Listening to various FINRA examination-related individuals speaking on the topic of electronic communications supervision at industry conferences this year, there is a key message that seems to be repeating itself.
I think we all tend to think that the regulator is looking for perfection in our plans, systems and actions when it comes to supervision. Refreshingly, they aren’t, and they have been quite clear to point that out lately in open forums on the subject.
What does come through loud and clear, however, is the need to demonstrate the following key elements of a formal strategy for supervising your firm’s electronic communications:
When considering the list above, you can quickly see why the need to automate the retention and supervision of electronic communications is no longer a want, but rather a need given the increased scope of content types now being used by employees – especially with the growing demand for social media and mobile messaging to stay competitive. Provided that FINRA (or any other regulator) can see that you have a system in place to reliably capture and review the content your employees are sending out and sharing that’s related to firm business, you are halfway there.
In the past, it was enough to simply review a set random percentage of messages (e.g., 5 percent) to satisfy the requirements for supervision. But that does not actually accomplish the goal of finding and acting on the specific messages that pose the real issues, as most of the time spent reviewing messages involved looking at noncritical communication and trivial conversations, hoping to stumble onto something that looked out of line.
All that mattered was being able to demonstrate to your examiner that you looked at “enough” messages, not that you had a way to find the ones that posed the greatest risk according to your set policies. And yes, if you were lucky enough to find something that you took appropriate action on, you were good, but that was pretty much it. With the dawn of non-email, public network communications like social media, mobile messaging and blogging, the regulators can come to the table with their own set of messages they are interested in reviewing.
Modern analytics technology is also enabling the regulator to find patterns of violations rather than just “one-offs,” which were much easier to explain away because of the singularity of the event. The reality here is that you need to employ the same level of sophistication in your proactive supervision and review procedures, or else you could be dealing from a disadvantage in your next exam.
Comprehensive archiving systems can help tremendously in this area by automating the capture, supervision and review of all your electronic communications channels being used by your employees and the specific messages for each. The policies you establish in your WSP can be implemented in an automated fashion for flagging individual messages that may be in violation and routing them to specific reviewers for final determination and remediation.
Being able to point to the policies in place and showing the pattern of trapping and acting on specific messages with the individuals involved goes a long way with examiners and demonstrates the right proactive posture relative to supervision – and the culture of compliance so often talked about these days.
In fact, even if an examiner does find a set of messages that constitute violations that your policies may have missed by not being tight enough, the simple fact that you can adjust those policies electronically for all future communications in an automated system will make for a positive interaction. Yes, the violations will exist, but you and the examiner can move forward post-exam, knowing that the situation will not occur again and that you have the proper safeguards in place, which is the real goal.
The one thing I have heard over and over this year is that the worst thing you could do is to have a system in place and ignore violations when detected. This is where diligence is key and is needed beyond having the right policies and systems in place to apply to your communications. In fact, the clear message I hear from the regulator is that the enforcement actions will be most severe if the firm had knowledge of ongoing violations and did nothing to remediate the situation once discovered.
So, the bottom line here is to create the right policies, train your employees, implement a system to automate the capture and review process and have an audit trail of remediation to point to when violations are discovered. It’s not necessarily the violation itself that determines the severity of the enforcement action by the regulator. In many cases, it’s whether you had an adequate system in place for supervision – given the volume and types of communication being used and what corrective action you took to make sure that the situation did not repeat itself going forward.
Again, without an automated system and self-documenting procedures in place, you will be hard-pressed to come to the table with the adequate data to support any claims you have in this area, should the examiner have a list of potential violations in hand to go over with you.
Mike Pagani is the Senior Director of Product Marketing and Chief Evangelist for Smarsh. Mike is a seasoned IT professional and recognized subject matter expert in the areas of mobility, identity and access management, network security and virtualization. Prior to joining Smarsh in November 2014, Mike held executive-level corporate and technology leadership/spokesperson roles for Stay-Linked, Quest Software, NComputing, Dell Software and others.