Regulators around the globe are taking a firm stance against off-channel communications. In the US, the SEC recently charged 26 firms over extensive record-keeping failures, resulting in around US$390 million in penalties. In the UK, the FCA has issued comparatively smaller fines, though the regulator is now calling on banks to report staff breaches of encrypted messaging policies. The move reveals the FCA’s intent to gain a much deeper understanding of how apps like WhatsApp, Signal, and Telegram are currently used within financial services.
Although other authorities in regions such as APAC have yet to explicitly address eComms controls and surveillance, the increased global focus is undoubtedly a sign of what is to come. There is also real value in “learning the lessons” from other regions’ enforcement actions and applying best practices now.
In reality, the need for effective electronic communications (eComms) controls and surveillance is more than a matter of complying with differing regulations per region. It is a more complex mix of preventative measures and identification of red flags. However, firms that achieve the right mix can significantly reduce the risk of severe operational, reputational, and fiduciary impacts.
A recent webinar shared key insights from MyComplianceOffice (MCO) and Wright Consulting & Coaching, delving into the challenges and practical solutions that firms can apply now. This article provides a quick overview of how firms can actively prevent unethical and unlawful communications while staying a step ahead of regulatory change.
Understanding Today’s eComms Challenges
A Changing Landscape
The eComms landscape has evolved rapidly in recent years. Flexible working arrangements and bring-your-own-device (BYOD) policies have created long-term impacts on surveillance.
We have also seen a proliferation of various comms channels, including email, instant messaging apps (e.g., WhatsApp, WeChat), video conferencing tools, and social media platforms.
Firms also face a balancing act of customer expectations and effective policy. It is not uncommon for customers to engage employees on personal numbers or messaging apps. Firms must then ask themselves: will the prohibition of certain eComms channels make it more difficult for employees to connect with clients—and potentially impact revenue?
Amid more flexible, BYOD-normative workplaces and the rapid rise in popularity of instant messaging and social media messaging, firms must take a considered approach. Even more importantly, they must remain nimble and stay ahead of trends to maintain oversight and set relevant policies.
The Data Volume Challenge
Financial firms can grapple with an overwhelming volume of data from diverse eComms channels. APAC Director at MCO Kelly-Ann McHugh notes, “The most reported challenge revolves around data—so different items of data across different channels being the largest challenge that these firms were facing.”
Handling these data volumes across disparate communication channels, including email, social media, and instant messaging platforms, is a significant challenge for firms.
Language and Context Complexity
Language diversity in global communications adds further complexity. Senior Solution Sales Consultant at MCO Benjamin Frenette explains that only 18% of surveyed firms support 10 or more languages, while the average surveillance team spends 81% of its time reviewing alerts. See the 1LoD report for more detail about the state of surveillance. These eye-opening figures highlight the industry-wide challenge to accurately monitor a wider range of languages and dialects.
“There’s definitely a global need in regards to supporting all languages, not just the Latin-based languages that are very prevalent here in the US or in the UK, but also character-based languages that we see in the APAC and EMEA region,” points out Frenette. This need is especially pronounced in APAC, where language switching, such as Singlish, a Singaporean English creole spoken natively in Singapore, creates unique roadblocks to effective surveillance.
The Regulatory Perspective: A Global Approach to Compliance
In discussing global regulations, McHugh highlights recent enforcement actions by the SEC, FCA, and APAC regulators. Regulatory bodies are increasingly scrutinising how firms actively monitor and store eComms while taking steps to prevent off-channel comms. The SEC, for example, has imposed hefty fines, totalling US$390 million, specifically for record-keeping failures. Emily Wright, Independent Coach and Consultant at Wright Consulting, stresses the value of adopting a global compliance approach: “If you can take somebody else’s enforcement action and apply the best practice outcomes to that in your own institution, then obviously you’re ahead of the game.”
The key takeaway is that such proactive measures can help mitigate risks long before they become regulatory issues.
Wright further explains that, while APAC’s regulatory approach differs from other jurisdictions, there are valuable lessons to be leveraged. “These are global markets with relatively consistent global expectations. Even though there are significant differences in the way the regulations might be drafted or enforced, you can really draw from those general principles of what best practice looks like,” she notes, emphasising the need to establish high compliance standards across all jurisdictions in which a firm operates.
The notion of applying best practices is particularly important for firms with cross-border operations. Firms need to apply a consistent standard across global operations, which may include the lessons learned from enforcements and regulatory developments across the US, UK, EU, or APAC.
Local Developments: ASIC Releases Information Sheet 283
In Australia, ASIC recently released Information Sheet 283 with critical guidance around firms supervising their representatives’ business communications. The regulator cites “concerns that the use of unmonitored communication channels and encrypted communication applications in business communications can significantly increase the risk of misconduct going undetected.”
ASIC expects market intermediaries to take reasonable steps (in line with the potential harms from misconduct) to actively monitor and store business communications in keeping with their obligations.
While the regulator’s focus leans towards reducing the risk of misconduct occurring, preventing and detecting the unethical communications that lead to misconduct is also of high importance.
