Bank outages have led to welcome increased regulatory scrutiny of operational resilience. Yet business communications continue to migrate to digital channels, and firms struggle to balance regulatory requirements with demand from customers and employees to use their preferred social media channels. What is the real solution?
In the shadow of Musk injecting his share price with a solid dose of confidence pre-privatisation via Twitter, never before has a regulatory framework driven by culture seemed so critical. Whilst digital communications clearly enable awesome business growth, this blinding light of opportunity has a dark side of potentially catastrophic, often inadvertent, maddening mistakes. Whether it’s the ones we are aware of such as:
- Reed Hastings of Netflix informing a closed community before the markets and receiving an SEC Wells Notice;
- Christopher Niehaus being caught on WhatsApp, on his personal device, sharing confidential information;
- or Rory Cullinan sharing a photo via Snapchat of him in a board meeting, which his daughter then shared on Instagram.
Or the ones that didn’t hit the news, often just as significant in their impact on the operational security of an organisation.
Why? Because of the intelligence that can be constructed from the information shared on employees’ social accounts, specifically Instagram. Images and videos with passwords on post-it notes, computer screens showing trades, whiteboards with product information: we see it all. The impact of a simple tweet, office selfie, ‘chilling at work’ picture, video of grads breakdancing on Instagram or market-sensitive pre-IPO information on WhatsApp can pose a risk to operational resilience, as the UK’s regulators know.
Operational resilience and managing inadvertent risks
Building operational resilience was the focus of the gathering of the FCA, PRA and BoE in September 18. Their thoughts and joint discussion paper are available via this link: ‘Building the UK financial sector’s operational resilience’. It is evidence of their diligence and focus in scrutinising any impact these channels are having in weakening organisational structures. Reflected across the pond, US regulators are also voicing a focus on scrutiny of data exfiltration from employees’ personal social media accounts.
Regulators are focused. So what does this mean for organisations today? Are regulators evolving their thinking to ensure firms are safely managing this often inadvertent risk?
This issue was discussed in detail at an FCA dinner event hosted by the CEO, Andrew Bailey, with a handful of carefully selected industry experts in attendance. According to fellow attendee Jonathan Davidson (Executive Director of Supervision for Retail & Authorizations at the FCA), if a firm were to be investigated, employees would need to show that they had taken “reasonable steps” to prevent and remedy potential data loss. The hope is that the prospect of this ‘enforcement’ mechanism should encourage individuals to take personal accountability for their conduct. The FCA’s intention: to consult and drive change by transforming culture and behavior in financial services.
Culture change, not more regulation
From all my discussions with leaders in industry, I believe one of the most significant issues for firms needing to comply with regulation has been the frequent overlay of more and more regulation. Further to this, regulations can be not only overly onerous, they can also conflict with one another. To name one example: MiFID II article 16(7) (‘firms must keep records of telephone conversations or electronic communications’) vs Art. 17 GDPR (‘Right to erasure’) vs FINRA 2451.
On top of this, regulation conflicts with today’s reality as technology and behavior advance. One excellent example is FINRA 11-39, which states: ‘Technology that automatically erases or deletes the content of an electronic communication would preclude the ability of the firm to retain the compliance with their obligations under SEA Rule 17a-4. Accordingly, firms and associated persons may not sponsor such sites or use such devices.’
An example: Snapchat immediately puts a minimum of 40% of executives in breach of this very regulation, as they have devices used for work (even if only for text, calendar or email) on which they use Snapchat, thereby deleting data. Of course, the reality we are faced with is overwhelmed compliance departments firefighting to meet regulatory standards, instead of focusing on a culture that innovates to meet regulatory standards.
There are two significant consequences of this. Firstly, the reverse of the goal: a driver for compliance standards to be the responsibility of the compliance department alone, rather than of the individuals working in the business every day. Why? Because everyone else wants to wash their hands of the intense knowledge needed and the potentially life-changing ramifications of breaching regulation. So we have reached a battle where painful (long, dull and unengaging) compliance training modules are sent around the firm, increasing individuals’ aversion to behaving in line with regulation. This is exacerbated by the constant belief that the regulation is no longer written with enough awareness of the reality of life and industry.
Secondly: compliance departments are having to continually ‘cull’ excellent business growth initiatives. Take WhatsApp. The smart banks are talking to their client relationship managers and figuring out a solution. (And anyone who comes up with WhatsApp for Business as this solution has seemingly missed the point. WhatsApp for Business may be useful for a small family-run bakery, but as we know, it is essentially irrelevant to large financial institutions. It simply won’t work.) Organisations must start putting in place processes that enable teams to build relationships positively in a compliant manner. There are always solutions; we and many other RegTech solutions are the proof.
As communication channels gain speed in their evolution, regulation needs to innovate at the same speed. It’s about safeguarding against risks. Back to the ‘firefighting’ analogy: a fire station is prepared for the worst, ready to put out the fire. Mistakes happen and will continue to happen as new channels evolve. Solutions are needed that are built to manage these very risks.
From Social Media Compliance to DeepView
This was the genesis of our thinking five years ago. Our objective was to provide a solution that answers this: how could a solution meet the need to manage unknown risks arising from often inadvertent errors? How could firms evidence their commitment to managing a risk they knew was posing a significant cyber and compliance threat, without knowing exactly how it might play out? Alongside that, how could they use digital channels for client support whilst meeting the requirement that all client communication be recorded?
(Explore our website if you want to know the answer…)
So how do we and regulation now progress in this conflicting mesh of regulatory standards and evolving technology? The FCA are working hard to meet this very problem, having put in place the ‘Senior Managers Regime’, which has actively raised the importance of personal liability and accountability within the financial services industry. With this new regime, the FCA is now rightly placing a heavy focus on encouraging individuals to take accountability for their own actions. The possibility that any investigation into a firm’s conduct could result in a Senior Manager having to personally prove what ‘reasonable steps’ they (and their teams) have taken to prevent such issues certainly encourages improved behavior at a more individual and personal level. This could be a standard driver with a great deal of opportunity, and could be an incredibly powerful evolution.
So how does the concept of ‘reasonable steps’ work? Does it really have the strength and power to shift compliance from firefighting to proactive analysis and prevention? Well, inadvertent data loss through current digital channels is a start: I believe so.
A safety net is needed, like a seatbelt: strong and advanced enough to match the speed at which communications have accelerated. Something that, when employees request it, can capture encrypted communications. A solution that reads images and videos for data leaks. A solution dynamic enough to continually evolve with technology development and behavior change. That’s us, DeepView. We have built a solution that meets the standard of ‘reasonable steps’ across Instagram, WhatsApp and more. It has taken us a good few years, but we are pretty excited about what we now have.
I wholeheartedly support the concept of reasonable steps. It allows for practical compliance. Now we need regulators and industry to form a dialogue on this around digital and social communications, thereby shifting the onerous burden of nearly impossible regulatory standards to a reasonable structure of lists and ‘reasonable steps’. That would enable firms to stop firefighting and playing catch-up (thereby missing the data and compliance risks occurring today) and start positively innovating for effective solutions. This way, compliance teams can work on today’s issues rather than legacy ones.
If you would like to discuss any of the issues raised in this article, please get in touch via our contact page.