Almost half of financial firms reported being examined by regulators in the last 12 months, according to Smarsh’s 2017 Electronic Communications Compliance Survey, and examiners are looking more closely at firms’ communications.
However, although firms have increased their efforts to meet compliance requirements regarding electronic communications with clients, significant gaps remain, the report found.
(Related: Staying Out of the Technology Penalty Box)
After jumping from 27% to 42% last year, the percentage of firms that reported being visited by an examiner in the last 12 months rose to 47% in 2017.
Email was the most requested type of communication from examiners, the survey found, but over half of respondents to Smarsh’s survey said examiners requested website pages.
Social media communications are increasingly more likely to be on examiners’ radar. Just 19% of respondents said examiners requested social media communications. Requests have increased and gotten more specific. In 2017, 44% of respondents said they’d been asked for LinkedIn communications, 27% for Facebook and 21% for Twitter. Six percent of respondents said they’d even been asked for Instagram communications.
Written supervisory procedures are the most commonly requested type of documentation, up 30% over last year. The survey found 58% of respondents said they were asked to provide proof of supervision of electronic communication, up 25%.
Smarsh found that since 2016, the percentage of firms that have archiving or supervising solutions in place for their LinkedIn communications and corporate instant messaging system has increased 35%. Text message supervision has increased 28% and Facebook supervision increased 26%.
“Given the growing breadth, depth and frequency of exams, it is unsurprising that increased scrutiny/enforcement by regulators is a concern for 44% of respondents,” according to the report.
However, 30% of firms in 2017 said they still don’t have monitoring solutions in place for LinkedIn. A third of respondents said they aren’t monitoring Facebook and 48% have no system in place to archive or supervise text communications.
Over three-quarters of firms have a solution in place to monitor their corporate IM communications, but just 60% are monitoring public IMs.
“Even when supervision is happening, compliance teams must decide where and how to best allocate their finite resources to efficiently and effectively identify and address non-compliant communications and other actions that pose risks to their firms,” according to the report.
Monitoring non-email communications like social media and texting was the biggest challenge that the survey identified. Mobile communications and keeping up with regulations tied to round out the top three concerns of compliance professionals.
FINRA issued guidance in May to help broker-dealers stay in compliance regarding social media and digital communications use. The guidance, issued as a Q&A, clarifies that text messages and IMs related to a firm’s business must be retained just like social media communications.
The Smarsh report found that texting is the most requested channel for business communications, with 42% of firms noting their employees have asked to use texting for business purposes.
“It’s no longer realistic for a firm to believe that its employees don’t use text messaging to communicate with clients. Text messaging continues to surface on FINRA’s enforcement radar,” according to the report.
Most worrying is that over a third of firms that have prohibited their employees from texting about the business have “no or minimal confidence that they could prove that their prohibition is working.”
In December 2016, FINRA fined 12 firms more than $14 million for failing to retain electronic communications, including a $1.5 million fine for SunTrust, which had prohibition policy in place.
The prevalence of smartphones makes it more difficult to monitor employees’ communications for compliance, but firms could be doing more. Almost half of firms allow workers to use personal and corporate-issued devices, while 35% don’t even bother issuing a corporate device.
“With more than eighty percent (83 percent) of firms allowing employees to use personal devices for business communications, the supervision ramifications of bring-your-own-device (BYOD) are a reality for most compliance professionals,” the report noted.
Firms could adopt a Choose Your Own Device (CYOD) or Corporate-Owned Personally Enabled (COPE) strategy to retain more control over the type of communications made by employees about the business. Smarsh noted in a white paper, "5 Steps to Eradicate Text Messaging Risk," that a CYOD scheme can help reduce hardware costs by limiting the types of approved devices and the IT support needed, although it can be slow to deploy across the organization and employees may not be happy about the limited choices, especially if they have to pay for the device.
“CYOD provides more latitude for compliance and legal teams to govern data, and apply more policies and technical controls to ensure proper handling of text messages. CYOD also provides other security options for organizations that are concerned about potential BYOD ramifications, which is a key reason CYOD continues to receive attention,” Smarsh wrote.
A COPE strategy keeps ownership of employees’ devices with the organization but allows workers to make personal communications on them. It also requires firms to do more to keep up with mobile technology, but from a compliance perspective, “monitoring and archiving policies for electronic communications, including text messages, are easier to put in place and supervise with COPE.”
--- Read Connected Capital: Financial Services in an Always-On World on ThinkAdvisor.