Managing Off-Channel Communications with Policy, Accountability and New Technologies
Summary of a Roundtable Discussion with Senior Compliance Executives
Recent statements from regulators point to a few shifts in how they view compliance. For one thing, regulators are now willing to fine firms simply for incomplete record retention, regardless of whether or not there was actual wrongdoing. They understand that many firms have gaps in their records due to the proliferation of communications channels, and expect firms to plug those gaps. For another, regulators care about the culture of compliance that firms are setting, and expect firms to hold non-compliant employees accountable.
In our second CCO and Surveillance Leadership roundtable, hosted by NICE Actimize and Guidepost Solutions, senior compliance executives from various major financial institutions discussed how to manage off-channel communications when they happen, accountability in monitoring and surveillance, and advances in surveillance technology.
As always, our discussion was meant to provide a safe space for compliance professionals to talk through solutions and help each other out, without attribution and under "Chatham House Rules".
Below is a summary of responses to three key questions addressed in the discussion.
1. You simply can’t capture every conversation an employee has - especially when they happen in person. So how do you protect the firm from off-channel communications when they happen?
Sometimes, employees don’t follow the rules for cultural reasons. Their client prefers to communicate on WhatsApp, for example, and the firm doesn’t have a way to capture and record this communication channel. Because the employee wants to deliver good client service, or is afraid to say no, they use their personal phone and start conversing through the Meta platform.
Other times, employees circumvent authorized and monitored communications channels because they intend to break the rules and don’t want to leave a record.
Regulators care about both scenarios, because even if there isn’t misconduct, they have to waste time investigating the gaps in your monitoring. Your firm is now on the hook for the time wasted, and you might get a fine just for having incomplete records.
It’s impossible to truly capture every communication that ever happens, however, so how do you protect the firm from these fines?
One way is to make sure your compliance policies are crystal clear and well-communicated, and that you’re auditing your process. Policy not only helps with prevention, it proves to regulators that your firm takes the rules seriously, and works hard to build a culture of compliance. You should also follow up on your policy with checks and balances. Have a whistleblower line in place, as well as regular auditing. You can then demonstrate to regulators that your controls are working even if, say, some conversations happen face-to-face, or a rogue employee acts unethically.
Another way to satisfy regulators is to hold bad actors accountable, proving your commitment to compliance. Regulators don’t want firms to just pay the fine and continue what they’re doing. They expect to see accountability for and an end to violations. We’ve seen that reflected in the press with terminations; employees are losing their jobs for "not cooperating with compliance." In the future, accountability may even extend to leadership, and we may see senior executives being terminated for being too lenient with policy or neglecting to foster a culture of compliance.
2. With increased pressures to reduce costs, do all employees need to be monitored with such rigor?
Compliance programs are expensive. It takes a lot of time to monitor employee communications, and the supporting technologies can be expensive. If you’re issuing company phones, that alone is hundreds of dollars per employee. So, is it really necessary to monitor every employee – especially in a large bank, where you might be talking about hundreds of thousands of people – or is it smarter to limit monitoring to those who are required by regulation?
Obviously, we’re all facing cost constraints and you now need to do more with fewer resources. Many of our panelists have found that company issued phones aren’t cost effective, even for traders, so they definitely don’t feel that every employee should have one. But other panelists do think they make a difference, as discussed in our last roundtable, and depending on a cost/benefit analysis, might recommend issuing them firmwide.
Our panelists generally agreed that investment bankers and traders, should also always be closely monitored. But for all other employees, they felt it depends on each individual firm’s ongoing risk assessments and risk appetite. In other words, firms need to evaluate where there is potential in their organization for non-compliance, and put appropriate monitoring in place even if regulators don’t require it. Panelists also pointed out that surveillance depends on where a firm is doing business, as different regions have different privacy laws to abide by.
3. How are new technologies improving surveillance or saving resources?
As technologies advance and communications channels continue to increase, regulators will expect firms to improve their surveillance methods to keep up.
One way firms can augment their surveillance technologies is with AI and Natural Language Processing (NLP). These technologies help add context to communications, so that as records increase, compliance has a better idea of which ones to pay attention to.
AI can also help compliance teams monitor and analyze an employee’s habits. If a trader is doing a lot of deals, but doesn’t have many communications to support those deals, then they’re likely to be using off-channel communications. AI can flag this for compliance teams so that they know an investigation is needed.
Some of our panelists also talked about proprietary technologies they’ve built, or supplemental apps they’ve purchased, that make it possible for employees to use channels like WhatsApp in a firm-sponsored way. This empowers employees to deliver exceptional client service while remaining compliant and retaining the complete records that regulators expect to see.
Thanks very much to everyone who participated in our conversation. We all come from organizations with varying sizes and management structures, but it can be reassuring to hear that our peers are facing the same challenges, and eye-opening to learn how they handle them. We hope to hear from you at the next session!