Governance and Policy Foundations
The Role of Policies and Risk Assessments
A foundational risk assessment is a vital first step in developing robust controls and surveillance policies. This assessment ensures alignment with your firm’s unique risks and requirements.
Before defining surveillance policies and procedures, it is good practice to start with a comprehensive risk assessment. “From a policies and procedures perspective, my advice and certainly my strategy is always to start with a risk assessment. So you want to understand the business and where the risks sit and then build the program to detect the risks,” says Wright.
Firms should prioritise high-risk areas and determine which channels need the most stringent monitoring.
Clear policies around approved and unapproved channels are also essential. By delineating which channels are permitted for business use and ensuring that unauthorised channels are restricted, firms can significantly reduce the volume of false positives and irrelevant alerts.
The Importance of Employee Training and Attestations
Employee training and attestations are key components of preventative controls. Frenette underscores the value of regular employee attestations to reinforce policy compliance. He also highlights how continuous policy attestations can “validate employees’ understanding of compliance protocols, ensuring a documented audit trail for regulatory audits.” RegTech solutions like MCO’s Know Your Employee (KYE) module enable firms to implement ongoing attestations and training.
Balancing Data Privacy with Surveillance Obligations
Firms face yet another balancing act between data privacy requirements, such as GDPR in the EU and PDPA in Singapore, and eComms surveillance requirements. What can firms do to get that balance right? They should be diligent in ensuring compliance data does not include unauthorised personal information while maintaining transparency with employees as to what is considered surveillable data. “It’s important to ensure total transparency, as many employee contracts clearly state that if you’re doing something on work systems, it’s really not your data,” Wright explains.
For global firms, this often means adopting data-handling measures that filter sensitive personal data while retaining necessary compliance information. It is also advisable to incorporate data privacy provisions into your firm’s policies and training. By doing so, employees gain greater clarity over what is deemed personal or business data.
How Technology Can Help
Frenette underlines several advancements in surveillance technology that can lighten the load on compliance teams. “Firms are looking for key features along the lines of intelligent deduplication, message threading, and efficient review processes,” he notes. By threading messages and applying AI-based analysis, systems can now consolidate alerts related to the same conversation, providing a clearer narrative for surveillance teams. Solutions like MCO’s eComms Review help teams understand the full context of conversations, even when messages first appear disparate because a conversation was resumed at several points throughout the day.
Frenette also details how modern eComms tools are fully equipped to detect subtle language cues. MCO’s ability to differentiate between phrases like “Let’s take this offline as I have to go pick up my kid from school” and “Let’s take this offline to avoid Big Brother” demonstrates how technology can identify potential compliance issues without flagging benign communications.
Implementing Technology to Support Compliance Goals
Evaluating Technology Vendors
For firms looking to enhance their eComms compliance programs, selecting the right technology is crucial. Frenette advises that firms should choose integrated solutions that combine archiving and surveillance capabilities. A unified system can further streamline alert management and provide holistic data visibility. “Selecting a vendor that specialises in both archiving and surveillance saves time and improves oversight,” he notes, stressing that a single platform can enhance efficiency and drive better outcomes.
Harnessing the Risk Management Power of AI
AI plays a truly transformative role in modern eComms surveillance. In particular, RegTech solutions that incorporate machine learning (ML) and natural language processing (NLP) can underpin an effective risk management strategy. Frenette suggests that “AI-driven tools offer dynamic risk identification, with capabilities that improve over time as models learn from new data.”
AI holds significant potential to reduce false positives and free up surveillance resources, using an approach that becomes even more valuable as the system identifies additional risks.
Your Practical Guidance Recap
In light of the webinar discussions, compliance teams can take several practical steps to optimise their eComms surveillance approach:
- Conduct regular risk assessments: Begin by assessing which communication channels pose the highest risks and adjust surveillance policies accordingly.
- Establish clear policies and controls: Clearly outline approved communication channels, develop blocking measures for unapproved platforms, and incorporate regular policy attestations.
- Invest in scalable and configurable technology: Look for tools that support dynamic surveillance needs, offer extensive channel coverage, and are backed by AI for enhanced risk detection.
- Prioritise employee awareness and buy-in: Ensure employees understand surveillance policies, data privacy obligations, and the importance of using authorised channels.
- Adopt a proactive approach to regulatory changes: Utilise horizon scanning tools to stay updated on global regulatory developments, particularly for firms operating across jurisdictions.
Staying a Step Ahead
By investing in AI-driven tools, prioritising risk-based policy development, and fostering employee awareness, firms can build a more resilient compliance framework. Solutions like the MCO suite of compliance management technology, including eComms Archive, eComms Review, Employee attestations, and Regulatory Change Manager with Horizon Scanning, offer surveillance and compliance teams the tools to manage current and future challenges more effectively.
With the right mix of tech, employee engagement, and governance, financial firms can achieve a robust eComms surveillance program that not only meets global regulatory standards today—but also stays a step ahead of local and global regulatory change.