A new use case in the annual refresh of Cisco Portfolio Explorer for financial services is e-communication compliance. This hot-button issue seems to be in the news almost weekly. Financial institutions, mainly Wall Street firms, have been heavily fined for using unauthorized communication channels and not recording these communications.
The punitive financial damage to these Wall Street firms so far has been over $2.5 billion. More fines are likely to come, and to a wider base of financial institutions, as regulatory bodies are just getting started with enforcement in this age of hybrid work and a plethora of communication channels.
Communication compliance regulations
Compliance requirements for communications in financial services have always been very strict, and in certain sub-verticals such as capital markets, trading and investing, and insurance they are even stricter. Fast forward to today, and the financial services sector faces more regulations than ever. This is due to different regulatory bodies but also district, state, national, zonal and even industry agencies. With the vast array of digital communication channels (mobile phones, text and chat, video, social media), it is overwhelming.
The most common compliance laws fall into two camps:
- Surveillance and supervision. These laws govern internal policies, review, audit trail, retention and internal monitoring.
- Digital communications. These deal with content, audiences and communication channels.
The main U.S. laws that impact financial services are:
- Securities & Exchange Act, Rule 17a-4(b)(4). This law requires broker-dealers to keep the originals of all the communications they receive. They must also keep copies of all communications they send that are related to “business as such” for at least three years. The first two years of these records must be kept easily accessible. Updated Rule 17a-4 requires firms to retain and preserve all transactions and official business records, which includes all communications. These electronic records must be stored in a secure, non-erasable place.
- Commodities Futures Trading Commission, CFTC SEA 15 F (g) (1). For the trading of commodity futures, broker-dealers must keep all daily trading communications related to security-based swaps, including email, instant messages, phone calls and social media. All regulated records must be kept for the period required by the commission.
- FINRA Notice 10-06. This law requires firms to adopt policies and procedures to ensure that people who communicate for business via social channels are properly supervised. Anyone communicating through these channels must also be provided with training. And they must not put investors at risk.
- FINRA Notice 07-59. Similar to 10-06, this notice provides additional guidance on reviewing and supervising electronic communications.
The SEC and FINRA are serious about enforcement. Noncompliance has led to fines and brand damage. While the actions were caused by broker-dealers and investment advisers who kept poor records and used unapproved tools, the institutions were unable to record and preserve their messages.
The cause is usually not a lack of internal controls, company policies, or related training; most often it is unauthorized use by employees. Unfortunately, the companies are then at fault and liable for the fines. Not all companies are standing by.
An American investment firm has taken action against its own employees in the form of claw backs. They held training sessions explaining when bankers should move communication from personal devices to company communication channels, and instituted a penalty system. Penalties are scored according to a points system that considers the number of messages sent, the banker’s seniority, and whether they received prior warnings. When warranted, they either claw back funds from previous bonuses or deduct money from future pay—with a few penalties approaching seven figures.
Sometimes claw backs aren’t enough, and losing one’s job is a possibility for breaking compliance rules and putting the institution at risk. Another large investment bank fired its transaction banking executives, including the head of a business unit, over compliance lapses. Correspondingly, they terminated several leaders from this unit who communicated on unauthorized channels and didn’t comply with an internal review. A handful of companies have fired some of their top commodities traders over their use of personal apps.
Fines are spreading
It was once thought that the administration of fines would be limited only to financial regulators or just in the United States, but that has not proven to be the case. Ofgem, the U.K.’s energy regulator, fined an American investment firm £5.4M ($6.9M) due to communications on energy market transactions made by wholesale traders on privately owned phones in a breach of rules designed to protect consumers, ensure market transparency, and prevent insider trading.
This fine and the source of the penalty may send “shock waves” through the banking industry, Rob Mason, the director of regulatory intelligence at Global Relay, told Bloomberg. “It puts firms on warning that it’s not just the financial regulators they need to be wary of,” said Mason. The energy traders discussed transactions over WhatsApp on privately owned phones between January 2018 and March 2020, and the bank failed to record and save those communications.
Compliance laws for digital communications are complex and constantly changing. To stay compliant, consider adopting these best practices:
- Determine which laws are relevant to your organization
- Have a clear understanding of how those laws are evolving
- Hire compliance officers or consultants to help you understand how those laws impact your management of digital communications
- Evaluate your enterprise compliance solution with all stakeholders to see if it meets compliance requirements for all your communications channels
- Review corporate policies and procedures for the use of communication devices and platforms, including “bring your own device” (BYOD)
- Implement and review employee compliance training programs
In reality, one of the most effective ways financial institutions can safeguard themselves is by training employees to never use their personal devices for business. Taking that a step further, one European bank has recently started disabling text capabilities on company-issued phones.
We’ll likely see more regulators in the United States and abroad focus on both global financial services and smaller institutions. Regulators will probably increase fines for repeat violators and cite more instances of “failure to supervise” as well.
So how do companies strike the right balance between securing communications and allowing convenience? Implementing some of the best practices mentioned above and finding a partner that can help you comply with laws related to recording and recordkeeping is an important next step in the process.
Cisco can help
Cloud calling allows institutions to move their phone systems to the cloud, enabling users to access their phone system from anywhere, on any device, and eliminating the need for on-premises physical infrastructure. With Cisco Cloud Calling, gain flexibility, scalability, and cost savings while preserving key features such as call recording, call forwarding, voicemail transcription, and analytics. It helps businesses streamline their communication infrastructure, reduce costs, and enhance productivity across their workforce.
Cisco Cloud Calling can now take your business calling and collaborative experiences on the go with Webex Go with AT&T. This joint partnership extends Webex Calling capabilities to AT&T-provided data plans and mobile phones via a single business phone number that becomes your identity for all your phone and messaging communications.
Pairing with Theta Lake, a leading provider of compliance and risk management solutions for video and audio communication, is a great next step. Their AI-powered platform helps financial institutions automatically detect and mitigate risks in their communications. Theta Lake’s technology focuses on areas like data loss prevention, regulatory compliance, and surveillance, enabling institutions to streamline their compliance processes and ensure secure and compliant communication across all channels.
Cisco Webex Connect, a centralized, enterprise-grade CPaaS platform, helps you deliver richer customer experiences across numerous digital communication channels. It includes a flexible integration framework that lets you connect the information in your backend systems with digital channels such as WhatsApp, SMS, email and more. Integrating with Webex Connect, you can easily access and apply the data you need to trigger contextual interactions across the customer journey.