Keeping Pace With Electronic Communications Compliance

Fines levied by the Financial Industry Regulatory Authority in electronic communications cases have more than doubled, from $2.7 million in 2008 to $6.2 million in 2015.

That number jumped out at me as I was reviewing Smarsh's recently released 2016 Electronic Communications Compliance Survey.

The annual survey found that compliance officers are struggling to align the benefits of "modern communications" with their duties to protect firms against compliance risks, just as SEC and FINRA examiners are increasingly knocking on their doors. At the same time, compliance officers' budget increases aren't keeping pace to grow and modernize surveillance procedures.

Not only are firms overwhelmed by the sheer volume of email they must retain and review, but resources to monitor compliance officers' expanding electronic compliance perimeter — electronic communications channels and devices in use at an organization that require governance policies and retention/supervision solutions — "are growing slowly, if at all," Smarsh reports.

The survey notes that the "current, linear approach of layering new content types on top of the supervision policies and processes originally designed for email is inefficient and ineffective."

If the procedures firms have put in place to identify risk in email are "ineffective and waste time," the survey notes, "extending those same procedures" to other electronic communications compliance content "only exacerbates those results."

Firms must rethink the traditional approach to communications supervision, the Smarsh survey warns, especially considering firms' finite resources and "growing strategic role of compliance in organizational risk management."

So what are compliance officers most worried about? The survey listed five top concerns:

Increased scrutiny/enforcement by regulators
Balancing employee privacy considerations with oversight obligations
New communications channels, like social media and texting
Cybersecurity threats posed by the use of electronic messaging platforms
Insufficient human resources

That concern over growing scrutiny/enforcement by regulators related to electronic message compliance was the top concern of compliance officers for the third year in a row. There's good reason to be concerned, since 42% of respondents to the 2016 poll reported being examined in the past 12 months, up from 27% in the 2015 survey.

Sixty-five percent of respondents report that the compliance function is responsible for handling requests to produce electronic communications data for e-discovery or other business purposes, bringing compliance into more aspects of business operations.

Resources Not Matching Need for Supervision

The survey listed about 18 rules and regs that can come into play regarding firms' electronic communications compliance. One of the primary rules is SEC Rule 17a-4, which requires firms to archive electronic business communications in non-rewriteable and non-erasable (WORM) formats for at least three years. Others include SEC Regulation S-P, a host of FINRA rules, as well as the Graham-Leach-Bliley Act and state data protection laws.

While the importance of communications supervision is growing, resources are not, the survey found.

More than 87% of respondents expect the resources (time or money) they dedicate to electronic message compliance will remain the same or increase only slightly in the next 12 months, while less than one in 10 expect to receive a significant resource increase. More than a quarter of respondents (28%) cited insufficient budgets as a top concern this year, up from 22% last year. Likewise, 34% of respondents cited insufficient human resources as a top concern, up from 30% last year.

As the survey points out, one of the trickiest aspects of a compliance officer's job is that they must supervise all types of business communications, even when messages reside on personal devices and social media accounts.

"Making this a reality, however, presents challenges, and compliance to-date has not kept up with implementing archiving and supervision systems for all the communications channels employees are allowed to use for business," the survey states.

Almost half of respondents (48%) cited social media as the No. 1 channel of perceived compliance risk. Even for firms that have banned social media channels, risks remain if employees do not adhere to the ban. In fact, the survey notes, the percentage of respondents who claim to have minimal or no confidence that they could prove the policy of prohibition is working ranges from 30% for LinkedIn to 41% for Facebook and 45% for Twitter.

The Biggest Compliance Gap: Texts

Texting was noted as presenting the biggest compliance confidence gap. Thirty-nine percent of respondents who allow such messaging but don't archive them said they are waiting for regulators to issue guidance on SMS or text messaging and Apple iMessage before they will begin archiving them.

But Smarsh CEO Stephen Marsh warns that this "head in the sand" behavior is dangerous. "When regulators ask if a firm allows its employees to use social media, the response 'not to my knowledge' is no longer acceptable. Our survey demonstrates there are still too many firms using new communications channels without retaining or supervising the content." Marsh says this behavior is "a ticking time bomb as examinations are on the rise. These firms are playing the odds, waiting for regulators to provide more guidance, or for their peers to receive penalties, before they get serious about tackling their oversight responsibilities."

Even small firms with one to five employees must up their game, Marsh argues.

But the 2016 survey responses indicate compliance professionals are "not optimistic that business risk is being identified," Smarsh says. Less than half (43%) of respondents are mostly or completely confident their current supervision programs will effectively identify risks for their organization.

"Whether new content types are allowed or not, compliance professionals report low confidence that their firm is in full compliance with regulatory requirements for these communications."

— Read "How Content Management Can Help Advisors Handle DOL Fiduciary Rule" on ThinkAdvisor.