 

About us

LS Consultancy are experts in Marketing and Compliance, and work with a range of firms to assist with improving their documents, processes and systems to mitigate any risk.

 

We provide a cost-effective and timely bespoke copy advice and copy development services to make sure all your advertising and campaigns are compliant, clear and suitable for their purpose.

 

Our range of innovative solutions can be tailored to suit your unique requirements, no matter whether you’re currently working from home, or are continuing to go into the office. Our services can be deployed individually or combined to form a broader solution to release your energies and focus on your clients.

 

Contact us today for a chat or send us an email to find out how we can support you in meeting your current and future challenges with confidence.

 

Explore our full range today.

 

Need A Regulatory Marketing Compliance Consultant? A Bit More About Us

 

Contact us

 

Why Not Download our FREE Brochures! Click here.

 

Call Us Today on 020 8087 2377 or send us an email.

 

FOLLOW US

Connect with us via social media and drop us a message from there. We’d love to hear from you and discuss how we can help.

 

Facebook | Instagram | LinkedIn | X (formerly Twitter) | YouTube

 

Contact us