The Global GRC Risks of Unauthorized Business Communication Channels
Communication has always been integral to the investment world and, as technology evolves and expands, the need for adequate and equally evolved surveillance mechanisms has grown. More widespread use of mobile apps and communication tools such as WhatsApp became increasingly prevalent during the various COVID lockdowns as professionals sought to maintain connection with one another. Habits are quickly formed, and so convenient mobile app usage has become an integrated part of work communications.
The Financial Conduct Authority (“FCA”) in the U.K. openly noted the challenges for authorised firms to maintain surveilled and recorded methods of communication during lockdowns; they provided relief from the requirements for transactions to be conducted on a recorded medium, provided contemporaneous notes were taken at the time that could be maintained. This relief has now passed as firms adapted to and adopted varieties of hybrid working models.
In the U.S., scrutiny of this area by the Securities and Exchange Commission (“SEC”) has fast evolved. It has grown from the investment banking world to include investment advisors in Q1 2021, incorporating information requests into wider scope examinations alongside one-off type examinations.
In August of this year, following these examinations and the gathering of data, the SEC took one of its first enforcement actions against a private fund manager and its founder for various alleged failures in this area. This enforcement action, which involved a comprehensive corrective-action plan, draws sharp focus on why managing risk in this area is essential and using comprehensive and cutting-edge Regulatory Technology (RegTech) software tools more and more critical.
The SEC alleged that even though the private fund manager’s compliance manual restricted business communications to firm-provided email accounts and certain messaging platforms (like Microsoft Teams and Bloomberg Chat), multiple personnel (including the founder) communicated via various mobile apps on personal devices (such as iMessage and WhatsApp) that were neither authorized nor archived. These communications included recommendations and advice made for clients, the movement of client funds, and securities sale and purchase orders.
The SEC further alleged that restrictions in the compliance manual relating to permissible business communication channels (and related record-keeping requirements under the Investment Advisers Act) were not enforced. Additionally, the SEC alleged that by not updating its compliance manual to permit and archive business communications through the above-mentioned additional channels, the fund manager violated the Investment Advisers Act’s requirement to adopt and implement an adequately tailored compliance program. Further, apart from not producing any text messages in response to an SEC staff’s investigative subpoena — before the fund manager was made aware of the SEC investigation — the founder, on multiple occasions, allegedly instructed at least one officer of the fund manager to delete all text messages.
SEC-Stipulated Corrective Action Plan
Perhaps even more noteworthy than the SEC’s allegations is the corrective action plan that the fund manager and its founder had to agree to. This plan (described below) indicates the expectations the SEC has for private fund managers to manage these risks and forms solid actionable takeaways.
Under the SEC-mandated corrective action plan, the private fund manager in question is required to retain an independent compliance consulting firm to assist it with the following tasks:
- A review of the private fund manager’s surveillance, compliance, and archiving policies and procedures (and employee training) designed to ensure that its electronic communications, including those conducted via mobile apps on personal devices, are conducted in accordance with applicable regulatory requirements. A review of employee certifications as to compliance with the foregoing policies and procedures to ensure these are being submitted quarterly.
- An assessment of the technological solutions that the private fund manager has begun implementing to assist with the above tasks, including an assessment of the likelihood that employees will use such technological solutions going forward. A review of the measures employed by the private fund manager to track employee usage of new technological solutions.
- A review of the private fund manager’s electronic communications reviews to ensure that they are covering business communications undertaken via mobile apps.
- An assessment of the steps taken by the private fund manager to prevent the use of unauthorized communications channels for business communications.
- A review of the framework adopted by the private fund manager to address instances of non-compliance by employees with the foregoing policies and procedures. This review should include corrective action taken in instances of non-compliance, an evaluation of who violated policies and why, what penalties (if any) were imposed, and whether penalties were handed out consistently across business lines and seniority levels.
FCA overview and considerations
Following the $1.1bn fines issued by the SEC to 16 banks, the FCA appears to be focusing on the usage of WhatsApp across the market. In early October, the FCA confirmed it had begun holding discussions with several authorised and regulated firms on the topic of personal device usage for business purposes. The FCA was then still at a “supervisory” stage and recent economic events may well have resulted in a shuffling of priorities for the regulator. It should be noted though that the FCA had warned authorised firms of the need for electronic communications to be recorded and auditable prior to confirmation that discussions had commenced.
