The sixth annual survey from Smarsh on financial services communications compliance issues shows that regulatory scrutiny and compliance difficulties are increasing while resources and solutions are not. Enforcement and retention gaps remain high, leaving companies open to undetected fraud, errors and regulatory penalties.
The survey polled 221 financial services professionals with compliance supervision responsibilities. Less than one-in-ten of the respondents expect to receive any significant increase in resources at a time when BYOD and social media are increasing their difficulties.
One of the main problems is that the compliance perimeter (that is, the communication methods and devices that require regulatory overview) is expanding beyond the organization’s security perimeter (that is, the systems with direct company security and overview control). This is primarily caused by increased use of personal devices and social media, which often go hand in hand. Even where a company has a defined BYOD policy it is difficult to know which messages need to be retained by the company.
It is the content of a message that determines whether it falls under compliance regulations. However, even within the traditional security perimeter 5% of respondents still feel they do not have an adequate archiving or supervision solution in place for email via corporate email accounts. This rises to 68% of respondents concerned about SMS/text messages even where company policy allows them. Forty-six percent are concerned about the lack of control over LinkedIn messages, and 44% over Instagram, Facebook and public IMs such as Skype.
The general lack of oversight capabilities leads to specific risks recognized by the compliance professionals. These include an inability to provide evidence of supervision (32%); failures in policy enforcement (29%); inefficiencies of the supervision process (28%); difficulties in fine-tuning supervision processes to find real risk (27%); inability to produce data upon request (26%); and policy creation (21%).
All of this is happening at a time when regulations and regulatory scrutiny are increasing. Regulations governing electronic communications can be found in SEC rules, FINRA, Federal Rules of Civil Procedure, Gramm-Leach-Bliley, FCA rules, State Data Protection laws and more. And it’s getting personal. In September 2015 SEC warned that compliance officers could be charged for negligently conducting their duties. In the same month it fined Securas Wealth Management’s chief compliance officer $30,000 for failing to implement the policies and procedures that would have caught stock manipulation fraud.
The problem, suggests Stephen Marsh, CEO of Smarsh Inc, is that the nature of the problem has changed, but the solutions have not. This has resulted in three main approaches by compliance officers: ‘prohibition’ (simply prohibit communication through BYOD and social media); ‘head in the sand’ (ignore the problem and respond to regulators, ‘not in my knowledge’); and ‘extend what’s in place’ (that is, increase what already doesn’t work very well).
“Creating a sustainable, scalable and holistic approach needed for effective electronic communications supervision today can’t be done overnight,” he says, “but it can be done. It requires the coordination of the right processes, technology and human capital across stakeholders from IT departments, compliance, legal and marketing units.”