Electronic recordkeeping continues to confound many companies, even as they struggle to comply with an increasingly demanding regulatory environment. New communications channels are only multiplying compliance risks, reinforcing the need for a comprehensive approach to electronic message compliance.

According to a survey conducted by Smarsh, a provider of e-mail archiving and compliance solutions, 79.6 percent of 223 corporate executives in the financial services industry ranked new and changing regulations as their top concern related to electronic message compliance. New communication channels (such as social media and text messaging) came in a close second, cited by 78.6 percent of respondents.

Their concerns are well-founded, as regulatory bodies like the Financial Industry Regulatory Authority make social media an area of heightened scrutiny in the examination process. FINRA guidance issued last year specifies not only that companies should have policies in place if they're going to use social networking Websites like Twitter, LinkedIn, and Facebook, but also that social media content be archived and audited.

In addition to the regulatory environment, the speed at which new social media platforms and devices emerge is presenting additional compliance burdens. “It really is a race against a constantly moving and evolving environment,” says Tom Caraher, vice president, LIMRA Regulatory Services Strategy Center, an association of insurance and financial services companies.

This wave of additional regulations, plus the emergence of social networks and mobile devices, has “ultimately translated into a huge burden for compliance departments,” says Steve Marsh, chief executive officer and founder of Smarsh. “It's a pretty complicated and challenging environment right now.”

Compliance executives in the financial services industry often struggle with a host of common questions: How much data do we need to keep? How long do we need to keep it? How do we get all that information, and store it somewhere without taking up a ton of space? “There is not really a whole lot of guidance around that,” says Erika Del Giudice, a risk manager at Crowe Horwath, an IT risk and public accounting firm.

One compliance officer at a financial services firm offers another explanation. “The rules are the rules, regardless of the form of communication. Granted, most of the rules were designed before the era of cloud computing when companies needed to run their own communications infrastructure,” says the executive. “Without the ability to control the infrastructure, any recordkeeping is at the whim of the service. Most have been resistant to allowing the kind of recordkeeping and supervision required in the financial services industry.”

Additionally, most financial firms are small shops that don't necessarily have sophisticated compliance departments, Marsh says, stressing that his survey represents “only a small fraction of the overall compliance picture.” In many cases, he adds, the founder of the firm is also the chief compliance officer trying to address these complex needs.

The study also showed that increased scrutiny and enforcement ranked as compliance officers' third-highest concern related to electronic message compliance, cited by 70.4 percent of respondents. Statistics displayed on FINRA's Website prove out those worries: FINRA performed 2,151 examinations and filed 1,310 new disciplinary actions in 2010, up from the 1,158 disciplinary actions filed in 2009.

Examiners' and auditors' requests are also becoming more sophisticated. “Overall, the examination process is getting a lot more difficult and a lot more intense as the examiners elevate their expectations,” Marsh says.

Historically, examiners only wanted to know that you had an archiving system in place. Now, financial firms must be able to show how they're protecting consumer data, that they have business continuity plans, and that they're archiving their messaging platforms.

According to firms audited in the last six months, auditors have requested not just electronic message data but also written supervisory procedures (78.1 percent), business continuity plans (71.9 percent), and more. Requests for supervision activity reports and company Website pages also increased 12.6 percent and 20.5 percent, respectively, for firms audited in the last six months versus those that were audited in 2009 or earlier.

“It's harder and harder for an organization to fake it,” Marsh says. “You can't just coast through an audit without being asked for all of those things.”

In February, FINRA's annual Regulatory and Examination Priorities letter to member firms made clear: “In 2011, firms can expect FINRA examiners to review supervisory systems and recordkeeping for electronic communications like social media.”

“So it's going to be increasingly important for compliance officers to use technology processes that make them more efficient and effective in their day-to-day reviews,” says Marsh.

Pre-emptive Measures

The survey results reveal that much work still needs to be done. Many executives in the financial services industry say they understand their obligations regarding electronic communications, but fewer actually practice compliance. “There is a big gap between what organizations are actually doing and what they should be doing,” Marsh says.

For example, 75 percent of respondents acknowledged their regulatory obligation to preserve and monitor social media communications, but only 42 percent had a policy in place and less than 32 percent actually retained and supervised those messages.

This gap between knowledge and actual practice is reflected in the executives' level of confidence. Eighty-seven percent said they were “mostly or completely confident” in their ability to provide requested e-mails within a reasonable time frame. In contrast, 46 percent had minimal or no confidence in their ability to provide requested social media and mobile messaging data. 

The survey identified a similar gap between e-mail and other message types when it comes to corporate policies. Seventy percent of respondents said their compliance policies address e-mail use for business purposes, but less than half have policies to address other forms of electronic communication, such as instant messaging (45 percent), text messaging (35 percent), LinkedIn (47 percent), Facebook (42 percent), and Twitter (34 percent).

Financial services experts say they, too, are observing this lackadaisical approach by the industry. “Many financial services companies have not addressed it proactively and have been laggard in terms of wanting to address it,” says Anthony Reid, a principal in the Forensic & Dispute Services practice of Deloitte Financial Advisory Services. “I think in many cases, they don't really know how, so they don't address it at all.”

Even if a company doesn't have all its practices thought out, it should at least implement a high-level policy objective for what social media activities are allowed and not allowed, “so that employees are not left in the dark or to their own devices to deal with it,” says Reid. For example, maybe they can use Facebook, but aren't allowed to endorse certain products.

“In creating those policies, employers should consider all different types of risks—such as information security risks, employment risks, and legal risks—and how they're going to mitigate those with the policies they are enforcing,” says Erika Del Giudice. They should also keep training and constantly reinforce those policies to their employees.

WHAT FINRA, SEC WANT

The following chart from the Smarsh report details the types of information survey respondents provided to FINRA and the SEC during a regulatory examination:

Source: Smarsh Electronic Communications Compliance Survey.

Once a company does implement a policy, it should then “proactively have a strategy to identify, preserve, manage, and, ultimately, collect and produce that information when it's needed,” Reid adds. This means working with IT, legal, and regulatory departments to have access to that information when necessary.

Fight the desire to not have a policy just because you don't believe it concerns your firm. “Whether you think you are involved in social media or not, chances are, you are,” says Caraher. Social media is such an open environment that an employee or associate can put you at risk without you even knowing about it, he says.

As executives continue to deal with social media, they are, at least, getting better at recognizing their weaknesses. “They're getting very smart, very quick,” Caraher says.

Nearly 70 percent of respondents said that in the past year they have increased the resources, both time and money, devoted to overseeing electronic communications-related compliance. In addition, nearly all respondents (98 percent) said they expect those resources to increase or stay the same in the next 12 months.

They also expect regulatory burdens and scrutiny to continue to increase. Says Reid: “I think it's going to be very difficult not only for financial services companies but other industries to continue to stay on top of this.”

“The environment on both sides is going to continue to intensify; regulators are not going to stop looking or expecting this technology to be supervised by the industry,” agrees Caraher. “This is not a time to have your head in the sand.”