It is not unusual to see the UK regulator take this approach. Often supervisory conversations with certain institutions are used as an indication to the wider market as to where the focus of the FCA may be at a given time. The FCA repeatedly states that firms must implement surveillance tools and mechanisms that are tailored to their structure and business, and that a simple “plug and play” solution may not be appropriate. Although ostensibly discussing market abuse surveillance systems, it is not hard to read these warnings across all types of solutions.
What steps can firms take?
The SEC-mandated corrective plan discussed above obviously gives clear immediate steps for firms, irrespective of the regulator. The initial (and natural) reaction to such regulatory scrutiny may be to aggressively clamp down on employees’ use of various electronic communication channels and monitor them for violations. However, it is worth reflecting that such an approach is increasingly becoming antiquated and unlikely to manage risk effectively in the longer term because:
- the use of non-email-based apps for business communications has significantly increased across the investment management industry. Reversing course appears futile.
- the ability to archive non-email communication channels has significantly expanded over the past several years. Many private market fund managers’ policies restricting business communications exclusively to firm-provided email accounts were often drafted when archiving capabilities were quite different from what they are today.
As such, private fund managers may wish to re-visit their historic policies by:
- Comprehensively polling their employees on which apps they and their industry contacts use to conduct business
- Working with their archiving vendors to determine if communications via these apps can be archived
As an example, numerous managers became comfortable with employees using Microsoft Teams’ chat feature to correspond internally on business matters and discovered they can (and are) effectively archiving these communications.
Further, as evidenced by recent regulatory scrutiny, it has become increasingly critical to supplement old school electronic communication reviews with machine learning based holistic surveillance tech tools. These tools combine behavioral and natural language processing (NLP) machine learning algorithms to detect potential inappropriate employee behavior early in an effort to prevent (or at least minimize) damage.
These tools can holistically integrate surveillance of business communications across all apps into a single unified view so communications can be understood in context, detecting risky behavior patterns more readily, irrespective of what apps are used or even how these apps are accessed (e.g., via firm-provided desktops/other devices or personal hand-held devices). This is a significant advantage over “reviewing” communications app-by-app in isolation.
Additionally, with the increasing adoption of Bring Your Own Device (BYOD) programs, firms should have enterprise-level technological controls on both firm-issued and personal handheld devices. This helps prevent employees from inappropriately copying, downloading or otherwise moving sensitive work-related data from work accounts set up in applications used to conduct business.
Finally, employees should be reminded that to the extent they receive or initiate communications through unauthorized electronic communication channels (whether via their personal devices or firm-issued devices), these communications should not be deleted without the prior approval of their compliance departments. Instead, they should be forwarded to their firm-provided email or firm-approved communication channels that are subject to archiving. This latter step will ensure these business communications are archived.
The modern technological world is evolving rapidly with different communications options being adopted and discarded seemingly at the drop of a hat. While the various regulators fight to catch up and maintain pace with the market, it is essential that firms implement appropriately sophisticated and targeted solutions to embrace this technological evolution. As former U.S. Deputy Attorney General Paul McNulty famously stated; “If you think compliance is expensive, try non-compliance.”
How we help
Employees’ increasing use of electronic platforms like Teams, Zoom, Slack, WhatsApp, and WeChat to communicate with colleagues and clients can lead to increased conduct risks at your firm. We have multiple options to help your firm detect and mitigate these risks effectively and efficiently to protect your business.
Technology: ACA’s eComms Surveillance Solution is an integrated natural language processing surveillance and investigations platform that ingests eComms, messaging, mobile traffic, and voice calls to provide firms with a complete view of potential high-risk activities and behavior across their organization. By reducing false positives and delivering more precise, meaningful alerts, our solution increases the effectiveness and efficiency of an eComms surveillance operation while reducing the time needed for teams to review electronic and voice communications. Our intuitive interface allows end users to focus on reviewing results and addressing risks.
Managed Services: We specialize in conducting risk-based reviews of eComms to help firms meet their regulatory obligations and assist with identifying the effectiveness of existing trainings, policies, and procedures. Analysts conduct eComms reviews at a determined regular cadence via Boolean methodology and our proprietary lexicon in any archival platform our clients utilize. This service is suitable for all archived messaging platforms and can include email, messaging, and voice recording reviews.
Clients looking for the optimal best practice and investment in risk mitigation will benefit further with our combined managed services and eComms Surveillance RegTech Solution in our ACA ComplianceAlpha® platform.
If you have any questions or would like to discuss how ACA can help your firm strengthen its surveillance program, increase efficiencies through technology, and ensure that your regulatory obligations are met, please reach out to your ACA consultant or contact us here.