Risk-based Supervision and the Hybrid Workplace
Our recent Summer Forum Series explored how to increase risk resilience around new communication tools, and embed a culture of compliance in a digital-first era.
With remote work here to stay, Global Relay recently brought together senior compliance professionals and industry experts to discuss the evolving dynamics of the so-called “distributed enterprise” as organizations grapple with the unique challenges of the hybrid working model.
The Global Relay Summer Forum Series – held in London, Chicago, and New York respectively – featured a dedicated agenda and expert panel of speakers to explore the impact of increasing compliance policies in the face of new and expanding digital communication tools.
Please read more for some of the insights and recommendations we heard from our compliance community to address growing electronic recordkeeping requirements around established regulations, including Rule 17a-4 from the Securities and Exchange Commission (SEC), and FINRA Rule 3130.
The rising case for BYOD (Bring Your Own Device)
We heard a common theme throughout our Summer Forum discussions that supervision policies are not keeping up with the current realities of remote, hybrid, or “work from anywhere” models. In New York, our panel discussed some BYOD statistics, including that some 87% of organizations allow employees the ability to access mobile business apps from their personal smartphones.
But for a majority of regulated firms this approach is simply not viable, as business communication left uncaptured and unsupervised on employee-owned devices creates compliance and security concerns. The long-established blanket policy adopted by many firms, forbidding the use of personal devices for business-related communication, is much harder to physically oversee and enforce now that remote working has become the norm. Moreover, it does not reflect how their employees are actually working.
Louise Rodger, Director of the Compliance and Policy Division at AFME (Association for Financial Markets in Europe) – which provides expertise across a range of regulatory and capital markets issues – underlined these challenges during her panel discussion. “Regardless of the location – home or office – the rules remain the rules,” she emphasized.
The $125 million fine imposed on J.P. Morgan by the SEC late last year remained a hot topic for attendees at each event and is a prime example of the growing need for measures that address non-adherence to compliance policy.
Closing the compliance gap with solutions that can record regulated conversations, protect the firm’s data, and enable monitoring and recordkeeping of disparate data was also discussed as central to empowering regulated firms to execute BYOD programs that meet stringent information governance requirements as well as:
- Reduce exposure to the risk of policy infringement by employees
- Save on the cost of corporate devices
- Provide competitive benefits, with employees able to be more responsive to customers, and communicate compliantly on the go.
Think like a regulator
The spread of communications data across new channels becomes even more challenging for firms facing a time-critical or high-stakes data request, or investigation. As one panelist was quick to state when it comes to such requests, it is vital to plan for “when” rather than “if”.
“There is little worse start to an investigation than having to ask the court or regulator for an extension because you are struggling to place your hands on the data”, said Simon Hargreaves, a consultant, and former regulator.
Demonstrating that you have practices in place to access the required data in a reasonable timeframe is key to giving the regulator certain assurances regarding your management and approach. The inability to do this can inflame the situation and incur further penalties. This contributed to the severity of the above-mentioned J.P. Morgan fine, where the regulator found that, in addition to violations of policy through the use of non-compliant channels and devices across the organization (including by those who wrote the policies), the physical lack of recordkeeping had impeded the regulator’s ability to investigate.
A ‘top-down’ culture of compliance
We also heard how building a culture of compliance, particularly one that can be established both in-office and remotely, must be the panacea for compliance teams, regardless of their jurisdiction.
As our participants shared, this culture needs sponsorship from the very top of the organization, ideally from the CEO. Being able to evidence this commitment via “tone from the top” communications direct from the CEO will be increasingly important for firms looking to prove they have taken reasonable steps to prevent an employee or contractor from making, sending, or receiving business correspondence on privately owned equipment which the firm is unable to record or copy.
In the New York and Chicago sessions, Global Relay’s Executive Vice President of Compliance, Chip Jones, also stressed the timely nature of this conversation during a week that saw the Department of Justice put forward proposals to make company CEOs and CCOs personally liable for attesting to the effectiveness of their compliance programs, a move that is understandably creating ripples of concern amongst the senior compliance community.
Hybrid working has undoubtedly intensified the need for firms to plug gaps in compliance policies that no longer serve the realities of how their employees are engaging with customers and colleagues. A unanimous takeaway from all our Summer Series events was that data governance policies are only as good as the actual processes that are then followed. Moreover, with enforcements like J.P. Morgan unlikely to be the last – and with policymakers and regulators tightening the screws – firms need to consistently revisit their policies and risk-assess their practices for electronic communications compliance to ensure policy reflects reality – or they risk paying the price.