For the sixth consecutive year, the Smarsh Electronic Communications Compliance Survey illustrates the key trends and concerns facing compliance teams around the retention and oversight of electronic communications. While many of the concerns highlighted by respondents remain consistent year-to-year, such as increased regulatory scrutiny and new communications channels, the responses also show that supervision practices are not keeping pace with the compliance implications of these ongoing trends. Gaps in policy, enforcement capability and retention remain high, leaving firms exposed to undetected fraud, errors, and regulatory enforcement penalties.
For instance, supervision of non-email communication types, such as social media, text messaging and website content, poses a real challenge because the sheer volume of email that firms must retain and review already overwhelms most organizations. Resources needed to address the ever-expanding compliance perimeter are growing too slowly, if at all. Against this backdrop, compliance professionals have to align the benefits of modern communications with the critical need to protect their firms, their clients’ data, and even themselves against compliance risks.
These concerns hold steady irrespective of whether a firm allows usage of a new communications channel or not, indicating that simply prohibiting a channel neither removes the concern nor gives the firm confidence that the prohibition is actually enforced. Compliance must also ensure employees are not using unsupervised channels for business purposes without the firm’s permission or knowledge; communications outside the compliance perimeter represent the most significant source of compliance vulnerability and risk.
It’s no wonder compliance professionals are expressing growing concern that their current programs do not effectively identify potential compliance violations and true risk.
Electronic Message Supervision
The primary purpose of electronic message supervision is to satisfy regulatory requirements designed to protect investors. In addition to retention, firms are required to perform risk-based review of all business correspondence and internal communications, even when messages reside on an employee’s personal devices and social media accounts.
The compliance function must ensure the firm complies with these mandates, thereby minimizing the business risks of non-compliance, such as fines, reputational damage, and loss of license to operate. However, the value of electronic communications retention and supervision extends beyond the regulatory checkbox. Sixty-five percent of the Smarsh survey respondents reported that the compliance function is responsible for handling requests to produce electronic communications data for e-discovery or other business purposes, bringing compliance into more aspects of business operations. Increasingly, electronic communications supervision also plays a role in broader risk management, including cybersecurity.
The Road Ahead: Greater Focus on Cybersecurity
Recently, FINRA and the SEC identified cybersecurity as the number one threat to financial institutions, and introduced new regulations in 2015. This year, both regulators also began including cybersecurity in their exams.
Firms around the world are recognizing that the holistic oversight enabled by the comprehensive archiving of electronic communications can greatly reduce risks that would otherwise go undetected in the ‘dark corners’ within firms. These could be described as situations where a rogue employee, third-party supplier, or unmonitored social media account wreaks havoc on a firm’s reputation, business, or regulatory compliance without the firm knowing.
Comprehensive archiving and supervision of electronic communications can proactively help identify ‘bad actors’, dissatisfied customers, and other potentially negative incidents before irreversible damage occurs. Client and employee communications that may pose risk can be flagged, reviewed or analyzed, and escalated for any concerning language or trends, ultimately enhancing risk management and overall cybersecurity efforts.
While the Smarsh survey reveals that the majority of firms still struggle with continually evolving regulations and new communication types, progressive firms are now paying even closer attention to the way they retain, archive and supervise email, social media, text messaging, and website communications. Taking full advantage of specialized technologies such as comprehensive archiving (which can automate message capture and help a firm perform policy checks and message review) can create new levels of efficiency for compliance teams so their capacity can extend beyond email alone. These firms are also performing cybersecurity assessments in line with new regulations, implementing solutions that mitigate any identified risks, obtaining certifications where needed, and then reporting on progress in preparation for SEC and FINRA cybersecurity exams.
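As an added illustration of the "policy checks and message review" described above (and the flagging and escalation of concerning language mentioned earlier), the following script is example code written for this page, not Smarsh's product or any vendor's lexicon. It assumes a hypothetical firm whose approved, archived channels are email, SMS and LinkedIn; the lexicon patterns, the escalation rules and the sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Channels the hypothetical firm has approved and captures into its archive.
# Anything else is outside the compliance perimeter (assumption for this example).
SUPERVISED_CHANNELS = {"email", "sms", "linkedin"}

# Illustrative supervision lexicon: rule name -> pattern. Real programs tune
# these against their own false-positive rates; these are constructed examples.
LEXICON = {
    "guaranteed_returns": re.compile(r"\b(guaranteed?|risk[- ]free|can't lose)\b", re.I),
    "off_channel_steering": re.compile(
        r"\b(whatsapp|signal|personal (cell|phone|email)|text me at)\b", re.I),
    "customer_complaint": re.compile(r"\b(complain(t|ing)?|misled|unauthori[sz]ed)\b", re.I),
}

# Rules whose hits go straight to escalation rather than routine reviewer queue.
ESCALATE_RULES = {"guaranteed_returns", "off_channel_steering"}


@dataclass
class Message:
    msg_id: str
    channel: str
    sender: str
    body: str


@dataclass
class Finding:
    msg_id: str
    hits: list            # lexicon rules that matched, sorted for stable output
    out_of_perimeter: bool
    action: str           # "archive", "review" or "escalate"


def review(msg: Message) -> Finding:
    """Apply lexicon and perimeter checks to one message and decide its disposition."""
    hits = sorted(name for name, pat in LEXICON.items() if pat.search(msg.body))
    out_of_perimeter = msg.channel.lower() not in SUPERVISED_CHANNELS
    if out_of_perimeter or set(hits) & ESCALATE_RULES:
        # An unsupervised channel is a finding on its own, even with no lexicon hit:
        # the firm cannot demonstrate retention or review for it.
        action = "escalate"
    elif hits:
        action = "review"
    else:
        action = "archive"
    return Finding(msg.msg_id, hits, out_of_perimeter, action)


def run_policy_checks(messages):
    """Review a batch of captured messages; returns one Finding per message."""
    return [review(m) for m in messages]


def summarize(findings):
    """Count dispositions, the figure a compliance dashboard would report."""
    counts = {"archive": 0, "review": 0, "escalate": 0}
    for f in findings:
        counts[f.action] += 1
    return counts


# Constructed sample messages (not real communications).
SAMPLE_MESSAGES = [
    Message("m1", "email", "adviser@example.com",
            "Q3 statement attached; let me know if you have questions."),
    Message("m2", "sms", "+15550100",
            "This fund is basically risk-free, guaranteed 12% a year."),
    Message("m3", "linkedin", "client.jane",
            "I'm unhappy and want to file a complaint about the unauthorized trade."),
    Message("m4", "whatsapp", "adviser.personal",
            "Let's move this to WhatsApp so it's off the record."),
]

if __name__ == "__main__":
    findings = run_policy_checks(SAMPLE_MESSAGES)
    for f in findings:
        print(f"{f.msg_id}: {f.action:9} hits={f.hits} out_of_perimeter={f.out_of_perimeter}")
    print(summarize(findings))
```

The point of the perimeter check is the one the survey data makes: a message on a channel the firm has not approved is escalated even when it contains nothing objectionable, because the firm has no retention or review record for that channel at all. In practice, such a message would only be visible through capture of the device or a self-report, which is exactly why unsupervised channels are the largest source of risk.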
There is a growing need for firms of all sizes to rethink traditional or legacy approaches to communications supervision, especially when considering finite resources and the evolving strategic role that compliance teams can play moving forward in organizational risk management and cybersecurity initiatives.
About the Author
Mike Pagani is a seasoned IT professional and recognized subject matter expert in the areas of mobility, identity and access management, network security and virtualization. Prior to joining Smarsh in November 2014, Pagani held executive-level corporate and technology leadership/spokesperson roles for Stay-Linked, Quest Software, NComputing, Dell Software and others.