
The Slack Financial Compliance Manual

23 May 2024 8 mins read
By Jennie Clarke

The Slack Financial Compliance Manual for Legal, eDiscovery, and Compliance Teams


What is the Slack App?

Offering an array of features to organize and manage conversations, such as both individual and channel instant messaging (IM), voice and video clip recordability, and live video conferencing (a.k.a. “Huddles”), Slack is an all-in-one messaging channel to help boost business operations. Slack’s goal is productivity, which is demonstrated within the platform’s layout.

Slack combines elements of multiple communication channels to allow for efficiency while stimulating engagement and natural conversation within chats. With the ability to share files and schedule meetings or use emojis and reactions similar to a social media application, Slack appeals to a range of users.

As the financial industry transforms, Slack has been embraced by firms to streamline business functionality. With its far-reaching use across financial services, Slack message retention is non-negotiable. Regulators have been hot on the trail of firms who fail to maintain a proper archive of their business communications, and the implementation of IM within the industry means that it’s now essential that firms cover their compliance bases when using the Slack App.

Slack Compliance

Slack has outlined its adherence to compliance and regulations, and financial firms can use it with the assistance of a configurable archiving system. Your firm can therefore use Slack as a messaging application and maintain compliance with the Financial Industry Regulatory Authority’s (FINRA) guidelines, as long as you retain a complete record of conversations.

Financial firms have to adhere to Rule 17a-4, a rule imposed by the Securities and Exchange Commission (SEC) covering electronic data retention, indexing, and accessibility for regulated entities. Rule 17a-4 requires firms to retain and preserve all business records, including communications data such as that produced through Slack.

Slack has its own retention practices, including the ability to store messages and files indefinitely, or adjust filters so that data automatically deletes after a certain period of time. In addition, firms can elect to authorize certain approved devices and individuals to utilize the Slack App with identity management measures. Making use of these features is a good first step towards compliance, though it may not necessarily meet the breadth of requirements that governing entities impose. During an investigation, for example, firms will need to locate and access information instantaneously. By relying only on the retention properties offered within each internal platform your firm uses, data retrieval becomes complicated, time-consuming, and unstructured.

Slack and GDPR

In acknowledgment of the General Data Protection Regulation (GDPR), Slack confirmed that it has enhanced safety measures to assist in meeting privacy requirements. GDPR came into effect in 2018 and protects the privacy of those within the European Union (EU) by setting clear rules around personal data usage and transparency.

To meet the law’s requirements, Slack has bolstered its security infrastructure and certifications, made updates to relevant contractual terms, implemented Standard Contractual Clauses to support international data transfers, and expanded its range of data management tools.

Slack also keeps up to date with regulatory guidance in case it needs to modify any of its security and privacy settings. The platform has confirmed that it is compliant with security standards from recognized agencies, such as SOC 2, SOC 3, ISO 27001, ISO 27017, and ISO 27018.

The Process of Slack Legal Hold and eDiscovery API 

To export and sort through digital data, users can opt to use Slack’s eDiscovery API. Slack eDiscovery API allows you to connect an external eDiscovery solution to its Enterprise Grid per your organization’s approved channel owner.

For example, in the case that a firm is being investigated for breaking client confidentiality and failing to protect sensitive information, it will become necessary to quickly search through messages to find any evidence connecting to the incident. In these instances, having immediate and organized access to all of your firm’s data – whether it’s from Slack or other platforms used internally – is imperative.

After defining the scope of your eDiscovery needs and the data you’re looking for to support your case, you can elect to utilize a third-party provider to work alongside internal legal teams. Then, Slack’s eDiscovery API can be used to gather, collect, and export data from any workspace.

Should your firm need to implement legal holds to prevent required data from being deleted, those with the Legal Holds Admin role can elect to preserve messages. When a Slack legal hold is placed, admins can retain messages from all conversations or direct messages an individual was specifically involved in.

Regardless of retention settings or whether data is deleted afterwards, messages and files sent within a conversation will be saved. To access this data, legal teams can perform a JSON export using Slack’s eDiscovery API. However, Slack notes that if a channel included in a legal hold is deleted, messages and files won’t be saved. As such, firms should consider implementing a robust archive solution that can instantly capture all data in one system and keep it secured regardless of later deletion.

Key steps in Slack eDiscovery API:

  1. Determine the approach: When facing a legal investigation, define the scope of messages that your firm needs to examine and assemble to support your case.
  2. Team identification: Determine which internal teams will oversee the eDiscovery process, including those who have admin access to communication platforms like Slack. In addition, identify where external eDiscovery providers will need to come in to assist with data collection.
  3. Gather information: When searching on Slack, internal teams and external providers can utilize the Slack eDiscovery API to gather information to be used as evidence. 
  4. Export data from Slack: Once gathered, export data and compile it with information from other platforms to build your defences.
  5. Review and finalize: Finalized cases will then be reviewed by legal teams and sent to the opposing counsel.

Slack Data Loss Prevention (DLP)

Privacy is of the utmost importance in the sphere of finance given the sensitivity of the data that firms must handle. Slack’s data loss prevention (DLP) measures help organizations ensure that personnel don’t disclose sensitive information that could compromise client privacy and trust.

With Slack DLP, your organization can create a set of rules to monitor conversations occurring within the Slack platform and, by scanning the contents of a message, flag violations that require review. Rules can be customized based on your firm’s specifications and can be applied to only certain conversations and workspaces to narrow the focus of surveillance efforts.

Slack admins are provided with a daily overview of rule violations and can then choose to send violators a warning. In addition, files and messages can be hidden until they are needed for review at a later time.

Slack message retention

When it comes to Slack’s internal retention policy, the platform stores all messages and files indefinitely, though if preferred, you can choose how long messages should be kept before deletion. Once messages and files are deleted from the Slack App, they cannot be recovered. Message retention processes vary depending on the Slack plan.

With the Business+ plan, workspace owners have the ability to retain all messages and files while also tracking any edits or deletions. Slack’s Business+ plan users can also choose to delete messages in channels, but maintain accessibility with export tools, which is a special feature that applies to those legally obligated to maintain data records. Slack data exports allow owners and admins to export information from public channels, private channels, and direct messages using a self-service tool.

With the Enterprise Grid plan, which is designed for companies in regulated industries, org owners can set policies that apply to all workspaces within the Slack App, overriding the ability of any workspace admins underneath to adjust retention settings for messages or files. Using this plan, firms can also keep a record of all files, including deleted files, via export tools and the Discovery API.

In addition to utilizing these retention processes, firms should weigh the advantages of an external archiving solution. Whether it be messages from Slack or another communications platform, this recordkeeping security assures that you stay in line with regulatory requests and offers enhanced searchability, instant access, and data classification across all channels utilized by your business.

How to download and export Slack conversations

Slack has an inbuilt feature to download and export conversations occurring within your workspace. Depending on your plan, you can export data from public and/or private channels, schedule recurring exports, or export all conversations that include a single user. Workspace owners, organization owners, and those with admin rights are the users granted the ability to perform this procedure.

Once all data and date ranges are selected, Slack will begin exporting data and send an email when the process is complete. Upon completion, you can access a zip file with message history and file links stored in JSON format.

When firms choose to utilize Global Relay’s Connectors, which collect and export Slack messages to your archive of choice, they can be confident that data is structured and organized. Beyond just collecting and storing information, Global Relay’s composition method helps firms make sense of their data. Beneficial in the matter of internal investigations, analytics, eDiscovery, and more, Global Relay’s archiving system allows firms to leverage the potential of their messaging data.
