
Supervision & surveillance: 10 tips to keep regulators and staff happy


Financial services firms have long used technology to supervise the communications and activities of employees, both to ensure compliance with regulatory requirements and to detect issues such as market abuse, mis-selling or data privacy breaches. It’s a key control for meeting regulatory obligations including MiFID II, CFTC, FINRA, IIROC and GDPR, and a standard feature of working in a regulated industry. Likewise, data loss prevention tools are commonplace across businesses to reduce the risks of data loss and exposure. All of these controls are designed to protect consumers, employees and shareholders.

Scope and purpose of supervision

Considering the scope and purpose of proposed supervision is essential and, like any supervisory activity, it should be validated by compliance, privacy or security stakeholders. Critical media reports and an investigation by the UK privacy regulator, the Information Commissioner’s Office (ICO), into a global bank’s use of software to track how employees spent their time at work reinforce this. In that instance, the bank deployed a technology platform that sent warnings to staff if they appeared to be idle on their computer desktops or spent too long on a single task. Although this case is instructive, the scenario is very different from deploying tools for security or regulatory compliance purposes and for protecting sensitive data.

“If organisations wish to monitor their employees, they should be clear about its purpose and that it brings real benefits. Organisations also need to make employees aware of the nature, extent and reasons for any monitoring”

ICO spokesperson

Supervising compliance and security risks

Employees are now using collaboration platforms like Zoom, Microsoft Teams, Webex, RingCentral, and Slack as the primary source for communications and information sharing, driven by a new remote work paradigm. Now firmly embedded, these applications are a key pillar of hybrid, work-from-anywhere and office-based workforces. Whilst their rapid adoption has kept employees connected and productive throughout the pandemic, the focus is now shifting to potential compliance and security risks created by these new ways of sharing information.
The legacy tools in place for monitoring email communications for risks such as data leakage or malware aren’t designed for the way employees communicate and share information today. Consider the dynamic nature of chat; the challenges of interpreting contextual data like emojis and reactions; the potential for risky behaviour on screen; and the ease of attaching confidential files or accidentally sharing the wrong screen with sensitive data. Oversight of modern communications, to protect employees, customers and the organisation, is therefore paramount.
Given Theta Lake’s role in detecting compliance and security risks in modern communications, supervision is a topic that is frequently discussed in our deployments with customers. It’s important to not only understand how to safeguard communications but to ensure that monitoring controls meet regulatory expectations and don’t adversely impact staff productivity and morale. Here’s what we’ve learnt:

Top tips for keeping staff and regulators happy

  1. Be transparent – establish clear policies on conduct, data privacy, security and acceptable use of communication systems. Communicate policies to employees with periodic reminders which include the purpose of monitoring and the penalties for breaching policies.
  2. Train employees – provide training so that employees understand the expectations and requirements relating to what’s being monitored including data privacy, security, conduct and adherence to regulatory obligations.
  3. Be consistent – act consistently with your policies where breaches are detected. ‘Turning a blind eye’ will create challenges in enforcing or relying on them where needed.
  4. Prioritise – take a risk-based approach. Given the volumes of communications, the potential risks are likely to outstrip the capacity of compliance teams to review everything. Focus on the risks most likely to have serious consequences in terms of customer harm or regulatory, operational, financial, reputational damage, and review a sample of the rest.
  5. Protect data – monitored communications are likely to contain sensitive data. Make sure it can be redacted across video, voice, and chat so that it’s not unnecessarily exposed further during the review process or retained unnecessarily, whilst still keeping a record for your audit trail.
  6. Act quickly – be able to respond and remediate identified issues, whether they’re deliberate or accidental. For example, remove a malware link, a file, an inappropriate comment or confidential information so the issue doesn’t perpetuate whilst it’s being dealt with.
  7. Evidence – be able to demonstrate action taken where potential breaches are identified, whether that’s seeking clarification with the employee or escalation to a compliance team.
  8. Manage the review process – set out the appropriate routing for identified risks to be escalated to. That could be the compliance team and may vary depending on factors such as role, geography or level of risk identified.
  9. Find records quickly – be able to respond quickly and comprehensively to both internal HR matters and internal audits as well as external customer complaints, GDPR and data deletion requests, regulatory reviews or legal investigations.
  10. Integrity of records – ensure that records of communications, supervision and action taken are held securely and can meet legal and regulatory obligations such as legal hold capabilities, specified retention periods or SEC Rule 17a-4 requirements.

Author

  • Stacey English

    Stacey English is Director of Regulatory Intelligence for Theta Lake. She has over 25 years’ experience in financial services regulation and technology, as a former regulator at what is now the FCA and as a risk and compliance practitioner in global banks and insurers. She formerly led Regulatory Intelligence for Thomson Reuters, providing regulatory and industry insight to financial services firms. Stacey is also a qualified accountant, a published author on conduct and accountability, and an Honorary Fellow of Cambridge Judge Business School, providing expert guidance on regulation.