As of today, the SEC fined 15 financial institutions a total of more than $1.1 billion for “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications” in violation of federal securities law. This followed a fine of $125 million earlier that year for JP Morgan for the same reason. Getting in on the act, the CFTC announced settlements for similar breaches at the same time.
The signal was clear – poor communication standards and lack of oversight and monitoring would not be tolerated. Firms must implement comprehensive communications surveillance systems.
Communications surveillance and monitoring is not new. In the US, longstanding federal requirements have required communication monitoring and processes. This was expanded with the implementation of MiFID, which requires all electronic communication, voice and text, to be recorded and monitored. While no fines have been issued by European regulators regarding this specifically, lack of compliance or notable breaches are likely to see fines in the future.
More trading, more communication, more tools…. the perfect storm
But how did firms get here and what should they be doing about it? It’s certainly complex. The volume and variety of communications within financial institutions and between them and their clients and other parties has exploded. The need for more communication is, of course, a simple feature of more trading, more asset classes, more complexity, and a much bigger market. And the number and variety of communication channels have expanded to meet this need, dominated by new and innovative electronic communication tools designed to streamline and simplify communication between all parties.
For the regulators, this explosion is just another risk and it’s one they fully expect financial institutions to be on top of. So what’s required? Firms need to install, save and monitor all electronic communications, alongside incorporating and enforcing policies for their use. It sounds simple, but the volume of data, the variety of devices, and the proliferation of apps and services make it tricky, exacerbated by the increased use of personal devices for work-related activities driven in part by the shift to hybrid working during the Covid pandemic. The days of a trader on a landline with a client on the other end are long over.
Communications surveillance and security isn’t simple
An effective communications surveillance system that will genuinely reduce financial, regulatory and reputational risks needs to work within the framework of two key challenges:
- Disparate data types and sources leading to silo building
Communication within teams and with clients and other stakeholders is not consistent nor easily tracked. A bank’s employees may be using a combination of tools and devices and doing so simultaneously. Email, voice, Teams, Zoom, Bloomberg, Whatsapp, Signal, and Telegram are just a few. Adding to the complexity, this communication is happening across multiple devices such as computers, landlines, mobile phones, and tablets. The challenge of gathering and archiving this communications data can be overwhelming for compliance and technology teams.
At best, the most common way to do this is to track the data at a device or tool level and then again at a business line or trading desk level. The resulting data silos tend to very quickly multiply and grow, resulting in little uniformity across an organization. At a glance, this does at least seem to meet the baseline need for gathering and storing the data…. until a problem arises and the intrinsic flaws and limitations of this become clear: data silos can’t be cross-checked or cross referenced; search and analysis are all but impossible, and the effort required to identify and access this data is extreme.
Data collection of this sort might technically meet regulators’ requirements, but it spectacularly misses the real objective – to facilitate oversight and monitoring of communications in order to reduce the opportunity for and likelihood of market manipulation, fraud, and other undesirable behaviors.
- The volume of data and the inherent challenge of monitoring and reviewing it.
The immensity of the data volumes is already well established. Dipping in and out at random is unlikely to have any effect and certainly doesn’t take context into account. Many firms attempt to get around this with huge lexicons designed to identify trigger words. But even if these can be applied across all communication channels (spoiler: they can’t), these lexicons are not only hugely difficult and complex to create and set up, they’re a blunt tool when precision and nuance are needed. Trigger words generate hundreds of alerts, all of which have to be checked manually. That’s bad enough. But worse is that 99.9% of these alerts are false positives. Compliance teams spend endless hours and resources checking these, but it largely becomes a box ticking exercise with no real insight and very little impact on real risk reduction.
Leverage AI, ML, and technology
Better technology and the use of AL and ML can solve both of these problems, allowing firms to capture all their data and store it in a single data reservoir and then apply smart search tools as needed. At the same time, real time monitoring is hugely enhanced with the use of AI and ML which can detect genuine bad actors by analyzing context and monitoring multiple channels simultaneously. The result is reduced complexity, vastly enhanced effectiveness, and less manual effort. All of which ultimately reduce risk.
A “capture once” approach allows a standardized, consistent method of gathering, aggregating and normalizing data. Taking the eComms data and integrating it with outputs from order management execution management systems then leads to a more granular understanding of trading behavior and an optimized internal process.
Firms need a strategic, smart approach to integrating communications surveillance systems.
Multi communication channels have forever removed the option of a simple email storage server and recorded voicemails and any firm that aims to truly meet regulator requirements to minimize bad actors, in order to reduce the likelihood of fines and reputational damage should be actively exploring multi-channel communications surveillance software.