Senior Marketing Manager
Digital communications compliance may be the most improtant sector of RegTech that you’ve never heard of. The compliance industry has long been one the most complex aspects of any type of risk management, and with the further explosion of globalized business, digital communications compliance brings together one of the most complex aspects of regulatory compliance.
Digital communications compliance requires next-level design thinking and cutting-edge technology. That’s because it includes monitoring every form of eCommunication across the entire internet of things. If people exchange .gifs, videos, voice notes, emojis, jump languages or blur them together as in the case of “Spanglish,” all that must be surveilled for compliance. And compliance is not limited to financial matters like market abuse or fraud; RegTech vendors must also scan for personal misconduct such as harassment of any type be it sexual, gender, racial, and so on. That’s a tall order. Not to mention how the stakes are getting higher as the SEC encroaches on social media and is seemingly insatiable when it comes to enforcing rules for digital communications compliance.
There are multiple layers of complexity regarding communications compliance. First, the volume is unmanageable. In 2021, the number of people communicating by eComms apps like WhatsApp, WeChat, and others crossed 3 billion. Each day, more than 121 million people use WhatsApp and they check messages on the app at least 22 times per day. Annually, more than 8.4 trillion text messages are sent –that’s around 23 billion daily. Let’s not forget about the most common digital communication: Email. More than 300 billion emails are sent every 24 hours and around 1% of those are phishing or other fraudulent formats.
Second, Millennials and Gen Z tend to favor digital communication through imagery. People send more than 10 billion emojis daily across all eComms apps. There are now more than 100 million Giphy users who are collectively sending over 1 billion .gifs per day. Photos are even more popular to exchange with over 5 billion daily sent via eComms apps.
Not just images are on the rise, but voice notes, too. On WhatsApp alone, more than 150 million such notes are shared every single day. This remains one of the greatest areas of digital communications compliance threats because voice monitoring is comparatively lagging with respect to technology advancement. Voice notes present an opportunity for bad actors to exploit by switching languages, muffling the phrases spoken, distorting the sound through voice synthesizers, or masking the sound with running water or other backgrounds that further exacerbate the challenges of monitoring what is being said.
And with all of these, there is nuance. It’s what makes humans human. Tone, inflection, a deliberate pause, or other such variations in our speech patterns can signify an intentional emphasis that would otherwise go unnoticed by an artificial intelligence algorithm. For example, is a pause just a pause, or does it mean something else? If a song is captured in the voice note, does the selection of that song hold meaning or did it just happen to be playing when the person was recording their message?
Another point of complexity is the number of regulatory bodies, and hence rules, that must be followed to achieve digital communications compliance. Many of these agencies have a purview outside of financial industries. For example, there is GDPR (General Data Protection Regulation). Published in the EU in 2016, it is the toughest security and privacy law in the world. Not only does it have “big teeth” with the ability to exact fines like €20 million for Clearview AI Greece, another €20 million for Clearview AI France, €17 million for Meta, and €10 million for Google, just to name a few, but it has an international reach. There are numerous regulations and policies governing the transfer of personal data across country boundaries.
Markets in Financial Instruments Directive (MiFID II) raises the standard for transparency regarding the operations of investment houses, but it is creating a lot of consternation for compliance officers. At its core, the requirement is that financial firms prove they have “acted honestly, fairly, and professionally in accordance with the best interests of their clients at all times.” Doing so requires clear, fair, and straightforward marketing communications in addition to numerous expected aspects of compliance aligned with investing criteria. However, the real pain point of MiFID II is the requirement to create a complete and chronological record of every broker/investor interaction then track and archive each of those interactions: This must be done for every transaction.
The Commodity Futures Trading Commission (CFTC) requires that financial firms maintain, preserve, and produce records (on demand) in addition to supervising “all matters” related to their business as registrants of the CFTC. This includes overseeing all communication including restricting digital communication to only approved devices. In September 2022, the CFTC laid out hefty fines totaling more than $700 million hitting Barclays, JPMorgan Chase, Morgan Stanley, Citi, UBS, Goldman Sachs, and Credit Suisse with $75 million each in fines for failing to stop their employees from using unapproved eComms apps. Bank of America had the unlucky distinction of receiving the heaviest fine: $100 million.
