Corporate Compliance Insights

In Electronic Supervision, Perfection isn’t Mandatory

by Mike Pagani
April 19, 2017
in Data Privacy, Featured

…but Reliable Detection and Appropriate Remediation Are

Regulators don’t expect perfection in your compliance systems, but they will require a clear set of policies governing all communications channels, documented evidence of employee training, and safeguards for remediation of any violations. In this piece, Smarsh Chief Evangelist Mike Pagani provides a fresh perspective on supervising electronic communications.

Listening to various FINRA examination-related individuals speaking on the topic of electronic communications supervision at industry conferences this year, there is a key message that seems to be repeating itself.

I think we all tend to think that the regulator is looking for perfection in our plans, systems and actions when it comes to supervision. Refreshingly, they aren’t, and they have been quite clear to point that out lately in open forums on the subject.

What does come through loud and clear, however, is the need to demonstrate the following key elements of a formal strategy for supervising your firm’s electronic communications:

  • A clear set of policies relative to what types of communication channels (e.g., email, instant message, text message, social media, etc.) are allowed and by which specific sets of individuals, as well as which ones are prohibited or restricted in some way
  • Documented evidence that your employees have been adequately trained and understand the policies (e.g., electronic attestation/certification, etc.)
  • How the communication is being reliably retained and supervised proactively for potential compliance policy violations, and who does the reviews/determination
  • When violations are detected, what was the action taken by the firm for remediation and prevention of further violations by the individual or group of individuals in question

When considering the list above, you can quickly see why automating the retention and supervision of electronic communications is no longer a want, but rather a need, given the increased scope of content types now being used by employees – especially with the growing demand for social media and mobile messaging to stay competitive. Provided that FINRA (or any other regulator) can see that you have a system in place to reliably capture and review the content your employees are sending out and sharing that’s related to firm business, you are halfway there.

In the past, it was enough to simply review a random set percentage of messages (e.g., 5 percent) to satisfy the requirements for supervision. But that does not actually accomplish the goal of finding and acting on the specific messages that pose the real issues, as most of the time spent reviewing messages involved looking at noncritical communication and trivial conversations, hoping to stumble onto something that looked out of line.

All that mattered was being able to demonstrate to your examiner that you looked at “enough” messages, not that you had a way to find the ones that posed the greatest risk according to your set policies. And yes, if you were lucky enough to find something that you took appropriate action on, you were good, but that was pretty much it. With the dawn of non-email, public network communications like social media, mobile messaging and blogging, the regulators can come to the table with their own set of messages they are interested in reviewing.

Modern analytics technology is also enabling the regulator to find patterns of violations rather than just “one-offs,” which were much easier to explain away because of the singularity of the event. The reality here is that you need to bring the same level of sophistication to your own proactive supervision and review procedures, or else you could be dealing from a disadvantage in your next exam.

Comprehensive archiving systems can help tremendously in this area by automating the capture, supervision and review of all the electronic communications channels your employees use and of the specific messages on each. The policies you establish in your written supervisory procedures (WSP) can be implemented in an automated fashion to flag individual messages that may be in violation and route them to specific reviewers for final determination and remediation.

Being able to point to the policies in place and showing the pattern of trapping and acting on specific messages with the individuals involved goes a long way with examiners and demonstrates the right proactive posture relative to supervision – and the culture of compliance so often talked about these days.

In fact, even if an examiner does find a set of messages that constitute violations that your policies may have missed by not being tight enough, the simple fact that you can adjust them electronically for all future communications in an automated system will be a positive interaction. Yes, the violations will exist, but you and the examiner can move forward post-exam, knowing that the situation will not occur again and you have the proper safeguards in place, which is the real goal.

The one thing I have heard over and over this year is that the worst thing you could do is to have a system in place and ignore violations when detected. This is where diligence is key and is needed beyond having the right policies and systems in place to apply to your communications. In fact, the clear message I hear from the regulator is that the enforcement actions will be most severe if the firm had knowledge of ongoing violations and did nothing to remediate the situation once discovered.

So, the bottom line here is to create the right policies, train your employees, implement a system to automate the capture and review process and have an audit trail of remediation to point to when violations are discovered. It’s not necessarily the violation itself that determines the severity of the enforcement action by the regulator. In many cases, it’s whether you had an adequate system in place for supervision – given the volume and types of communication being used – and what corrective action you took to make sure that the situation did not repeat itself going forward.

Again, without an automated system and self-documenting procedures in place, you will be hard-pressed to come to the table with the adequate data to support any claims you have in this area, should the examiner have a list of potential violations in hand to go over with you.


Tags: Electronic Communications Compliance, FINRA, Social Media Risk
Mike Pagani

Mike Pagani is the Senior Director of Product Marketing and Chief Evangelist for Smarsh. Mike is a seasoned IT professional and recognized subject matter expert in the areas of mobility, identity and access management, network security and virtualization. Prior to joining Smarsh in November 2014, Mike held executive-level corporate and technology leadership/spokesperson roles for Stay-Linked, Quest Software, NComputing, Dell Software and others.
