With the fast adoption of evolving technology across industries, the surface area of risk continues to grow rapidly. And, while firms in the financial industry must be ready to adapt to meet customers on the channels they prefer to communicate with, they also need to remain compliant with their recordkeeping and supervision obligations.
Regardless of the firm’s size, having the proper safeguards in place is crucial. It only takes one employee’s actions to pose significant risks — especially when it comes to the use of off-channel communications.
Off-channel communications refer to any form of communication not carried out on a company’s approved communication channels.
Given the 2023 examination priorities from both the Financial Industry Regulatory Authority (FINRA) and the US Securities and Exchange Commission (SEC), and recent enforcement actions from the SEC, FINRA and CFTC, the regulatory focus on off-channel communications is clear. Small firms and RIAs should expect the same regulatory scrutiny larger organizations have faced in recent months and must remain hyper-focused on their recordkeeping. Off-channel communications that are not captured and preserved leave the firm unable to meet its responsibility to reasonably supervise employees’ electronic communications. Also, off-channel communications cannot be reviewed during an audit or examination, making it more difficult to identify bad actors and penalize policy violations.
Firms must be prepared — as soon as possible — to demonstrate an effective and robust recordkeeping program that includes a careful review of policies and how those policies are implemented.
The risks of off-channel communications
Off-channel communications pose a significant risk for financial firms. Employees may use these channels to circumvent the firm’s compliance measures or policies or to engage in other unwanted activities. Prohibition policies alone are not enough. If employees are communicating with clients on prohibited channels, those firms are at risk for regulatory violations and fines.
As an example, suppose an employee uses their personal email to share confidential client information, and the email account is hacked. In that case, the firm will be held responsible for the breach, even if it had no knowledge of the off-channel communication. Moreover, firms are still responsible even if the employee had no ill intentions while sharing the confidential client information.
Off-channel communications pose several real risks for firms, including:
- Non-compliance: FINRA noted that off-channel communications fall under the firms’ books and recordkeeping obligations laid out in the SEC’s Exchange Act Rule 17a-4. FINRA advised that it will focus on firms’ supervisory procedures governing off-channel communications, including what steps are taken to address issues, what technologies are used to ensure employees can communicate in a compliant manner, whether all appropriate personnel are provided the technology, and the quality of the training programs in place.
- Loss of control: Off-channel communications can be difficult to monitor, control, or retrieve. This lack of control can lead to the loss of critical business information, intellectual property, or confidential client data.
- Reputation damage: A single inappropriate off-channel communication can damage the reputation of the firm. This damage can be compounded if the communication is shared publicly via social media.
Managing off-channel communications
To effectively manage off-channel communications, firms must ensure that they have the right policies and procedures, training, and tools to capture, preserve and supervise communications properly. The regulations governing business communications vary depending on the type of financial service offered, the location of the firm, and the types of clients served.
FINRA Rule 3110 requires firms to establish and maintain a supervisory system that is reasonably designed to achieve compliance with applicable securities laws and regulations. FINRA also requires firms to establish procedures for the review of incoming and outgoing written (including electronic) correspondence with the public.
Here are some strategies that firms can use to manage these risks:
- Establish clear policies and guidelines: A firm’s policies should clearly state what is and is not allowed, which channels are acceptable, how communication should be secured and monitored, who is responsible for these procedures, and the consequences of violations.
- Train employees: Employees should receive thorough training on the firm’s data security and privacy policies — including which channels are sanctioned for use.
- Monitor approved communication channels: Firms should conduct ongoing and comprehensive monitoring of all sanctioned communication channels for compliance and data security.
- Monitor for unapproved communication channels: Firms need to check in regularly to ensure employees are not using unsanctioned channels and that they understand why not to use off-channel communications. Firms should also document how they plan to monitor for off-channel communications and be able to provide evidence of that review.
- Conduct regular supervisory reviews: Regular reviews can help a firm identify and address risks associated with off-channel communications. This should include a review of policies and guidelines, training, communication tools, and monitoring practices.
While larger firms have made headlines, smaller firms also need to be mindful of off-channel communications. The failure to comply with regulations can be far more devastating for smaller firms. Unlike their larger counterparts, they often lack the resources and expertise to effectively manage these channels, making them more vulnerable to risks. Moreover, it’s not as easy for smaller firms to absorb large-scale fines for violations.
The bottom line: regulators will penalize all offenders — big and small. Now is the time to be proactive in addressing these issues.
Smarsh® is the recognized global leader in electronic communications archiving solutions for regulated organizations. Smarsh provides innovative capture, archiving, e-discovery, and supervision solutions across the industry’s widest breadth of communication channels.
Scalable for organizations of all sizes, the Smarsh platform provides customers with compliance built on confidence. It enables them to strategically future-proof as new communication channels are adopted, and to realize more insight and value from the data in their archive. Customers strengthen their compliance and e-discovery initiatives and benefit from the productive use of email, social media, mobile/text messaging, instant messaging and collaboration, web, and voice channels.
Smarsh serves a global client base that spans the top banks in North America and Europe, along with leading brokerage firms, insurers, and registered investment advisors. Smarsh also enables state and local government agencies to meet their public records and e-discovery requirements. For more information, visit www.smarsh.com.