Small- and medium-sized wealth management firms might be tempted to think that the $1.8 billion in fines recently handed out by the SEC are related to issues that don’t concern them. After all, what does the misuse of WhatsApp at publicly traded banks have to do with a regional broker/dealer or a one-office RIA?
In the eyes of the regulators, the answer is “everything.”
Nowhere to Hide
The reality is that millions of people worldwide use messaging and social apps every day to communicate with friends, colleagues and business associates. That includes financial professionals and their clients.
Can firms effectively prohibit certain apps? Sure. But that isn’t realistic, given how prevalent some have become. What’s more, it could be counterproductive: a move like that is prone to make attracting top talent and winning new business more difficult. Beyond that, many will simply find a workaround, choosing to conduct business on their personal devices, as the SEC fines prove.
All of this seems to suggest that nipping this issue in the bud comes down to investing in technology capable of monitoring and keeping records of digital communications. And, to some degree, that’s correct.
But just having technology isn’t enough. It must be the right technology. Equally important, however, are your processes, procedures, training and attestations. Here is how to protect your firm today.
Building a software or services solution that can integrate seamlessly with each approved app is a complex process for even the most experienced regulation technology expert. For financial firms, it’s a near-impossible task. This isn’t their core competency and trying to take this on internally is likely only to result in costly errors and a host of inefficiencies.
Instead, firms need a third-party platform customized to deliver solutions unique to this industry. Yet being able to capture digital communications directly from native apps across the enterprise is just the start.
Firms must also store those communications with high fidelity, allowing the reviewer to consider the context behind each message. The more advanced systems take the added step of harnessing machine learning and advanced analytics to solve this problem.
Deciding which apps to allow and which to prohibit is a crucial, ongoing part of this process. Generally, frontline personnel at a financial firm will ask for access to a specific app. Then, management must do a benefit-risk analysis.
Whatever firms decide on an app-by-app basis is up to them. The important thing is to outline policies that stipulate what is permissible and what is not, along with what workers can and cannot do on personal devices.
The next step is determining how employees and affiliated financial professionals use apps. For instance, management may bless the enterprise version of an app or, in some cases, approve a select number of features within one. In the spirit of trust but verify, firms must know if staff stays within the guidelines, which can prove especially difficult with apps unveiling upgraded versions/features several times a year.
Firms should require workers to read and sign documentation verifying that they are not using unapproved devices, apps or app features to communicate about business. If workers reveal they have, firms need to review and retain that information immediately.
Additionally, it’s critical to have supervisory monitoring policies that reflect that the use of unofficial communications tools is not limited to regulated users. The SEC considers senior executives, compliance staff and everyone else across the business as an information risk as well.
Meanwhile, it’s still far too common for firms to utilize an outdated lexicon or a small subset of keywords when scouring work-related digital communications for potential red flags. Phrases and acronyms change over time, and terminology or communication styles can vary depending on the app. For help, supervisors can consult what is often their best resource: the staff. Ask younger workers, or even clients, about this to discover what’s new and relevant.
All financial firms, from RIAs to broker/dealers to banks, have communications compliance gaps. The only question is the extent of those gaps.
Firms, therefore, must identify the tools their workers and clients are using today, assess current compliance controls and recognize where discrepancies exist—and then implement the best technological capabilities, compliance processes and supervision methods for their businesses. It’s the only way to approach today’s digitally dominated age of communication and live to tell about it.
Robert Cruz is vice president of information governance at Smarsh, the global technology leader in digital communications intelligence and compliance.