Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy & Compliance

Financial Compliance: Problems are Changing, Solutions are Not

The sixth annual survey from Smarsh on financial services communications compliance issues shows that regulatory scrutiny and compliance difficulties are increasing while resources and solutions are not.

The sixth annual survey from Smarsh on financial services communications compliance issues shows that regulatory scrutiny and compliance difficulties are increasing while resources and solutions are not. Enforcement and retention gaps remain high, leaving companies open to undetected fraud, errors and regulatory penalties.

The survey polled 221 financial services professionals with compliance supervision responsibilities. Less than one-in-ten of the respondents expect to receive any significant increase in resources at a time when BYOD and social media are increasing their difficulties.

One of the main problems is that the compliance perimeter (that is, the communication methods and devices that require regulatory overview) is expanding beyond the organization’s security perimeter (that is, the systems with direct company security and overview control). This is primarily caused by increased use of personal devices and social media, which often go hand in hand. Even where a company has a defined BYOD policy it is difficult to know which messages need to be retained by the company.

It is the content of a message that determines whether it falls under compliance regulations. However, even within the traditional security perimeter 5% of respondents still feel they do not have an adequate archiving or supervision solution in place for email via corporate email accounts. This rises to 68% of respondents concerned about SMS/text messages even where company policy allows them. Forty-six percent are concerned about the lack of control over LinkedIn messages, and 44% over Instagram, Facebook and public IMs such as Skype.

The general lack of oversight capabilities leads to specific risks recognized by the compliance professionals. These include an inability to provide evidence of supervision (32%); failures in policy enforcement (29%); inefficiencies of the supervision process (28%); difficulties in fine-tuning supervision processes to find real risk (27%); inability to produce data upon request (26%); and policy creation (21%).

All of this is happening at a time when regulations and regulatory scrutiny are increasing. Regulations governing electronic communications can be found in SEC rules, FINRA, Federal Rules of Civil Procedure, Gramm-Leach-Bliley, FCA rules, State Data Protection laws and more. And it’s getting personal. In September 2015 SEC warned that compliance officers could be charged for negligently conducting their duties. In the same month it fined Securas Wealth Management’s chief compliance officer $30,000 for failing to implement the policies and procedures that would have caught stock manipulation fraud.

The problem, suggests Stephen Marsh, CEO of Smarsh Inc, is that the nature of the problem has changed, but the solutions have not. This has resulted in three main approaches by compliance officers: ‘prohibition’ (simply prohibit communication through BYOD and social media); ‘head in the sand’ (ignore the problem and respond to regulators, ‘not in my knowledge’); and ‘extend what’s in place’ (that is, increase what already doesn’t work very well). 

“Creating a sustainable, scalable and holistic approach needed for effective electronic communications supervision today can’t be done overnight,” he says, “but it can be done. It requires the coordination of the right processes, technology and human capital across stakeholders from IT departments, compliance, legal and marketing units.”

Advertisement. Scroll to continue reading.
Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights