Maintaining rigorous compliance standards around electronic communications remains a significant challenge for capital markets firms. Following a period marked by substantial regulatory fines globally, the industry is taking stock of its surveillance programmes and adapting to both evolving technological landscapes and shifting regulatory priorities. A recent webinar hosted by A-Team Group in May, sponsored by NICE Actimize, brought together experts to discuss the current state of play, the practical hurdles firms face, and strategies for fostering a robust compliance culture.
Assessing the Enforcement Landscape
The conversation began by addressing the sheer scale of recent regulatory interventions. Over $3.5 billion in fines have been levied since 2021 for off-channel communications failures alone, a figure that underscores the seriousness with which regulators have viewed these breaches. However, panellists debated whether the peak of this enforcement wave may have passed. One observation was a potential “levelling off” of enforcements. Recent regulatory actions have shown variations, with some remediation requirements being scaled back compared to earlier, more stringent cases. This might indicate a pause or a period of reassessment from regulatory bodies. One panellist highlighted this as an example of US regulators’ stated intent to move away from “regulation by enforcement.”
Several factors might contribute to this perceived shift. Deregulation efforts in some jurisdictions, coupled with regulators signalling a desire to collaborate more closely with the industry on tricky issues like the use of specific messaging platforms, could influence the approach. Furthermore, the focus of lawmakers appears to be shifting towards emerging areas such as Artificial Intelligence (AI) and cryptocurrencies, potentially diverting some attention from more established, albeit still important, technical compliance domains. While the era of multimillion-dollar fines might be plateauing, communications compliance is expected to remain a standard item on regulatory checklists.
Balancing Monitoring Needs and Privacy
A persistent tension lies between the need for comprehensive surveillance and the increasing complexity of global privacy regulations, notably GDPR. Financial services operate under specific carveouts that permit the recording and monitoring of data. These include explicit consent, often secured through employment contracts and service agreements. Crucially, monitoring is also permissible where regulations specifically mandate it, such as under MiFID II or MAR. Finally, a “reasonable requirement for the business” can also serve as a justification. In the UK, the obligation to monitor for non-financial conduct also necessitates access to electronic communications. While privacy is paramount, attempting to use privacy laws to obstruct monitoring for misconduct would likely be ineffective. Firms also have an obligation to demonstrate that they are actively monitoring for other financial crimes like market abuse.
Defining Business vs. Personal Communications
The practical challenge of separating business and personal communications was explored, particularly in the context of device policies. A clear trend has been the move away from Bring Your Own Device (BYOD) models towards company-issued devices and networks, as these offer greater control over imposing monitoring requirements. However, the panellists noted that geographical differences in privacy interpretations can complicate matters, especially regarding platforms like WhatsApp where personal and business use might be mixed on a device.
From a technology perspective, it was argued that both BYOD and corporate-issued devices can be effectively managed provided the “right controls, governance, and monitoring capabilities” are in place. The rapid emergence of new communication channels means firms must adapt; outright prohibition might hinder business. The focus should be on ensuring “vendors that can record” these new channels are available and integrated into a robust control framework. While platforms like WhatsApp carry inherent risks, monitoring is feasible if supported by appropriate infrastructure, governance, controls, and training. However, the difficulty in accessing personal communications on business devices within a European privacy context remains a significant factor influencing policy decisions.
Evaluating Business Demand for New Channels
Integrating new communication channels requires a delicate balance between meeting business needs and ensuring compliance. A crucial element is fostering a strong “working relationship between the front office, compliance, and IT”. Open dialogue is essential so that potential new platforms or features within existing ones are flagged early.
From a technology standpoint, Compliance IT should ideally manage vendor relationships and stay informed about updates to ensure recording and governance are maintained. The onboarding process for new channels should be a collaborative effort involving review, testing, compliance training, and establishing ongoing monitoring controls. This process contributes to building a “defensible playbook” that can be presented to regulators or exchanges if inquiries arise. Regular testing of channels and controls by internal audit is also vital. Beyond process, culture is paramount. Compliance and IT should be perceived as partners enabling business where possible, only saying “no” when absolutely necessary. This collaborative approach builds trust and discourages employees from trying to circumvent controls.
Cultivating a Culture of Compliance
Embedding compliance into daily operations requires more than just rules and monitoring; it demands a strong culture. Leading by example, particularly from senior management, was highlighted as perhaps the most effective strategy. If leaders do not adhere to policies, their teams are unlikely to follow suit. Recent enforcement actions have underscored the importance of “tone from the top,” with regulators specifically pointing to senior figures flouting rules in some cases.
Furthermore, firms must provide employees with the necessary tools and platforms to communicate via the channels their clients use. Simply restricting channels without offering alternatives can inadvertently push staff towards unmonitored personal devices. Employees must also understand the individual risks of non-compliance, including the possibility of regulators examining personal devices. Compliance should be viewed as a “partner and not as a business preventer”, helping rational individuals understand the ‘why’ behind policies and the benefits for both the firm and themselves.
Navigating AI and Transparency
The increasing use of AI and Machine Learning (ML) in surveillance brings its own set of challenges, particularly the industry’s wariness of opaque ‘black-box’ solutions. Regulators are actively focusing on AI risk management, with frameworks being developed to govern AI use in financial markets. Compliance leaders should proactively question vendors about their “model risk management framework,” covering the entire AI model lifecycle from data collection and training to deployment and monitoring. Key disclosures expected from vendors include “model methodologies, assumptions, data sources, and potential biases”. The risk of issues like data poisoning or model drift necessitates robust machine learning operations (MLOps) to maintain accuracy.
In the UK, regulators expect compliance teams to be able to “explain how the AI system works” and diagnose issues if they occur, making “explainability” a critical requirement. While AI can significantly augment surveillance capabilities, it is currently not a ‘set and forget’ solution; “human oversight is still required” for governance. Examples of bias in AI training data, such as historical employment data leading to skewed hiring outcomes, underscore the need to assess potential biases. Explainability should ideally cover “why a decision was made” in a readable format, and results should be “repeatable” with consistent inputs. Panellists also suggested asking vendors about their track record, durability, and how data is handled to avoid leaks. Ultimately, regulators generally adopt a “technology-agnostic approach,” meaning the firm remains responsible for compliance outcomes, even when leveraging AI.
Looking Ahead
The path forward involves continuous adaptation. Recording remains critical, and vendors are working to keep pace with new technologies. Tone from the top is vital but must be reinforced through “iterative and practical” engagement models. Finally, compliance teams themselves must evolve, either by hiring technologists or partnering closely with Compliance IT, to navigate the ongoing technological shifts. As the industry moves into 2025, managing the challenges of new technologies and governance in communications surveillance will continue to be a key focus.