Clipping the Ticket – A Failure to Capture Communications Costing Banks

By Paul Cottee, SME, Financial Markets Compliance, NICE Actimize

 

Since December last year, three major global investment banks have paid out, or provisioned for, regulatory fines for failing to properly monitor employees’ conversations with clients. Interestingly, the fines and provisions have all been for the same amount: $200 million, although the split between the Securities and Exchange Commission (SEC) and the Commodities Futures Trading Commission (CFTC) varies from bank to bank.

So what are these banks doing wrong? In announcing one of the fines, the SEC pointed to violations of books and records preservation requirements under the Securities and Exchange Act, and also to the bank's failure to reasonably supervise its employees so as to detect or prevent further violations of these rules. Similar provisions under the Commodity Exchange Act (1936) were mentioned in the CFTC’s Order as having been violated. But what exactly do these rules address?

Communications on Personal Devices


These SEC and CFTC Rules require banks and brokers to capture and retain communications related to their business, including sales and trading-related communications, and be able to show these to regulators if needed. In this case, bank employees had communicated with clients on their personal devices, which were not being captured for preservation and potential surveillance. Going further, not only did the bank fail to capture, record and retain business-related communications made by employees, it also failed to take reasonable steps to ensure that staff were making business-related communications only over registered and monitored devices and applications.

In a way, these fines give the banks a degree of cover against stakeholder pushback. Fines of $200m are sufficient to show that these are serious offenses, but they are unlikely to have an impact on the banks’ long-term profitability or balance sheets. They do, however, give the banks’ compliance departments ammunition to change employees’ behavior by demanding certain measures of them. These measures could include:

  • Banning business-related communications with clients via non-approved channels
  • Requiring business-related communications take place only over company-provided devices
  • Loading applications onto personal devices, which can then route communications through company systems where they can be captured and retained

The problem of business-related communications being conducted over personal or non-monitored channels has been around for as long as mobile phones have existed. Having identified this risk in the early 2000s, many financial services firms banned the use of personal mobiles on trading floors. However, the problem has snowballed in recent years, with recent fines dating back to 2015. Beyond simple texting and email applications, a plethora of applications arose in the years prior to that date; for example: Messenger (2008); WhatsApp (2009); Viber (2010); Snapchat (2011); WeChat (2011); Telegram (2013); Slack (2013); Signal (2014). Most of these apps make much of their end-to-end encryption, meaning that it is intentionally difficult to hack into a conversation, but also meaning that such platforms are attractive to someone who might want their communications to be un-hackable.

Did the banks realize the problem? 

While most business was conducted on a bank’s premises, and where personal devices were banned, communications tended to take place over established infrastructure and so perhaps this problem didn’t get the attention it deserved.

The fines to date do not suggest widespread deliberate conspiracies; indeed, the SEC makes clear that in the context of several investigations, bank employees have co-operatively provided communications from unrecorded channels on their personal devices. It would therefore appear that the majority of staff simply didn’t realise that there was a problem.

This regime might have continued, if not for the Coronavirus pandemic, which caused a widespread move to working from home. At that time, many financial firms were unable to deploy recorded-line infrastructure to all of their employees, meaning that there was little alternative to using personal devices for work communications. Regulators recognised this, and for a time, permitted handwritten records of transactions to be made, subject to certain requirements.

It was also clear that regulators would be looking to ensure that proper records were being kept, but one can conclude that when the regulators eventually did come searching, they might’ve found more than they expected.

This has exposed pain points for any firm under a requirement to record communications. Many firms have not been monitoring channels like WhatsApp, Slack, Telegram and Signal. But it is now clear that the SEC and CFTC mean it when they say that all devices and channels must be tested, approved and connected to recording and preservation systems.

So what do firms need to do?

Firms are tackling the problem head-on, either by issuing mobile devices with approved channels or by installing communications monitoring apps on employees’ personal handsets.

Capturing and retaining relevant communications is only the first step; regulators expect such communications to be monitored to help uncover potential wrongdoing. This means that the communication has to make it back to HQ and be saved as a data file that is processed through a surveillance system looking for evidence of potential wrongdoing within the communication. It must then be stored securely, but must also be easily retrievable if the SEC come looking.

There is no reason financial institutions can’t monitor communications and stay compliant with the guidelines. The advanced surveillance and monitoring technology is there, no matter the channel employees choose to adopt.

Using AI and advanced analytics, the industry has revolutionised the way financial firms comply with global regulation and address conduct-related risks by uniquely capturing, retaining and analysing all of these communications, along with trade and behavioral data. Powerful technology makes it possible to correlate employee actions, including both trades and behavioral data, with their communications to help understand what employees said, heard and did, and to uncover hidden risk more accurately and efficiently than ever before. There’s no reason to risk huge fines and, more importantly, loss of reputation when the solutions are there to protect an institution and, just as important, its customers.
