By Jennie Clarke, Senior Manager at Global Relay, the electronic communications compliance specialists.
Regulatory obligation and guidance surrounding the capture, monitoring and surveillance of digital communication channels is far-reaching and increasingly robust. The Financial Conduct Authority’s (FCA) Handbook SYSC 10A, for example, requires firms to “take all reasonable steps to record telephone conversations, and keep a copy of electronic communications” that relate to financial activities. Moreover, it asks that firms take all reasonable steps to prevent an employee from “making, sending or receiving relevant telephone conversations and electronic communications on privately owned equipment” if the firm is not able to record or copy that information.
Obligations around compliant communications are not limited to the UK. In the U.S., for example, FINRA Rule 3110 requires firms to “establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations”. As compliance teams will be well aware, firms are under increasingly strict instruction to manage their business communications to ensure compliance.
Staying in the US, few will have missed the mammoth $125 million fine issued by the Securities and Exchange Commission (SEC) to JP Morgan in 2021 for its failure to “maintain and preserve written communications”. What UK-based folk may have missed, however, is the near-constant publication of similar regulatory messaging surrounding business communications.
In the past few months alone, FINRA issued fines to two senior managers who continued to use text messages for business, which had been prohibited by the compliance team. Then, the U.S. Department of Justice alluded to new rules in the pipeline surrounding the use of personal communication devices, listing senior manager involvement in non-compliance as an “aggravating factor”. As well as this, the SEC has made significant amendments to recordkeeping Rule 17a-4, aimed at modernizing the 25-year old framework, as well as announcing that nearly 20% of fines issued in 2022 concerned recordkeeping failures.
Again, this has all taken place over the course of three months. One thing is clear in the U.S., communication is top of mind for the regulators.
As with all financial regulation, this wave of regulatory scrutiny will not be limited to the U.S. for long. The tide is slowly shifting, with regulatory focus slowly crossing the Atlantic and making its way to the UK.
Despite this, many firms across the globe still do not have a compliant, watertight strategy to enable compliant communications. In light of increased regulatory scrutiny, most firms have moved to banning certain channels for communication – whether it’s SMS or WhatsApp. However, if continued enforcement tells us anything, it is that the banning of channels is not an effective solution. In many instances, employees continue to use banned channels to communicate, the problem then being that none of this information is captured. These illicit communications are not compliant.
As was recently reported, Morgan Stanley has taken to fining individual employees for their use of illicit communications, with fines apparently ranging from the thousands to millions. What is interesting is that none of this would be necessary if the firm had an effective, compliant solution in the first place. Instead of using ineffective channel bans – and then fining employees who do not comply – firms could enable WhatsApp, SMS, or any other communication channel for business and employ effective compliance technology to capture those messages and store them in a way that would stand up to regulatory scrutiny. Solutions are undoubtedly more effective than restrictions.
Many are expecting that the waves of enforcement for non-compliant communication will soon be lapping at the feet of UK firms. Most are standing at the water’s edge, waiting with bated breath for a big-bang enforcement before they take action, and crossing their fingers that they won’t be the test case.
Instead of looking out to sea, these firms should be looking for effective solutions while the UK regulatory focus is still in its nascent stages. Compliance teams should be bolstering their defences and battening down the hatches to ensure their communication policies, procedures and controls are watertight. Only then, when the waves finally come crashing down, can the compliance team sit back knowing that they’re home and dry.
Subscribe to our newsletter
