POST WRITTEN BY Devin Redmond
Devin is CEO of compliance startup Theta Lake, and a patent-holding multi-time founder and multi-time public company executive.
In light of the release of FINRA’s “2019 Report on Examination Findings and Observations,” it’s worth discussing the rapidly growing compliance challenges and risks for financial institutions (FIs) in their increasing use of unified communication and collaboration tools. The report states, “If a firm permits its associated persons to use a particular application — for example, an app-based messaging service or a collaboration platform — the firm must preserve records of business-related communications and supervise the activities and communications of those persons on the application.”
FINRA’s statement will be a precursor to more questions about how FIs are supervising evolving communications platforms as the world of electronic communications surveillance moves beyond text in emails or social posts and becomes about what is shared, shown, spoken and written in an integrated chat, voice and video communication.
For financial services firms, adhering to the stringent SEC, CFTC, FINRA and FCA requirements regarding the capture, retention and supervision of electronic communications is paramount. However, compliance strategists are struggling to keep pace with increasingly complex collaboration applications.
Conservative approaches apply antiquated standards of paper-based communications to electronic mediums. This approach struggles with the expansion and increasing usage of platforms that contain a multitude of collaboration features like whiteboarding, file sharing and chat that challenge conventional notions of “electronic communication.”
Although these interpretive distinctions may sound pedantic, camps of lawyers and compliance teams will cite exceptions and conjure reasons videoconferencing doesn’t present significant regulatory, compliance and information security risks around electronic communications. Those explanations range from, “We’ve never had to do it before” and “They’re not specifically called out in the regs” to “We’ll wait for the SEC, FINRA, FCA or CFTC to weigh in.”
On its face, this pushback seems fair given the cost and complexity of trying to figure out how to supervise these new tools with legacy compliance technology. Leaving aside empathy for those explanations, let’s talk about reality and the need to protect sensitive information as well as the consumer in these increasingly unsupervised communications channels that FIs are using.
The most obvious reality is that written electronic communications are all over a videoconference. Moreover, because they are so intertwined, retaining the written aspects of a videoconference per electronic communications rules essentially requires retention of the entire video.
Also, in an environment where regulations have new privacy and cybersecurity dimensions and personal accountability regimes are growing, regulators are doubling down on their scrutiny of firms that aren’t proactive and hide behind abstract justifications for permitting the use of certain tools and preventing others. This is particularly concerning if you rely on a historical interpretation of “electronic communication” only to discover you missed a bunch of obvious exchanges within a videoconferencing application that any auditor could easily find.
Digging into the first reality further, videoconferencing is second only to face-to-face meetings for creating personal connections and facilitating clarity of expression. These new platforms are second to none in terms of the amount of information that can be easily shared. What many compliance and risk teams may be ignoring is the reason the top video collaboration platforms are the top, which is that they make information sharing clear and easy. If you’re a stickler about the distinction between spoken and written communications as determinative for regulatory record-keeping purposes, you’ll likely miss risks that regulators would frown upon.
For example, there are more than a half-dozen ways written electronic communications manifest during a videoconference, including:
• In a conference chat.
• In a conference file transfer in a chat.
• In a conference collaboration space (a.k.a. virtual whiteboards).
• In a conference screen share.
• A physical whiteboard shown on camera.
• A document shown on camera.
If you restrict these features, what’s the point of investing in the collaboration platform in the first place? If you decide to use 50% of those capabilities (realistically, you should use them all), the only way to optimize compliance is to do some degree of recording, retention and review.
Given the current regulatory climate, knowingly permitting certain types of communications to occur or ignoring that they are happening is going to be massively detrimental both to your bottom line (read: fines) and the credibility of your control functions (hello, new on-site compliance monitors). During an exam or investigation, if you answer the question asking about your policy for video collaboration by saying you didn’t know you had to do anything or that you considered it out of scope, there’s an accountability regime with you in mind.
Before, the easy fallback was to say we can’t retain, capture and supervise collaboration tools at scale. However, most platforms now have the basics you need to get started, and some have integrations with partners that exist solely to solve this compliance challenge.
The bottom line is to keep regulatory intent in focus. The overarching regulatory concern is how your financial firm can monitor how representatives interact with customers to ensure they are not misled or taken advantage of. To address this concern, from my experience, you should record a subset of users periodically and review those recordings to determine how to set risk-based policies and controls. You might also want to look for technology that can more effectively and efficiently provide compliance supervision and retention at scale.
Firms need to ensure that every communication channel their representatives use has corresponding supervisory controls. If you want to hold out for a specific “video communication” record-keeping requirement, you’re missing the spirit of the regulation and, furthermore, letting technology pass you by. Don’t be that team at that firm that becomes the example of getting fined for “missing the intended plotline.”