2020: Extending the Vision of Supervisory Review
Robert A. Cruz
Vice President, Regulatory & Information Governance | Global RegTech Leader
Well, the New Year and the next decade have arrived – along with an endless series of prediction posts that will connect the terms ‘2020’ and ‘vision’. So, let me contribute mine to the fray.
The start of 2020 does have significance, albeit symbolic, to the field of supervision – otherwise known as regulatory-driven supervisory review. One could argue that it is an inflection point – where those faced with the historical challenges of addressing FINRA, SEC and CFTC rules for the review of communications are all asking similar questions about 2020 and beyond, such as:
- How can we be more efficient in the review of increasingly unique content sources such as those created on mobile apps and collaboration tools?
- How can our team use advanced ML and surveillance technologies to spot patterns and unknown risks?
- How should we adjust our compliance processes to comply with CCPA and other new privacy requirements around the world?
For those in the middle of these challenges, stay tuned to this channel. We will stay focused on these topics throughout the course of 2020, starting with our annual review of the upcoming FINRA Annual Risk Monitoring and Examination Priorities letter (https://www.finra.org/rules-guidance/guidance/exam-priority-letters) when it is released later this month.
For those that do not have an explicit regulatory-driven supervision requirement, practices for inspecting employee communications for potential policy violations vary widely, and often entail simple ad-hoc search and review, or the use of data loss prevention (DLP) tools to look for the use of specific words or phrases. It is within this group that we expect to see big changes in 2020, with cases such as these driving the increase in demand:
- Away CEO resigns after “Slack bullying” is revealed - https://www.theverge.com/2019/12/5/20995453/away-luggage-ceo-steph-korey-toxic-work-environment-travel-inclusion
- The Wall Street Journal warns of the risk of text misfires - https://www.wsj.com/articles/texting-moves-to-the-workplace-as-do-the-awkward-misfires-im-here-i-luv-u-11555511509
- Apple warns employees of leaking information to media via LinkedIn and Twitter - https://www.bloomberg.com/news/articles/2018-04-13/apple-warns-employees-to-stop-leaking-information-to-media, following a similar message earlier in the year from Tesla, warning against information leaks, and referencing an employee who was fired for sharing confidential information with journalists on Twitter - https://www.cnbc.com/2019/05/03/tesla-email-warns-employees-stop-leaking.html
- Emojis are increasingly becoming swept up in workplace harassment issues - https://edition.cnn.com/2019/07/08/tech/emoji-law/index.html
- Antonio Brown fired from NFL team for intimidating text messages - https://www.si.com/nfl/2019/09/19/antonio-brown-accuser-text-messages
All of these examples - Slack bullying, textual harassment, data leaks, etc. - are reasons why 2020 will be the year that extends the vision of supervisory review. The vision is extended because of a seemingly endless set of new communications tools, many of which are released to employees without the policy controls or user training that establish clear usage guard rails. It is extended because each new tool is unique, some with better means than others to capture and control content that can be interactive – or ephemeral. And, finally, the vision is extended because review should now focus not just on regulated users, but on any employee whose actions can result in the loss of information that has business value or expose the company to privacy, security, or other business risk. In short – employees will find a way to do stupid stuff, and the likelihood that those stupid things are happening on a mobile app or collaborative tool will increase dramatically in 2020.
So, what can firms that do not have specific regulatory-driven mandates for formal supervisory programs learn from those that do? Here are 5 key lessons:
- Assume risk and value can live anywhere: messaging apps, Microsoft Teams, and Slack can all look like a place to socialize with chat buddies. But every organization using these technologies should take to heart what regulators and the courts are saying consistently in examining written supervisory procedures or in arriving at decisions in litigation: it is the content and context within a conversation that is determinative, not the specific tool or technology that one is using.
- Know your networks: just when you thought you were gaining the upper hand on shadow IT and dark data locations, we start 2020 with a new generation of employees and clients continually demanding that they do business with the tools they are familiar with. Maintaining an active inventory of acceptable messaging and collaborative apps is not getting any easier, but has never been as important.
- Establish a regular inspection cadence: every organization should establish an ongoing process to review employee communications. Start with inspection of keywords, message fragments indicating use of prohibited networks (e.g. WeChat, WhatsApp, Snap, etc.), as well as phrases that may be indicators of channel hopping (e.g. LDL (let’s discuss live), TOL (talk off line)). More frequent inspection can be provided for higher risk employees, client-facing staff, as well as executives, and uncovered patterns can be fed back into supervisory policies to help stay ahead of areas of highest risk.
- Train, train, and retrain: identifying areas of potential exposure should start with clear, explicit training programs that provide illustrations of acceptable and prohibited uses of each communications tool. As tool preferences often differ by department, working directly with users to understand how each technology is enabling that area of the business provides a good starting point to help engrain an understanding of the behaviors and consequences of policy violations.
- Ask AI for help: identifying inappropriate behavior across 100+ communications sources (and, for global firms, significantly more than 100), is as easy as finding needles that can move across multiple haystacks, some of which are better organized than others. AI and content surveillance technologies are well suited to uncover patterns and anomalies in behavior to complement policy-based inspection.
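The keyword inspection described in the "Establish a regular inspection cadence" lesson, sketched as an added example (not code from the original post or from any vendor product): it matches the prohibited-network and channel-hopping terms named above on word boundaries and orders senders for review, with higher-risk senders first. The function names, the sample messages and the high-risk set are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Terms are the examples named in the text above; a production lexicon is firm-specific.
RULES = {
    "prohibited_network": [r"wechat", r"whatsapp", r"snap(?:chat)?"],
    "channel_hopping": [r"ldl", r"tol", r"let['’]?s discuss live", r"talk off[ -]?line"],
}
# \b on both sides keeps "tol" from firing on "told" and "snap" on "snapshot".
# A bare "snap" used as an ordinary word will still match and needs human review.
COMPILED = {
    cat: re.compile(r"\b(?:" + "|".join(pats) + r")\b", re.IGNORECASE)
    for cat, pats in RULES.items()
}

def inspect(message):
    """Return sorted (category, matched_text) hits for one message body."""
    hits = set()
    for cat, rx in COMPILED.items():
        for m in rx.finditer(message):
            hits.add((cat, m.group(0).lower()))
    return sorted(hits)

def review_queue(messages, high_risk=()):
    """Group hits by sender; senders in high_risk sort first, then by hit count."""
    per_sender = defaultdict(list)
    for sender, body in messages:
        for hit in inspect(body):
            per_sender[sender].append(hit)
    return sorted(per_sender.items(),
                  key=lambda kv: (kv[0] not in high_risk, -len(kv[1]), kv[0]))

# Constructed sample messages (sender, body); not real data.
SAMPLE = [
    ("alice", "Can't put this in email. TOL?"),
    ("bob", "I told him the snapshot is ready."),
    ("carol", "Ping me on WhatsApp, let's discuss live."),
    ("dave", "ldl - send it over wechat instead"),
]

if __name__ == "__main__":
    for sender, hits in review_queue(SAMPLE, high_risk={"dave"}):
        print(sender, hits)
```

Senders with no hits (here, bob) never enter the queue, which is the effect of the word-boundary matching on "told" and "snapshot".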
Welcome to 2020. The new era of supervisory review has arrived.