February 14, 2023 | Amanda Khatri
Compliance Confessionals – Compliance in the work-from-home environment
Compliance expert and former Head of Compliance, Sylvia Yarbough, shares secrets and insights from the heart of the compliance team.
I was listening to a radio talk show (yes, not a Podcast) concerning employees’ disenfranchisement from their employers caused by the work-from-home (WFH) environment. Beyond the lack of socializing aspects of remote working, I was surprised to hear a lot of employees do not feel like they get enough direction, support, or training, don’t understand the bigger picture of what goes on in their departments, etc.
Although they like the flexibility of WFH and are not looking to go back to the good old days, they were starting to really feel the downside to remote working. The drawback to the employers was a lack of loyalty to the company and employees just putting in the minimum effort required, especially newer or younger workers.
For those of you familiar with my articles, this started with me thinking about how this evolving work model can impact our abilities, as leaders, to have oversight on regulatory compliance and ethics.
WFH is not new. However, COVID-19 forced our hand in our ability to re-imagine all aspects of the organization working remotely, from customer service reps to loan processors. Back in the day, when remote working first started, it was a day or two per week for exempt employees who were in corporate functions like marketing, finance, risk management, etc. – not the employees who interfaced with customers or handled customer transactions.
Fast forward to 2020 and everyone was being issued laptops or being given remote access through their personal devices to log in so that they could keep working – with some companies more prepared with the appropriate technology in place for information security than others.
My mind then jumped to last fall when the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) fined several firms a total of $1.6 billion for using their personal devices to discuss deals and trades with these call records not being retained – violating records retention requirements.
The regulators found that in some cases it was employees’ carelessness and in others, it was a deliberate attempt to violate the law. This widespread abuse goes back to 2018 so COVID-19 was not to blame.
However, it goes back to my point that WFH is not new. Since mid-2000, when we evolved from the corporate-issued Blackberries to smartphones putting computing power in our pockets, companies began sanctioning bring your own device (BYOD) to cut costs since most employees had smartphones, laptops, high-speed internet, and eventually, video conferencing.
At first, these capabilities were only afforded to management and senior personnel but eventually became more commonplace as more and more individuals started leveraging WFH.
So, what are the compliance or ethics issues that continue to surface with WFH and/or BYOD?
Most employees do not do this intentionally, but we all have experienced the glitchy connection when we remote in from a personal device or login issues from the corporate email apps. You’re in a hurry and you remembered the email address, so just this once you send an email from your personal email. The individual responds back and may add someone else to the communication. Next thing you know, you have an ongoing chain within your personal email. And, because all our email systems are so smart, the client, vendor, or co-worker now has your personal email auto-filling in once they start typing your name in the “To” line, so the issue randomly continues. I don’t believe everyone that has this problem is a bad actor; most are good employees rushing to get something done.
Forwarding documents to your personal email or finding ways to print documents so you can read them later while you’re waiting for your kid to finish soccer practice, etc. Another angle on documents is taking documents when the employee leaves a company, sometimes inadvertently and sometimes deliberately. I believe we have a few Presidents and Vice Presidents having to deal with that issue right now.
3. Screen privacy
A lot of individuals really have nowhere to work privately in their homes, so whatever is on their computer screens is often in full view of the dog, the kids, and the neighbor who just dropped by unexpectedly. Or there is the computer screen that doesn’t log out, so anyone passing can move the mouse and see your emails or the presentation you were reviewing.
4. Phone calls
We all love our ability to do conference calls, and sometimes we will take advantage of these and do those calls from anywhere. I am not referencing the occasional “flush” heard over the line either. How many people are taking potentially confidential business calls in the grocery store, the doctor’s office waiting room, or a Starbucks coffee line – with the speaker on the highest volume? Imagine the call is on due diligence for a potential acquisition (yes, I overheard one of those recently in the line at UPS).
5. Written notes
For customer service reps and other customer transaction-related employees who must jump from screen to screen to enter information, how many are writing down customers’ names, addresses, and account numbers so they can quickly re-enter them on the next screen? Those little scraps of paper may or may not make it into the trash for days from that unsecured kitchen table. Again, no bad intent, just a good employee trying to be super productive.
What causes non-compliance in a WFH environment?
These are just a few examples that I have heard about. I am sure each of my readers could add to the list. Now, let’s loop back to my intro about the talk radio show on employees’ discontent with some aspects of the WFH environment.
I don’t believe WFH or BYOD efforts are the cause of the problems employers may be having with ensuring compliance and ethical behavior in this new era. I do believe it ties back to the talk show statement “employees do not feel like they get enough direction, support, training, don’t understand the bigger picture of what goes on in their departments, etc.” I think this statement squarely relates to training and practicing compliance and ethical behavior.
I came from a time when you did your work at work on a company-issued device (yes, laptops existed back then). You were trained in information security, compliance, and ethics. In addition, you were surrounded by coworkers and a manager who received the same training. This was a time when employees understood corporate policies and were expected to follow them and for lack of a better term – we kept each other honest and accountable.
As technology evolved and we gained more freedom in how and where we did our work, the expectations around confidentiality, privacy, and information security were already entrenched in people of the pre-portable-technology decade.
Fast forward to individuals who may have joined the workforce during COVID-19, who barely had a supervisor to train them, and who were given 15- to 30-minute courses on Ethics and Information Security (we hope). These employees may not be well trained and they may not fully understand the concepts that were drilled into me way back when.
Beyond the younger new employees, I also believe the level of casualness that has entered the work culture and the world, in general, makes it hard for employees, of any age, always to have compliance and ethics front of mind. The same person on the speakerphone conference call in the grocery store this week is the same person that is on the speakerphone with their bestie next week.
WFH and BYOD have basically blurred the lines between business and work and individuals often forget that they are not the same thing until something significant happens to make them remember.
Adequate training can promote compliance when remote working
It is incumbent on compliance professionals and InfoSec teams to reinforce and double down on training and monitoring activity. I would also encourage managers to spend a little more time reinforcing compliance and ethics expectations. Managers should get a better understanding of each employee’s WFH setup, help them resolve their tech issues instead of giving the quick workaround you discovered, incorporate discussions about confidentiality and customer privacy in team meetings, and instil good compliance habits.
I doubt we will ever go back to having to be in the office all the time, but we don’t want to lose good employees over a stupid compliance mistake. Let’s try to help them sketch those lines between work and personal behavior by understanding good compliance and ethics practices in a remote working environment.