The Securities and Exchange Commission (SEC) entered the year 2022 “swinging for the fences” with their full-on assault against financial firms who failed to monitor and archive eComms messages and for their poor display of leadership where executives openly flaunted compliance policies by using unapproved personal devices and WhatsApp. JPMorgan Chase was hit the hardest with more than $200 million in fines along with the termination and sentencing of a couple of executives. But the SEC was just getting started. Within a few months, they had levied over $1.1 billion in fines on the world’s biggest financial firms to make their intentions clear about digital communications compliance. By year’s end, the SEC posted a record-breaking 760 enforcement actions which yielded a collection of $6.4 billion in penalties and public disgorgements.
The Financial Industry Regulatory Authority (FINRA) is an independent body within the USA that helps ensure financial integrity of the industry, funded without tax-payer dollars. FINRA Rule 2210 has a set of guidelines that span three categories of communications: Correspondence, retail communications, and institutional communications. One aspect of the rules is specific to digital communications channels governing which ones to use, how policies need to stipulate usage, and how all such communications must be clear and easy for clients to understand. An emerging set of rules governs the gamification of financial services which may influence clients into making transactions they probably should refrain from. Gaming represents a potential future “hot potato” in the realm of digital communications compliance because rules may extend to monitoring and storing what is “said” by game avatars prior to conducting the financial transaction.
The Financial Conduct Authority (FCA) also imposes strict guidelines regarding digital communications compliance. Specifically, each post, Tweet, or other engagement on social media must be considered individually, monitored, and archived. Another legal influence is the Market Abuse Regulation (MAR). It was published around the same time as GDPR and aims to uphold the integrity of the market and to protect investors. Compliance with its rules requires communications surveillance.
The “usual suspects” like email, text messaging on all the 80+ eComms platforms in use today, phone calls, live chat, and voicemail are well understood when it comes to the expectations related to monitoring for compliance. But nothing in compliance is as simple as it sounds. Voicemail on the office phone is a relatively easy thing to monitor, but how many banks still have landlines in use? Everyone uses their personal phones, and, if that phone is not registered for use related to financial transactions, monitoring the voicemail and text messages exchanged on that device are no longer simple. The boundary between what content is personal versus work-related and where that boundary of monitoring starts and stops becomes a little blurry. Yet compliance officers must do so in fulfillment of their job responsibility which requires that they monitor for potential misuse, sensitive data breaches, or inappropriate language.
The not-so-usual suspects include Slack, Teams, Monday, and other collaboration solutions which enable interaction in real-time. Digital communications compliance policies must get more granular to specify if those interactions should be monitored in real-time as they happen or recorded, stored, and analyzed after-the-fact. Here, the lines around individual privacy do become messy and require affirmations from employees to ensure compliance. Platforms like SnapChat or enabling the “Disappear” function on Instant Messenger by Meta pose significant threats to compliance officers: How can you monitor, analyze, store, and retrieve something in the future if it doesn’t exist long enough to be captured?
As people increasingly use FaceTime, WhatsApp, Zoom, and other services to video-conference, the demand on compliance officers and RegTech providers to develop solutions capable of monitoring them grows burdensome. It also poses a logistics challenge to record, archive, and make all those recordings accessible on-demand even as digital technology formats change regularly. Another type of digital communications that must be monitored for compliance include Dropbox and Google Drive. Efforts must be made to ensure that sensitive documents are only shared with those who are legally entitled to see them. A log must also be active to track who looked at which document when.
Digital communications compliance may be a new term, but the risks for inadequate adherence have been around for decades. Although the boundaries and regulatory consequences, such as legal actions, fines, and penalties, are ever evolving, many risks are already abundantly clear. These include:
Digital communications compliance is vital for an organizations success. Enacting a solution that meets today’s standards and future-proofs your organization is within reach. What can be an often overwhelming strategic decision, finding a software partner that can help automate once manual processes and create team efficiencie, allows your team to maintain compliance.
When looking for a solution, consider the following.
Digital communications compliance is complex and, as an evolving field, there always more to know, but one thing is for sure: There are severe consequences for non-compliance. However, there is a way to protect yourself from regulatory rebuke and fines. A robust compliance strategy reduces the likelihood of a breach and financial losses, as well as downstream reputational effects. Efforts to get ahead of the authorities by taking proactive actions now to future-proof your firm can dramatically alter a firm’s potential exposure.
Shield gives you confidence in your digital communications compliance strategy. From ingestion to multi-layered AI surveillance models, the way you search, and your ability to organize cases—monitoring communications, no matter the type, is no longer untenable. With all these things your team can understand all types of communications and their conext, giving you the ability to read between the lines.