Published on Thomson Reuters 14-Dec-2022. By Stacey English, Theta Lake
Theta Lake’s fourth annual survey highlights the growing challenges financial services firms face in managing compliance, security and data privacy risks across their use of modern unified communications (UC).
The findings from more than 500 compliance and security practitioners who took part in the independent study reveal how heavily regulated organisations across the United States, UK and Canada are using tools to communicate, the approaches they are taking to manage compliance and the biggest risks they need to address.
Modern UC tools, which include video meetings, mobile messaging, whiteboards, project tools, cloud voice, chat and workstream collaboration tools, have become a critical part of firms’ communications infrastructure. Platforms such as Slack, Zoom, RingCentral, Microsoft Teams and Webex by Cisco, as well as consumer apps such as WhatsApp, are powering the work-from-anywhere era. History has shown, however, that mistakes, breaches and data exposure happen when people communicate and share information digitally.
Growing lack of visibility into communications in the hybrid workplace
Managing compliance and security risks across rich, dynamic communications is proving all the more difficult because legacy supervision and archiving approaches, built for email, cannot keep pace, and their limitations now pose real risks and challenges to businesses.
Set against a backdrop of more than $2 billion in fines levied by the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) for failures to capture, retain and supervise communications via WhatsApp, SMS, chat and mobile messaging, the survey findings underscore how a lack of visibility and oversight remains one of the biggest risks for firms. Given the continuing regulatory scrutiny, the report findings highlight the importance of supporting the communication channels that employees and customers use for critical business, and the modern technologies required to enable their compliant use.
Key findings
Unmonitored communication channels remain the biggest risk
The survey found that two-thirds (66%) of respondents believe employees in their organisations are using unmonitored communications channels, posing heightened security and compliance risks to businesses. Almost half of organisations are taking a draconian approach by disabling features in an attempt to limit the risk of new channels being used.
New communications need a new approach to compliance
More than two-thirds of respondents expect the use of modern platforms such as Microsoft Teams, Zoom, Webex, Slack and RingCentral to increase. At the same time, employees are showing a growing preference for the feature-rich tools available through these platforms over legacy methods of communication, with 81% using chat and 63% using video as much as, or more than, email to communicate. This transformation in working practices is creating challenges for firms reliant on dated approaches that cannot adequately capture, retain and supervise dynamic communications data, prompting them to consider future-proofing compliance frameworks by incorporating modern technologies to address emerging communication risks.
Widespread concerns about gaps in record keeping and supervision
Nearly half of organisations stated that they would like their legacy archiving solution to be able to capture all communications channels, including mobile, SMS and messaging tools such as WhatsApp. This frequently cited concern about gaps in coverage was summed up by one technology director in the United States who said: “I’m afraid technology has fallen behind the ability to capture all the communications necessary.”
Increased regulatory expectations
More than a third of respondents believe video conferencing and webcams create the greatest risks in terms of data privacy and employee misconduct. Consequently, four out of five respondents anticipate there will be heightened regulatory expectations in terms of supervising video.
Critical information is hard to search and retrieve
Modern communications platforms are proving difficult to oversee, with 85% of organisations experiencing challenges in retrieving records. While a third are using significant manual resources to search multiple systems and modes of communication, more than half find it difficult to search modern channels outside of traditional email. This lack of search capabilities increases exposure to potential fines and sanctions for being unable to provide timely, complete data for investigations, litigation, data privacy or other compliance purposes.
The ability to retrieve information “swiftly and without delay” has become even more critical in the wake of the U.S. Department of Justice’s revisions to corporate criminal enforcement policies, which clarified their expectations about the prompt and complete retrieval of information.
Compliance approaches — changing mindsets from disabling to unlocking features
In response to these challenges, firms have taken different approaches to stay safe and compliant across an increasingly complex communications environment. The Theta Lake survey reported that 66% of respondents in the financial services industry are using documented usage policies as controls, while almost half are disabling features as a result of inherent gaps in legacy compliance approaches that are unable to capture, retain, supervise, search and retrieve across all communications platforms.
Disabling key features that users want and need in their UC tools in turn exacerbates the risk of employees adopting unmonitored channels to engage with customers, increasing the danger of compliance and data security breaches and substantial enforcement action. Moreover, recent fines signalled that policy-based controls alone are an inadequate compensating control when it comes to off-channel communications.
In practice, with modern unified communications underpinning all of today’s business, the need for compliance and UC teams to work together in lock step is crucial to enabling the use of essential functionality. Implementing modern compliance and security technology not only allows organisations to unlock the value of the communication platforms in which they have invested, and that staff and customers want to use, but it also ensures regulatory obligations are met, and risks reduced.
Regulatory expectations
It is a point not lost on regulators.
“Let me be clear here: I am talking about more than putting together a stock policy and giving a check-the-box training. This requires proactive compliance, and this type of approach has never been more important than today — a time of rapid and profound technological change,” said Gurbir S Grewal, director of the SEC’s Division of Enforcement.
Following reports that U.S. and UK regulators are expanding their review of communications compliance, risk and compliance functions need to (re)assess the effectiveness of their current approaches and tools and think proactively about building compliance frameworks that encompass new and necessary modes of interaction.
Stacey English is director of regulatory intelligence at Theta Lake
Produced by Thomson Reuters Accelus Regulatory Intelligence 14-Dec-2022