Financial Firms Struggle on Compliance for non-Email Communications

Financial services is perhaps the most regulated sector in industry. SEC, FINRA and Gramm-Leach-Bliley are merely the better known of a raft of regulations. Key to all of them is the requirement to manage and retain communications. But just as regulations have multiplied and become more complex, so too have the methods of communication that need to be monitored. What was once just email now includes SMS, public IM, a variety of social media and more. At the same time, regulators are becoming more active.

The 2017 Electronic Communications Compliance Survey (PDF) from Smarsh demonstrates continuing industry concern over its ability to capture and retain relevant staff communications, especially from mobile devices. Interestingly, Europe's GDPR will add to the regulation mix, but will expand the industry coverage from finserv to any organization doing business with Europe. While finserv regulations are concerned with financial data in communications, GDPR is concerned with personal data in communications. Different detail, but same basic problem: the control of regulated data getting dispersed in uncontrolled communications.

The problem is the same. So it follows that the difficulties and concerns voiced by finserv organizations over communications compliance will apply to all industry sectors by the end of May 2018.

Smarsh surveyed 119 finserv individuals in compliance supervisory roles ranging from c-level to operations. It found that the top three concerns for regulatory compliance are non-email communications, mobile devices, and simply understanding new and challenging regulations. In each case, the level of concern has increased dramatically over 2016 levels.

Non-email and mobile device communications overlap. Employees are increasingly using personal devices for non-email quick communication with customers, potential customers, colleagues and friends. Text/SMS messaging is considered to pose the greatest compliance risk (52% of respondents). Notably, in December 2016 FINRA fined a Georgia firm $1.5 million partly for failure to retain approximately one million text messages sent using firm-issued devices.

All of this is against a backdrop of more frequent, deeper and broader regulatory examinations. In 2015, 27% of firms were examined in a 12-month period; in 2016 it was 42%; and in 2017 it rose to 47%. The biggest single change in the examinations has been the regulators' increasing requests for social media communications. In 2015, 19% of examiners requested social media comms -- but by 2017, this had increased to 44% for LinkedIn, 27% for Facebook, 21% for Twitter, and 6% for Instagram.

The examiners are also looking at firms' mobile communication policies. In the last year, 21% of the examined respondents had to provide their mobile device communications policy. Policy, however, has its own issues. Of those firms that allow text/SMS messaging, 36% do not have a written policy governing its use. Smarsh suggests, however, that any firm not supervising mobile use should now expect to be fined.

The problem for business is that mobile communication is not a risk that can be avoided. "Firms need to leverage new and emerging channels to communicate with their customers and stay competitive, but they're failing to manage the risk," explains Stephen Marsh, CEO and founder of Smarsh.

Simple prohibition is not a solution. Where it is used, survey respondents' confidence in its effectiveness is low. Asked if they would be able to prove that prohibition is working, the confidence gap over text/SMS, and also LinkedIn, stands at 67%. For Twitter it is 57%, and for public IM it is 55%.

"This year's survey," comments CEO Stephen Marsh, "reinforces that policies of prohibition are a barrier to growing business and workforce productivity. They do not deliver compliance confidence, and they simply don't work. Early 2017 examples of text-related firm penalties all have one thing in common: all prohibited its use for business communication. More than two thirds (67 percent) of respondents have no or minimal confidence that they could prove their prohibition of text messaging is actually working."

There is a bonus. While compliance is the primary driver for communications archiving and supervision, 88% of the respondents recognize that communications data can also help identify more general security risks to the organization. "More than half of respondents (59%)," notes the report, "confirm that their organization uses this data to identify fraudulent activity, among other purposes, such as supporting e-discovery and HR issues, and detecting market abuse."

It is worth stressing that the 2017 Smarsh survey relates directly to compliance in the financial services industry. The arrival of the General Data Protection Regulation in May 2018 will create the same basic communications content compliance requirements across all industries. In preparing for GDPR, all industry sectors can learn from the non-email communications compliance problems already being experienced by finserv.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.