Regulators in the United States and the United Kingdom are continuing to focus on the compliance consequences of hybrid working.
While government regulators may be geographically neutral — it doesn’t matter to them where staff members are working within a jurisdiction — all compliance and security controls must be equally effective regardless of location.
As the UK Financial Conduct Authority (FCA) stated, “Any form of remote or hybrid working adopted should not risk or compromise the firm’s ability to follow all rules, regulatory standards and obligations, or lead to a failure to meet them.”
A specific concern is that of communications. In October 2021, Gurbir S. Grewal, Director of the Division of Enforcement at the US Securities and Exchange Commission (SEC), warned that companies “need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.”
Integral to hybrid working and the communications compliance challenges across the industry, of course, are dynamic collaboration tools, such as Zoom, Microsoft Teams, Webex by Cisco, RingCentral, and Slack. These platforms were rapidly adopted to ensure that businesses could stay connected throughout the pandemic, and now, they continue to be the mainstay of communication methods regardless of where staff work.
The ever-growing volume of video, voice, chat, and document content, however, makes being able to actively detect risks to compliance or security and losses of data more challenging than ever, particularly where existing controls or tools are designed for email.
The communications conundrum
For many firms, there still remains a lot of catching up to do to ensure interactions across these modern methods for meeting, communicating, and sharing information have the same level of oversight and controls as those conducted in physical offices or more traditional text-based communication methods such as email.
Three of the more challenging issues, all relating to the ability to have a clear line of sight into communications themselves, include:
1. Inability to find or produce records of communications
Compliance, risk, and legal teams need to ensure they can quickly and comprehensively identify and extract relevant records from collaboration tools. That includes audio, video, chat, and document content as well as whiteboards and polling, along with contextual information such as GIFs, reactions, and emojis. This is a particular challenge with tools built for email that would not identify offensive images or account information on-screen, for example.
Being able to swiftly search for records relating to customers, staff, products, meetings, or transactions is critical for regulatory requests, supervision, legal investigations, HR matters, internal audits, or to respond to customer complaints or data deletion under the European Union’s General Data Protection Regulation (GDPR) and other privacy rules.
2. New modes of communications such as in-meeting chats are not recorded
Existing requirements for recording and supervising electronic communications apply to the wider communication modes now available, from in-meeting chat and whiteboards to comments in SharePoint, for example. Regulators have been quick to clarify the scope of rules, and firms must ensure their recordkeeping and supervision processes and controls have kept pace.
The widening scope is evident from the European Securities and Markets Authority’s (ESMA) confirmation that electronic communications “includes among others video conferencing, fax, email, Bloomberg mail, SMS, business-to-business devices, chat, instant messaging and mobile device applications,” adding that it “will not produce an exhaustive list of electronic communications because of the continuing innovation and advancement in technology which would mean the list frequently becomes out-of-date.”
Another example is the US Financial Industry Regulatory Authority’s (FINRA) response regarding the supervision of “visual aids, such as a whiteboard or dynamic charts, or a chat or instant messaging feature during a live, unscripted online conference,” which confirmed that, “the use of these visual aids may be correspondence, retail communications or institutional communications, and the firm must supervise them as such.”
3. Inability to supervise the context or history of chat conversations
The ability to view a complete audit trail of a chat conversation is fundamental to effective supervision and detecting compliance and security risks such as misconduct, collusion, or data leakage. Reconstructing continuous and fluid conversations involving multiple participants that can span days or even years, while capturing the full content as well as the context of conversations, presents firms with complex compliance challenges.
This is particularly the case with tools built for email that would not identify reactions or emojis that indicate collusion, for example. Firms need to ensure that they can fully capture the text, audio files, links, images, GIFs, emojis, and reactions — all of which can alter the interpretation of communications — as well as the native view showing how the chat conversation flowed.
Another use for artificial intelligence?
In an environment where it has never been so easy for anyone to digitally record and share externally what is happening across modern communications, it is essential for organizations to be ahead of the curve in detecting and dealing with potentially reputationally damaging risks, ranging from data loss to threatening behavior.
Finding these risks is comparable to finding a needle in a haystack. Purpose-built risk detections using artificial intelligence that has been trained to detect conduct, compliance, or security issues should enable firms to find the risks across their communications quickly, while benefitting from significant efficiencies and cost savings.
Season 4, episode 4 of the Compliance Clarified podcast, by Thomson Reuters Regulatory Intelligence, features a discussion on the continuing regulatory challenges of hybrid working.