$6.4 billion represents the total fines that the Securities and Exchange Commission issued over fiscal year 2022. Since then, regulators have shown no sign of slowing down.
The influx of fines charged over the past couple of years has “moved the dial” on regulatory attention, suggesting that the time is now to focus on capturing and supervising business communications.
The spotlight on surveillance
On September 20, 2023, The London Stock Exchange Group hosted a webinar with Rob Mason, Director of Regulatory Intelligence at Global Relay, and Carroll Barry-Walsh, Founder of Barry-Walsh Associates, entitled “Surveillance in the Age of WhatsApp.”
The webinar covered a suite of key themes for compliant communication, including the evolving electronic landscape, regulatory scrutiny across financial markets, how to conduct a constructive internal investigation to account for compliant communications, and ways firms can structure their policies and strategies to detect and manage risk.
Throughout the conversation, both speakers addressed how the past several years have marked a rapid change for the financial industry. Communication compliance has long been a challenge, though the shift to a hybrid environment, bring-your-own-device policies, and the proliferation of messaging channels means that we’re at a crucial point in time.
Regulators have expressed their “zero-tolerance” stance on noncompliance, yet despite this, firms are still facing enforcement action for recordkeeping rule violations. So why do bans against these emerging messaging applications fail to prevent noncompliance? Mason says:
“Efforts from compliance to block these apps are being ignored because they interfere with the effective running of the business.”
While the technology has changed, Barry-Walsh says, human conduct has not. Maintaining compliance is “twofold” and depends on how firms manage the use of emerging communication channels, as well as the tactics they implement to mitigate associated risks.
The ripple effect of regulation
The topic of regulatory scrutiny arose during the session, with panelists noting that US regulators have accounted for a large portion of recordkeeping fines. Though regulators such as Ofgem have indicated that there may be a “new sheriff in town,” it seems that UK and Euro-regulators’ general approach isn’t as defined.
Despite this, firms shouldn’t assume that recordkeeping expectations are any different across markets. Fines are often “the least of your problems,” Barry-Walsh says, as misconduct still has a tremendous influence on reputational fallout and business stability. Regulatory action has a ripple effect across markets and sets the stage for how other regulators will approach compliance.
So, how can firms focus on communications surveillance and mitigate risks in the case that regulators come knocking?
Mason and Barry-Walsh go on to discuss how firms can mitigate risks in a multijurisdictional environment. First, firms should assess how they communicate their values – simply distributing generalities of appropriate behavior in policies is different than demonstrating what is expected of employees on a daily basis.
A useful way to communicate ideas amongst multijurisdictional staff is by using real-world examples so that they have a more complete understanding of expected behavior, what could come across poorly, and what could be on the border. Too many generalities may not have the same effect.
Be well prepared and spared
Within the discussion, the speakers tackle the age-old question – “what do regulators assess when conducting investigations, and what mitigation tactics can firms implement?” Firms are moving toward systematic approaches when monitoring communications to ensure they’re capturing all the correct channels, assessing risks, and making changes. Barry-Walsh explains that regulators want to know if firms have evaluated risks and taken reasonable steps following their assessments:
“If you have a thoughtful approach to [risks], you are taking steps, and you have a plan for dealing with any matters that are not yet covered, you’re going to be in a much, much better position with your regulators and other stakeholders.”
Barry-Walsh encourages firms to remember that the use of communications channels is not an intolerable burden, especially considering the benefit they present to business processes. The focus needs to shift away from banning applications, which can inevitably make “wrongdoers” of employees who have off-channel conversations, and instead reinforce professional communications.
She continues by saying compliance officers must set clear guardrails around messaging. Even if misconduct arises, firms that have clearly detailed their expectations will be better protected from regulatory repercussions.
Sound, structured surveillance
One of the final points Mason emphasizes during the webinar is strengthening surveillance to prevent misconduct and remain compliant:
“The key practical pillars around a surveillance solution are data, engine, and people.”
These pillars constitute an indestructible surveillance strategy. A complete inventory of data ensures firms are capturing the whole channel, which should be fed into an engine that can analyze and identify risk. The final piece of this process is building a talented team of people who can analyze these outputs.
As a key takeaway, Mason urges organizations to remember that it “doesn’t matter if you’re big or small,” as noncompliance risks concern all firms. Now, though, a range of surveillance tools is available for firms to use confidently and observe communications without sweating about what could be happening on illicit channels. Barry-Walsh says in summary:
“Remember it could be you. Don’t be complacent. Know your risk and manage it. Remember to tell your staff it’s not just what you say, it’s how you say it… Above all, think of this as part of essential risk management.”