
How Big Was Your Bonus?

Posted originally on Oliver Bradford’s LinkedIn

Apparently, that was a burning hot question at one of the largest European banks. Inquiring minds wanted to know. In fact, a few employees of the global financial and services company were so intent on finding out that they used their own monitoring software to snoop on their bosses. And their colleagues.

In a world where data privacy is paramount and those entrusted with the role of compliance are bound to duty, this behavior is anything but cool. Of course, this behavior is what keeps executives up at night – if you don’t know what you don’t know, how will you know if your compliance officers are doing things they shouldn’t be? Read on to learn about some new functionality that protects your firm if you’re worried about the fox watching the hen house.

Back to the story about the compliance officers at the European bank who made headline news. Needless to say, the behavior of those nosy employees didn’t go down very well. And yes, as you guessed, they got caught. This story plays out as a cautionary tale. When the fox is guarding the hen house, provisions need to be in place to ensure that the privacy and safety of the hens aren’t jeopardized by those tasked with protecting them. Let’s dig in.

This bank uses (or at least formerly used) a compliance monitoring tool that, for months, was tested for its ability to detect any nefarious behaviors of the firm’s employees, executives, and customers. Thousands of emails were screened daily to hunt for illicit activity. More often than not, the digital communications exchanged proved to be innocuous; nothing worth reporting.

However, three employees – in the compliance department at the London office no less – were burning up because they were denied knowledge of what their boss’ bonus was. Curiosity killed the cat, as they say, since we’re riffing here with one adage after another. They didn’t stop once they pulled their supervisor’s bonus. Oh no … they kept digging. In fact, they apparently became obsessed with snooping into their colleagues’ shopping habits, too, along with the pay and medical records of thousands of other employees in their global markets division.

They indulged their burning curiosity from March through June 2019. At some point thereafter, an internal investigation was launched for purported misuse of the compliance platform. Yes, here comes another adage – there’s always a rat. That whistleblower spurred the stakeholders into action with Operation Ingot (FYI, an ingot is a rectangular bar of gold, silver, steel, or other metal). Feel free to fault the stakeholders for their lack of marketing prowess and creativity in naming the operation, which would have been more fittingly called Operation Foxtrot or something (so says the creative spirit behind this blog). But you must give the stakeholders at the bank credit for upholding their values and taking compliance seriously enough to authorize an investigation based on a rumor.

On the flip side, the unethical trio should also get props for their creative defense, “We wanted to push the boundaries of the compliance tool.” Indeed, that’s as clever a response as it is unscrupulous. That said, apparently, it worked: no disciplinary action has been taken against the trio. However, it should be noted that their access to the platform was duly suspended.

That lack of consequence opens a lot of burning questions that other curious people are going to demand answers to. Curious people and authorities, the Financial Conduct Authority (FCA) to be specific, likely need answers. Apparently, the FCA caught wind of the violation (and the lack of action against the perpetrators) and did its own investigation. However, it has been mum on what action, if any, it plans to take as a result of its inquiry. A spokesperson for the UK’s Information Commissioner’s Office made this statement to Bloomberg, which broke the story: “The ICO is aware of the matters raised and we are considering the information provided.” The FCA, however, did not respond.

Inquiring minds want to know if there has been any retaliation against the whistleblower. Inasmuch as rats are known to jump from sinking ships, they also tend to stick around if the ship is still afloat. Rats have a finite ability to hide because there’s always a fox who can outsmart the rat and sniff them out. So, we’re taking a wild guess that the rat is still there. The bank reportedly “tightened up their procedures,” according to Bloomberg, but what it did regarding the utilization of this commercial tool is not known publicly.

The plot thickens…

Where there’s smoke – there’s fire. With the rabbit out of the hat about who’s getting paid and how much, there were bound to be repercussions. By now, you’ve probably noticed that we’ve used as many adages as we can in this blog just to keep things fresh and exciting for the reading pleasure of all those who read our blogs with some regularity – and we thank you for that!

Does anyone care to place a wager on how many other employees are going to come forward now that the pay and bonus structure has become a little “less opaque” as a result of the foxes testing the boundaries? Beyond the ripple effect and potential fallout around fair pay, there’s another important aspect to this story. Managers inside the bank where this incident occurred, as well as executives from other financial institutions, have had their hackles raised. Collectively, they all now want to know what their staff is searching for to ensure that daily compliance monitoring duties are being accomplished – without any abuse of the platform. With that, we’ve entered the next frontier of compliance where coyotes are now watching the foxes who are watching the hen house.

And, given that hindsight is 20/20, we can look at this incident with a new lens and apply lessons learned to guide managers on how to assume the role of “coyotes” so there isn’t a repeat at your firm. Within every bank, there are complex hierarchies for the chain of command and approved flows of communications. Our monitoring solution can be set up so that your managers are able to override these hierarchies for given scenarios: by adjusting end-user permissions, specific channels can be excluded from those information flows. Another critical feature is a fully documented audit trail where every communication (email, text, etc.) is tagged with a specific identification number. Anyone who then views that communication has the registered ID number recorded in their view log. Enabling privacy terms, where specific communications can be hidden from view until access is approved, keeps the “foxes” under the watchful eye of the coyotes.
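To make those two controls concrete, here is a small added sketch (not the vendor’s product code or API; the class, field names, sample IDs and the no-self-approval rule are assumptions made for illustration). Every communication carries an ID, every view attempt is written to the log against the viewer, including denied ones, and restricted items stay hidden until access is approved.

```python
from collections import Counter
from contextlib import suppress
from dataclasses import dataclass, field
from datetime import datetime, timezone

class AccessDenied(Exception):
    """A reviewer tried to open a hidden communication without approval."""

@dataclass
class MonitoringStore:
    comms: dict = field(default_factory=dict)     # comm_id -> (body, restricted)
    approvals: set = field(default_factory=set)   # (reviewer, comm_id) pairs
    view_log: list = field(default_factory=list)  # append-only audit records

    def add(self, comm_id, body, restricted=False):
        self.comms[comm_id] = (body, restricted)

    def approve(self, approver, reviewer, comm_id):
        if approver == reviewer:  # assumption of this example: no self-approval
            raise ValueError("self-approval is not allowed")
        self.approvals.add((reviewer, comm_id))
        self._log(approver, comm_id, "approved:" + reviewer)

    def view(self, reviewer, comm_id):
        body, restricted = self.comms[comm_id]
        allowed = not restricted or (reviewer, comm_id) in self.approvals
        # Log before deciding, so denied lookups leave a trace as well.
        self._log(reviewer, comm_id, "viewed" if allowed else "denied")
        if not allowed:
            raise AccessDenied(f"{reviewer} needs approval to view {comm_id}")
        return body

    def _log(self, actor, comm_id, outcome):
        ts = datetime.now(timezone.utc).isoformat()
        self.view_log.append(
            {"ts": ts, "actor": actor, "comm_id": comm_id, "outcome": outcome})

    def denied_by_actor(self):  # what a manager reviewing the log would query
        return Counter(r["actor"] for r in self.view_log if r["outcome"] == "denied")

def demo():  # constructed sample data; names and IDs are made up
    store = MonitoringStore()
    store.add("COMM-0001", "Lunch at noon?")
    store.add("COMM-0002", "Bonus letter attached", restricted=True)
    store.view("reviewer_a", "COMM-0001")
    with suppress(AccessDenied):
        store.view("reviewer_a", "COMM-0002")   # hidden: logged as denied
    store.approve("manager_b", "reviewer_c", "COMM-0002")
    store.view("reviewer_c", "COMM-0002")       # approved: logged as viewed
    return store
```

The denied count per reviewer is the number a “coyote” would watch: a reviewer who keeps probing hidden items shows up in the log even though nothing was disclosed.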

So, if you’re concerned about the foxes watching the hen house, consider this an invitation to take a look at a new, safer cage.

