Each individual is entitled to privacy. Across countries and within industries, comprehensive privacy rules have been written to protect individual rights and personal information.
Understandably, this practice is fundamental in the financial industry. Without privacy, consumers wouldn’t trust financial institutions to keep their assets and information secure. However, it is worth considering what happens when it comes to the privacy of conversations occurring amongst a firm’s personnel and the gamble that critical information is exploited. When communications relate to business, what should privacy expectations be?
Firms should recognize the primary concerns that arise when considering communications surveillance and its interaction with privacy, and determine what measures should be taken to ensure communications surveillance is performed properly while accounting for the concerns of those within an organization.
The surveillance vs. privacy equilibrium – quantity control
The idea that surveillance can encroach on privacy rights when overseeing employee communications is a familiar argument. In addition to the ability for communications to switch between professional and personal, one-on-one conversations feel innately private, which provokes a sense of trepidation.
While it is understandable for hesitation to lie in the idea of communications oversight, the bottom line remains that information related to business is something that a firm need to have awareness of to prevent misconduct that could jeopardize its wellbeing.
When considering evermoving factors, such as the rapid surge of modern communications platforms preferred by clients and personnel, as well as the intensifying pressure of regulators to recognize and control these communications, surveillance needs expand. As technology evolves, it’s not just emails and texts that firms need to oversee – it’s instant messaging (IM) platforms, video channels, and social media applications.
Within these conversations, there’s the ability for firms to conduct illicit activity, such as in the case of professionals cheating on mandatory internal training exams through electronic communications, or misrepresenting data on social media, such as with hypothetical performance advertisements.
The Securities and Exchange Commission made clear that it expects firms to “reasonably supervise” personnel to prevent these violations, as “widespread and longstanding failures” have the potential to hinder the ability to uphold market integrity.
In this case, a firm’s priority should be clarification. When it comes to communications monitoring, the main objective is analyzing comms for a narrow range of market conduct issues that align with regulations, such as verification that sensitive information is not being impermissibly shared. Assuring employees that only a sliver of communications is being appraised provides visibility that can dissipate privacy concerns.
Emphasizing both regulatory expectations and effective firm oversight is the first step in shedding light on the need for monitoring and surveillance. Without it, firms’ ability to maintain compliance may greatly diminish.
Whether BYOD or corporate-owned, don’t make it personal
Corporate-owned devices have been the predominant way to manage communications and make clear surveillance intentions, as they ensure that firms have complete control over the settings programmed on a particular device. Yet, offering a corporate device to each customer-facing employee entails an upfront fee for firms.
On the other hand, Bring Your Own Device (BYOD) policies are growing in popularity. BYOD permits employees to utilize their own devices when at work, making communication more convenient while also eliminating the cost factor.
According to Global Relay’s 2024 Industry Insights report, 54% of compliance teams utilize BYOD policies as opposed to 34% in the year prior. The report specifically illustrates that North American firms heavily lean toward BYOD policies, with 63.4% of firms electing to use BYOD, but monitor business-related communications channels.
It seems the divide between BYOD and corporate issued devices lies in the population scope that needs to be monitored. Within the report, Alex Viall, Chief Strategy Officer and Global Relay offered insight into this distinction:
“Many firms are separating their corporate populations into high-risk and not so high – it is the high-risk monitored population that are all being moved to corporate devices and BYOD is good enough for the rest.”
Whether corporate device or BYOD policies are implemented, firms must clarify exactly what’s permitted when it comes to communications channels, communications that are business-related, those who perform surveillance, the risks surveillance teams are looking for within communications, examples of behavior that would be flagged as high-risk, and how information will be documented.
Lift the veil on surveillance strategies
The most effective measure in addressing privacy is establishing what communications surveillance entails. It is critical to communicate the objective in conducting surveillance and position it in the most straightforward and non-imposing way possible. By doing so, firms retain the ability to maintain transparency, which lends itself to a strong culture.
What’s also paramount is investing in education and training. Clarify the reason behind surveillance and that it is not utilized as an autocratic scheme to intimidate employees or due to a lack of trust, but rather to confirm that operations continue to run smoothly and safely. The bottom line of communications surveillance is providing employees with a secure perimeter to operate.
Senior management should be setting the right example and describing what is and isn’t permissible in training. Using examples that specify what’s appropriate, inappropriate, and veering on the edge prompts thought about how to approach conversations as opposed to outlining obscure generalities. In addition to this, it is necessary to emphasize that the consequences of noncompliance are significant.
In the know, key to grow
Above all, the main point to stress relating to the conversations that employees have internally and with clients is that there is an expectation to act appropriately in workplace settings. In any workplace, it should be ensured that each employee is meeting a certain level of professionalism.
Should a firm fail to create a thorough code of conduct that outlines what is expected of personnel when they’re interacting with colleagues and clients, this will likely lead to violations, meaning there is a conduct and culture issue as opposed to a flaw with surveillance.
When employees are communicating about matters that impact a business and its functions, as well as when they’re taking part in external conversations with clients or stakeholders as representatives of a business, they should always be acting in their firm’s best interest.
In an LSEG webinar entitled “Surveillance in the Age of WhatsApp,” Carroll Barry-Walsh, Founder of Barry-Walsh Associates, summarized this sentiment:
“If you use your work channels for private [conversations], it’s not private anymore. If you want to keep something private, you don’t mix it with work.”
Super supervision and monitoring
The balance between preventative surveillance and privacy is particularly delicate. To thwart illicit activity within business conversations, which can compromise the security of sensitive information a firm is trusted to protect, defensive steps must be taken. In the same sense, detailing the scope of what will be monitored to avoid confusion and mistrust amongst personnel is equally essential.
Surveillance is a requisite that employees must accept when handling business communications, regardless of the intention of a conversation. Communication, transparency, and training are all proponents that clarify intentions, and are key to striking a balance between workforce concerns and firm obligations.
The bottom line remains – as long as employees are following rules and abstaining from any suspicious behavior, there is no cause for concern. When this message is infused in policies and thoroughly understood by personnel, firms can be assured that they have done their part in properly approaching communications surveillance.
