Law firms and other organizations need to dramatically update their compliance functions around how they collect and report communications data coming from new tech like messaging and chat apps.
Modern unified communication (UC) tools have become a critical part of the communications infrastructure for many organizations. The use of Short Message Service (SMS), collaboration, and chat applications to conduct business is powering the work-from-anywhere era.
Yet, mistakes, data breaches, and data exposure tend to happen when people communicate and share information digitally, and firms need to make it as straightforward as possible for employees to leverage modern UC tools while remaining compliant and secure.
“Increased reliance on simple, easy-to-access but unauthorized chat and text platforms will pose a significant challenge for many types of entities operating in our markets. Internal compliance programs must adopt internal controls consistent with this new landscape. Firms must inculcate a culture of compliance at all levels of their organization to mitigate the risks associated with using unauthorized chat and text platforms.”
— Kristin N. Johnson, commissioner, US Commodity Futures Trading Commission (CFTC), September 2022
In its 4th annual survey report on modern communications compliance and security, security and compliance software firm Theta Lake highlights the complex challenges faced by those professionals tasked with maintaining compliance, security, and data privacy within firms and companies. The report is based on the views and experiences of more than 500 compliance and security professionals from the heavily regulated financial services, healthcare, and government sectors across the United States, the United Kingdom, and Canada. The report provides a snapshot of how communication platforms are being used and the issues with which organizations are struggling, and it can help organizations benchmark their own practices and expectations against those of the wider industry.
Heightened regulatory focus on modern communications
The survey findings come against the backdrop of fines of more than $2 billion already levied by the US Securities and Exchange Commission (SEC) and the CFTC for failures of organizations to capture, retain, and supervise communications. The situation underscores that a lack of visibility and oversight is one of the biggest risks faced by firms in a modern hybrid workplace. For example, the survey showed that two-thirds (66%) of financial services leaders believe employees are using unmonitored channels, posing heightened compliance and security risks.
“As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications.”
— Gary Gensler, chair, SEC, September 2022
The crackdown on non-compliant communications is the clearest indicator yet that regulators have lost patience with firms that have yet to address supervision and record-keeping risks that were exacerbated by the pandemic.
Attempts to offset these risks are made harder by the limitations of legacy supervision and archiving approaches, which also pose real risks and costs to businesses. As a case in point, 39% of survey respondents cited gaps in coverage as a top challenge with their existing archiving tools, while only 9% reported having no issues. Another 45% said they needed to be able to selectively archive written in-meeting communications like chat without having to record the video or audio. A mismatch between legacy tools built for email and today’s workplace, where 81% use chat and 63% use video equally or more than email, has created critical gaps in records. It has also put a spotlight on dated compliance tools that are unable to capture, retain, and supervise dynamic communications data.
“The time is now to bolster your record retention processes and to fix issues that could result in similar future misconduct by firm personnel.”
— Sanjay Wadhwa, senior associate director of enforcement, SEC, September 2022
As a result, organizations face growing challenges in enabling communications across the platforms that employees and customers use while deploying technologies to appropriately capture, retain, and supervise these interactions to meet regulatory obligations.
“The [survey report] findings show just how integral modern communication platforms have become in today’s workplace, but there’s a lot of catching up to do when it comes to the compliance and security tools currently being used. The more than $2 billion in fines is the biggest wake-up call yet that compliance and unified communications teams need to be in lockstep to ensure a comprehensive approach to record-keeping and supervision.”
— Stacey English, director of regulatory intelligence, Theta Lake
Proactive compliance needs modern tools
The views and experiences of survey participants highlighted numerous challenges that organizations need to overcome in order to stay safe and compliant in an increasingly complex communications environment.
Organizations are seeking specific capabilities in modern compliance tools, including the ability to capture contextual information such as reactions, emojis, GIFs, edits, or deletions as well as features like whiteboards. Tools also need proactive compliance functionality, including the capability to automatically post disclaimers and remove problematic content.
“Let me be clear here: I am talking about more than putting together a stock policy and giving a check-the-box training. This requires proactive compliance, and this type of approach has never been more important than today — a time of rapid and profound technological change.”
— Gurbir S. Grewal, director, SEC Division of Enforcement, October 2021
Unsurprisingly, the control environment across all organizations is varied and complex, as approaches evolve to meet the rapid and constantly changing nature of communications and regulatory expectations.
Some 66% of survey respondents in the financial services industry are using documented usage policies as controls, with 65% using internally built platform controls, and 62% using specialist software to enforce policies. Almost half (45%) of organizations take a more draconian approach, however, by disabling features to limit the risk of new channels. Perhaps not surprisingly, the most frequently disabled features are camera functionality, file sharing, and screen sharing.
In the short term, bans and blocks may work as a control. Given that the features being disabled are essential, however, it is only a matter of time before employees circumvent such policies — an observation reinforced by the recent regulatory enforcement action.
Organizations need modern compliance and security technology to give them the confidence and assurance to unlock the value of the platforms in which they have invested, rather than disable them, allowing staff and customers access to the features they want to use.