What Tech Traps Are Examiners Looking For?

Monitoring non-email communications like social media and texting was the biggest challenge that the survey identified. Mobile communications and keeping up with regulations tied to round out the top three concerns of compliance professionals.

FINRA issued guidance in May to help broker-dealers stay in compliance regarding social media and digital communications use. The guidance, issued as a Q&A, clarifies that text messages and IMs related to a firm's business must be retained just like social media communications.

The Smarsh report found that texting is the most requested channel for business communications, with 42% of firms noting their employees have asked to use texting for business purposes.

"It's no longer realistic for a firm to believe that its employees don't use text messaging to communicate with clients. Text messaging continues to surface on FINRA's enforcement radar," according to the report.

Most worrying is that over a third of firms that have prohibited their employees from texting about the business have "no or minimal confidence that they could prove that their prohibition is working."

In December 2016, FINRA fined 12 firms more than $14 million for failing to retain electronic communications, including a $1.5 million fine for SunTrust, which had prohibition policy in place.

The prevalence of smartphones makes it more difficult to monitor employees' communications for compliance, but firms could be doing more. Almost half of firms allow workers to use personal and corporate-issued devices, while 35% don't even bother issuing a corporate device.

"With more than eighty percent (83 percent) of firms allowing employees to use personal devices for business communications, the supervision ramifications of bring-your-own-device (BYOD) are a reality for most compliance professionals," the report noted.

Firms could adopt a Choose Your Own Device (CYOD) or Corporate-Owned Personally Enabled (COPE) strategy to retain more control over the type of communications made by employees about the business. Smarsh noted in a white paper, "5 Steps to Eradicate Text Messaging Risk," that a CYOD scheme can help reduce hardware costs by limiting the types of approved devices and the IT support needed, although it can be slow to deploy across the organization and employees may not be happy about the limited choices, especially if they have to pay for the device.

"CYOD provides more latitude for compliance and legal teams to govern data, and apply more policies and technical controls to ensure proper handling of text messages. CYOD also provides other security options for organizations that are concerned about potential BYOD ramifications, which is a key reason CYOD continues to receive attention," Smarsh wrote.

A COPE strategy keeps ownership of employees' devices with the organization but allows workers to make personal communications on them. It also requires firms to do more to keep up with mobile technology, but from a compliance perspective, "monitoring and archiving policies for electronic communications, including text messages, are easier to put in place and supervise with COPE."

— Read Connected Capital: Financial Services in an Always-On World on ThinkAdvisor.