The recent surge in regulatory fines combined with increasing reliance on digital communication channels, such as email, instant messaging platforms, and social media, have converged to make electronic communications (“E-Comms”) a critical and often times lagging piece of the compliance control framework for financial institutions. There is significant regulatory pressure on firms to effectively monitor and regulate these channels to ensure compliance with industry regulations. The increased regulatory expectation is complicated by the common use of non-approved or off-channel means of communication by firm employees.
Recent years have seen a surge in regulatory fines imposed (over $1 billion since 2021 in the US alone) on financial services firms for inadequate electronic communication surveillance. These fines are often a result of non-compliance with the books and records requirements imposed by the SEC, CFTC in the US and the FCA in the UK. They further emphasize the need for E-Comms data collection, retention and robust surveillance systems to prevent market abuse and manipulation. In this environment, firms must understand the regulatory landscape and implement comprehensive surveillance programs to avoid costly penalties and reputational damage.
To mitigate risks, financial services firms are increasingly establishing more prescriptive policies and procedures for electronic communication surveillance. These uplifted policies generally cover data retention, archiving, monitoring, and review processes. By implementing well-defined policies, firms help ensure that employees know their responsibilities and the consequences of using off-channel communication methods. Regularly updating these policies in line with changing regulatory requirements is essential to maintaining a strong surveillance framework.
Employee attestation plays a critical role in electronic communication surveillance. Firms are now implementing processes to ensure employees acknowledge and understand their obligations regarding communication monitoring and compliance. This includes obtaining explicit consent for monitoring activities, raising awareness about the acceptable use of communication channels, and educating employees about the risks and consequences associated with non-compliance. Robust training and attestation procedures serve as further evidence of the firm’s commitment to regulatory compliance.
Even with clear policies and procedures and employee attestations, the rise in the use of non-approved communication channels, such as WhatsApp, poses significant challenges for financial services firms. These platforms may lack the necessary security features and archival capabilities required for compliance. Firms must take proactive measures to address the use of such channels by educating employees, implementing technology solutions that detect unauthorized usage, and enforcing appropriate disciplinary actions for non-compliance. Clear communication about the approved channels and their importance is crucial in mitigating risks associated with non-compliant communication.
While emerging technologies like AI and ML offer immense potential for improving electronic communication surveillance, they also introduce new risks. As a threshold matter, firms that have yet to implement comprehensive data retention mechanisms could be distracted from the promise of AI systems even though they cannot yet benefit from these solutions. For mature firms, AI and ML systems can automate the detection of suspicious patterns, enabling firms to identify potential compliance breaches more effectively. However, the complexity of these technologies requires careful consideration of biases, false positives, and false negatives. Firms must invest in robust training and validation processes to ensure accurate results and minimize the risk of regulatory breaches.
Effectively explaining the intricacies of AI and ML technologies to auditors and regulators is also crucial for financial services firms. Clear documentation on the design, implementation, and validation of the surveillance systems is necessary to demonstrate compliance. Firms should maintain transparent communication channels with regulators, providing regular updates on technology enhancements, risk management strategies, and ongoing monitoring processes. This collaboration fosters trust and helps regulators gain a deeper understanding of how technology is being leveraged to ensure compliance.
Electronic communication surveillance in financial services firms is a complex and evolving area. Recent regulatory fines highlight the importance of proactive compliance measures, robust policies and procedures, employee attestation requirements, and mitigating the risks associated with non-approved channels. While emerging technologies like AI and ML offer immense potential, firms must first focus on collecting all E-Comms data and eliminating off-channel communications before they can benefit from these new technologies. AI and ML also introduce new challenges that firms must address through careful training and validation processes. By effectively explaining these technologies to auditors and regulators, financial services firms can foster trust and maintain compliance in an increasingly digitized business environment.
