November 7, 2023
Compliance Confessionals – Phone a friend: Who wants to be a compliance officer in the era of WhatsApp?
We all have read about the recent SEC enforcement actions levied against some of the largest financial service firms in the US for illicit off-channel communications. Over the last two years, these enforcement actions have totaled almost $1.5bn.
For those who have not been following, there isn’t really a regulation titled ‘off-channel communications’. It’s defined as electronic communications on an employee’s personal device and/or outside of the organization’s approved communication methods that cannot be backed up, restored, or reproduced as per record-keeping requirements.
The Securities and Exchange Commission (SEC) has referred to these violations as “widespread recordkeeping failures” in violation of Section 17(a)(1) of the Securities Exchange Act of 1934 and Rule 17a-4(b)(4), as well as Rule 204-2(a)(7) under the Investment Advisers Act of 1940, taking a very broad view in its interpretation and application of these rules.
In reviewing a few of the administrative orders, the same findings are repeated over and over:
- Senior managers, executives, group heads, and supervisors engaged in the practice, thereby failing to set the appropriate example for junior employees.
- Settlements required an admission of liability and did not allow settlement on a “neither admit nor deny” basis.
- Requirement that firms retain independent compliance consultants to review the firm’s policies, procedures, and practices.
As always, some of the financial services organizations caught up in this enforcement action are the usual suspects. If you are among the top 10 institutions, you will always be caught up in these types of enforcement actions.
However, these enforcement actions were not part of routine examinations or requests. The SEC has been conducting a targeted sweep focused on this specific topic, “off-channel communications”, and the fact that this has been going on for over two years speaks to how hard it is for some organizations to understand how well they are managing and measuring a particular risk. At least, in the last round of enforcement actions, three firms were given credit and smaller fines for self-reporting.
What compliance officers are saying
As a compliance professional, I reached out to my network trying to figure out how we got here.
Given that my peers and I have been in this game since long before the advent of bring your own device (BYOD), and for some of us since long before the advent of cell phones, it is probably easier for us to reflect on the changing dynamics of communications in organizations, and in hindsight we could have seen this coming.
Earlier in the year I wrote an article on “Compliance in the work from home environment”. I believe my thoughts reflected in that article apply here.
I do not believe the vast number of these individuals (yes, even the executives) were trying to commit any nefarious activities.
“As referenced in my previous article, I believe that the lines between work and home have become so blurred and our general culture of casualness has made it very easy for individuals to forget or ignore corporate protocols.”
Back when cell phones (they weren’t called mobile devices back in the day) became a thing, most individuals, at a certain level, were issued a company-paid-for device not to be confused with their personal device. There were clear lines of distinction on which device could be used for different purposes. A client never had your personal number, and you used your corporate-issued device for all corporate-related communications.
The same concept is typically applied to your laptop. Work laptops were for work and home laptops were only for personal use. There were seldom issues. If the lines were crossed, it typically led back to some intentional misbehavior on the employee’s part.
As we rolled into the era of tighter corporate budgets, too many devices to carry around, and the advancement of technology providing secured portals for work on your personal device, BYOD became the reality.
It was cheaper and more efficient to push the secured portals to someone’s own device, and there were fewer complaints about all the equipment an employee had to carry around. When a new employee started, they may have signed a statement acknowledging that the organization could take their personal device, if needed, for legal purposes.
The employee received guidance on how to use the secured apps and maybe, in some companies, an annual reinforcement about using the secured app for all communications (that may be a stretch for some organizations). Now add BYOD to forwarding your office phone to your mobile device and logging into work on your personal laptop using a Virtual Private Network (VPN), and voilà, employees are completely mobile and can work from anywhere.
What we may have missed is the monitoring and surveillance to support all these processes. Yes, if you are using the secure portal on your mobile, or the VPN on your laptop, and only giving out your office phone number, ideally these channels have some level of monitoring.
However, this is where glitchy technology, the casualness that has become part of our work culture, and the blurring of lines between appropriate work and personal behavior become the challenge. Basic conduct and ethical principles have gotten lost in translation in a more remote workforce.
Examples of everyday non-compliance
The call transfer didn’t come through because the VoIP system had a glitch. You realize you missed a call from a very important client. You tell the client, “Look, just call me on my personal mobile directly next time.” You want to let the client know he is in a valued relationship, right?
The mobile secure portal keeps kicking you out and the two-step authentication to log back in is a pain, so you send a customer communication on a high-priority deal from your personal email, just this one time. However, that email address gets saved in the customer’s contacts and the next thing you know, you are always receiving client emails through your personal email account and responding back, saving time but blurring the lines.
You have a buddy at another firm, and you exchange personal phone numbers. He hears some big news on a deal that he knows your firm is working on, so he texts you some info just in case you are not in the loop – after all, that is what friends are for right? Next week you get a bit more information and text him back with additional insights – because you are chums!
Your personal laptop does not allow you to print documents from the secure work portal. You are in a hurry to get to your kid’s game, so you forward the document to your personal email to print and read it during half-time. This document is clearly marked private and confidential, but you leave it lying on your chair while you run up and down the field cheering on your son at his soccer game.
These examples are what happens on a routine basis in most organizations regardless of the department or employee’s responsibilities.
Mobile technology makes it very easy to forget and ignore the company’s policies and regulatory requirements. An annual training session may stop bad practices for a little while, but it is quickly forgotten in the haste to get things done.
These examples at their core demonstrate how innocuous behavior ties back to the root of the SEC’s enforcement action. In every situation, there is some level of violation of record-keeping requirements. It becomes almost impossible for the SEC to do its job: protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.
How can it perform appropriate reviews, investigations, and necessary discovery if activity is not being appropriately captured and retained? More importantly, how can any financial organization claim to be operating in the clients’ and shareholders’ best interest if it cannot monitor the activities of its employees?
Is there a silver bullet for the personal-device, off-channel problem?
My compliance peers and I bounced around thoughts on how to minimize if not stop off-channel communications at the micro and macro level with today’s mobile workforce.
Macro extremes we tossed around include:
- Certain employee personal devices are registered and monitored by your employer. Yes, it feels like an invasion of privacy but it’s for the greater good.
- Organizations go back to separating work devices from personal devices. Doesn’t stop the sharing of personal email or cell numbers – so it still leads back to monitoring personal devices.
- Go back to the office work environment only with the enhancement of “clean rooms” (e.g., no personal devices allowed at your workspace) for certain employees. This could potentially lead to a mass exodus of employees.
On the micro level, compliance professionals can play a bigger role. Items that may need to be looked at in your organizations include:
- Enhancement in training with real-life examples delivered in micro modules frequently enough to reinforce the message.
- Partnering with senior leadership to set the tone from the top, driving home the importance of conduct and ethics in day-to-day activities, and leading by example.
- Ensuring monitoring and surveillance are done on an independent basis and that the reporting of exceptions engages compliance partners. Often, when monitoring and surveillance are embedded in the business, issues raised, especially about senior managers, may be glossed over.
- Conducting monitoring and surveillance not just on activities but on gaps in activities. This one is more difficult, but this is where compliance and risk professionals may identify gaps in the use of the secured portals or the recorded line at times when employees are supposed to be working, and further investigate the cause of these gaps.
- Amend the new hire use of personal device agreement to allow the organization to periodically audit all communications on employees’ personal devices.
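The “gaps in activities” item above, as an added illustration that is not part of the original article: a Python check over constructed approved-channel activity records (assumed layout of employee, timestamp, channel) that flags business-hours windows with no secure-portal or recorded-line activity, including employees on the roster with no activity at all, for compliance follow-up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of approved-channel activity for one workday (not real data).
# Each record is (employee, timestamp, channel); "portal" = secure mobile portal,
# "line" = recorded line. Layout is an assumption for this example.
SAMPLE_ACTIVITY = [
    ("alice", "2023-11-06 09:05", "portal"),
    ("alice", "2023-11-06 11:40", "line"),
    ("alice", "2023-11-06 13:15", "portal"),
    ("alice", "2023-11-06 15:00", "portal"),
    ("alice", "2023-11-06 16:50", "line"),
    ("bob",   "2023-11-06 09:10", "line"),
    ("bob",   "2023-11-06 16:45", "portal"),   # silent on all approved channels 09:10-16:45
    ("carol", "2023-11-06 12:30", "portal"),   # silent before 12:30 and after 12:30
]
# Constructed roster: "dave" is scheduled to work but has no recorded activity at all.
ROSTER = ("alice", "bob", "carol", "dave")

WORKDAY_START = "09:00"
WORKDAY_END = "17:00"


def find_coverage_gaps(records, day, roster=None, max_gap_hours=3):
    """Return (employee, gap_start, gap_end) for every business-hours window longer
    than max_gap_hours with no activity on any approved channel. Leading and trailing
    silence counts, and roster members with zero records get a full-day gap."""
    start = datetime.fromisoformat(f"{day} {WORKDAY_START}")
    end = datetime.fromisoformat(f"{day} {WORKDAY_END}")
    limit = timedelta(hours=max_gap_hours)

    by_employee = defaultdict(list)
    for emp, ts, _channel in records:
        t = datetime.fromisoformat(ts)
        if start <= t <= end:  # only activity inside business hours matters here
            by_employee[emp].append(t)

    gaps = []
    for emp in sorted(set(roster or ()) | set(by_employee)):
        # bracket the day so silence at the start or end of the day is a gap too
        points = [start] + sorted(by_employee.get(emp, [])) + [end]
        for prev, nxt in zip(points, points[1:]):
            if nxt - prev > limit:
                gaps.append((emp, prev.strftime("%H:%M"), nxt.strftime("%H:%M")))
    return gaps


if __name__ == "__main__":
    for emp, gap_start, gap_end in find_coverage_gaps(SAMPLE_ACTIVITY, "2023-11-06", ROSTER):
        print(f"{emp}: no approved-channel activity {gap_start}-{gap_end}, review")
```

A flagged window is a prompt for review, not proof of off-channel use; leave, meetings, and logging outages have to be ruled out before anything is escalated.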
Regardless of the approach to mitigate risk, we as compliance professionals cannot ignore this problem because the SEC will not let up.
If you have not done a risk assessment or assurance review on this topic for your organization yet, I encourage you to get this done ASAP. As the SEC has stated, they are more lenient on firms that self-disclose.
Contact CUBE so we can help you proactively manage every single regulatory change.