The Future of Digital Communications Compliance is Now

July 14, 2022. A day to remember for digital communications compliance. The day that ended any doubt of regulatory focus on the tools used to reach investors.

While the headlines focus on the staggering fine total related to the use of a specific social media application – WhatsApp – the outcome should not be a complete surprise, as the SEC signaled its intent to examine social media practices last October. However, the issue is not limited just to WhatsApp and mobile devices, and its impact will be felt across the entire financial services industry, affecting firms large and small both in the US and abroad. It is already causing firms to reevaluate the processes they use to evaluate tools that they will allow for business purposes. And it is causing a re-assessment of the oversight programs firms have in place to identify prohibited tools that may be in use in spite of defined policies and employee training and attestations.

Just Say No?

As we’ve discussed many times, the issue is not that simple. Even prior to the pandemic, we saw firms struggle to make prohibition policies work – and that was in an era when the top concern was personal email accounts. Today, we have a virtually limitless supply of social media, collaboration, and mobile apps, from Signal, Discord, and Telegram to WeChat and Instagram, that are much easier for remote work teams to access. However, the simple reason why these policies will not work is more fundamental – a rapidly growing portion of firms’ employee and client bases are familiar with and prefer to engage on these networks – and they have been proven to demonstrate results. Whether it is increasing assets under management, driving deeper levels of client engagement with TikTok, or engaging on Telegram to pursue crypto business – it is clear that the way that consumers of financial services choose to engage has been fundamentally changed.

Furthermore, this is not a simple ‘yes/no’ decision point. Even the most rigorous up-front process to approve a new communications tool based upon an ‘acceptable’ level of risk can be ineffective as a result of 1) the continued accessibility of tools that are not addressed under policy (which would typically imply prohibited), 2) the accessibility and use of tool versions other than those that are approved (e.g. free or outdated versus current enterprise versions), 3) the failure to modify retention and supervisory policies (“WSP”) to require inspection for prohibited networks, 4) the inability of existing oversight tools to capture, preserve, or play back the unique features, modalities and conversational syntax of individual networks, or 5) the actual inspection occurring too infrequently or ad hoc only when an issue has surfaced. And, ultimately, in spite of these policy and oversight safeguards and more high-profile fines, the issue is largely about employee conduct, where training, attestations, and clear explanation of the consequences of violating policies are only the beginning of the oversight task.

Shining Light on your Compliance Gap

A compliance gap is defined as the difference between the tools approved for use and defined within policies by your firm versus the tools that are actually used in practice. Given the nature of technology innovation, that gap can expand, contract, or move, but it doesn’t go away. We’ve monitored the industry for years via the Smarsh Compliance Survey, and had most recently seen that gap focused on the unapproved use of text messaging. Post-pandemic, that has clearly shifted to mobile applications. So, how can firms – in particular, those that are more resource constrained – improve visibility into where today’s communications risks may reside? Here are a few tips to start:

  1. Rethinking your benefit/risk/cost equation. As regulatory fines have moved from $50K slaps-on-the-wrist into multi-million dollar territory, every firm is asking itself again about the level of communications risk it is willing to accept. Conceptually, this had been expressed as expected benefits to the business (more effective pursuit of retail investors and growth markets) versus expected risk (likelihood of potential regulatory infraction x the average size of those fines). With the increased risk level, this analysis is no longer just about approving tools with an acceptable benefit/risk ratio; it is about defining and prioritizing the investments to reduce risk levels from both accepted and prohibited communications sources.
  2. Increasing frequency and systemic monitoring for use of prohibited networks. Many firms have continued to use processes to periodically inspect for the use of prohibited tools (e.g., looking for breadcrumbs indicating that a specific platform like Discord is being used), but practices remain ad hoc and semi-automated. The need to move toward a proactive posture of surveilling employee communications has never been greater, given regulatory focus not just on the tools themselves, but on other activities that can harm the firm, such as outside business activities (OBA) that are likely happening on dark-corner platforms. Those intent on wrongdoing will go where they believe they can avoid detection.
  3. Updates to your acceptable use and retention policies. For most firms, communications policies are very likely out-of-date with employees working from everywhere. When considering the unique feature sets that each social media platform utilizes (e.g., video recording, auto-generated transcripts, whiteboards, bots, etc.), policies should address not only specific modalities, but also how capabilities can be used by specific job functions.
  4. Looking around the corner. The second element of the compliance gap – what tools are actually used in practice – is by far the most challenging aspect of the gap analysis. Most employees simply want to get their jobs done, but hybrid work and the proliferation of mobile apps that have crossed over from personal lives have created a visibility challenge never seen (or unseen) before. The basics will help here, starting with maintaining an automated inventory of supported tools, available functionality, and current method of capture, as well as tracking those that have been prohibited in order to feed into surveillance programs for periodic inspection. However, the problem is dynamic. So, talk to your GenZ employees, engage social media influencers, track social media business adoption, and talk to your teenage children and their friends about the apps they are using.

Mind the gap. The challenge is moving. And the stakes have never been higher.

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

1 year

Robert, thanks for sharing!
