In the midst of the current coronavirus crisis, life is changing for everyone. The stock market has been very volatile. Governments, schools, entertainment, sports, and retail have shut down operations independently or are being mandated to do so. Businesses are increasingly asking their employees to self-quarantine, practice social distancing and stay home. But if you’re a financial trades broker or firm, how do you monitor transactions, behaviors and eComms outside of your office? This virus may be thwarting efforts to socialize and attend large-scale entertainment attractions, but it’s certainly not going to curb efforts to leverage the crisis for the purpose of perpetrating market abuse crimes.
The majority of your employees are now (likely) working from home. Do you know what equipment they’re using? When’s the last time that you audited their laptops and phones to ensure that their eComms, virus protection (no pun intended) and applications were compliant with corporate policies?
Volatile markets are busy times
For many investors, volatile markets signal that it’s time to act. The world is currently hopeful that this pandemic will ease up once the summer starts. And, as is the case for every US election year, the instability of the markets in the months before the vote is typically replaced with a vigorous rally once a new President is selected. This suggests that there will be a flurry of activity and an increased number of trades to monitor. The market’s expected volatility makes it extremely difficult to spot unusual or out-of-the-ordinary behaviors, for example a trader selling a large number of stocks due to insider information he received.
This could be a bumpy ride. For how long, nobody knows, but it’s going to put additional strain on global and local economies, as well as on the people. Our “new normal” will be fraught with anxiety and unprecedented challenges trying to live and work almost exclusively in a virtual world.
Are you ready for work-from-home?
Thousands of businesses have been caught off-guard, scrambling to hastily scrape together contingency plans in the event that their employees need to work from home. Beyond the obvious issues related to maintaining the supply chain and the staffing required to support critical industries, and floating catastrophe pay arrangements to sustain staff (hourly workers in particular), business leaders have been grappling with the reality of eComms. How can you monitor what you don’t have access to?
Many businesses have not yet drafted policies that meet current applications of technology and eComms, let alone established strict protocols governing monitoring and surveillance in the event of a global crisis. Few could have predicted the scourge that is plaguing the planet today. Large banks and other enterprise financial institutions generally require the use of mobile technology and laptops provided by and approved by the firm. But even those firms still cannot monitor employees who are no longer sharing an office with colleagues and are now sharing trading ideas, actions, and tips on less-monitored channels.
Small to midsize financial institutions have not provided every employee with technology to enable remote work. Some have prohibited the practice of BYOD (Bring Your Own Device) in an effort to direct eComms and practices on systems controlled by the firm. Many brokerage houses are now wrestling with the question of ‘to trade, or not to trade’ given that their employees will most likely be asked to self-quarantine yet perpetuate “normal life” as best as possible in an effort to prevent total global economic collapse. Do you pay them to keep working, and, if they’re still working, do you permit them to use their personal mobile phones and laptops?
How to develop a contingency plan as a financial institution
As is the case for nearly everything, you simply don’t know what you don’t know…until you know that you don’t know it. That’s a rather convoluted way of stating that, because you can’t be ready for everything, you need to conduct a scenario planning exercise and then establish a contingency plan for as many scenarios as possible. But where do you begin?
- Audit everything. Conduct an inventory of every mobile phone, laptop and IoT device on your network. Who owns it and, if it’s an approved device, what software is on it? If it’s not approved, obviously immediately disable access. This will take considerable time.
- In parallel, begin generating a list of “acceptable” or approved software and applications for any IoT device connected to your firm’s secure network.
- Create a detailed roster beginning with a registration list of all employees, their physical home address, home phone, and mobile phone numbers plus their supervisor’s home address, home phone, and mobile phone numbers. All titles, registrations, and lists of approved business activities must be captured. If any employee has had a history of discipline problems or compliance violations, consider restricting remote access for those employees.
- Enable an onsite and remote work inspection team. Ensure that they have the required authorizations and systems access to conduct their inspections. Enablement includes providing a clear definition of how and how often these inspections will be conducted.
- Policies need to be created or updated with a set of defined protocols. These should include annual (or semi-annual) audits of all IoT devices accessing the network; conducting a review then generating a revised list of all approved software plus applications for IoT devices; regular updates to an employee roster and required timing for self-reporting of any new employee contact coordinates. Most importantly, your policies should strictly prohibit the use of personal devices, systems and software for conducting trades, e-Comms, analysis and other activities related to the functional business role.
- Written procedures defining the permissions required and stepwise documentation of work-from-home approval requests and authorizations will be required as an audit trail. In order to secure authorization for remote work, employees may be asked to review and sign a “refresher policy.” This may include highlights of approved practices for e-Comms, trades, restrictions regarding in-person meetings with clients, documentation, the electronic and physical storage of documents and measures to ensure that client privacy is maintained according to GDPR and other regulations.
- And finally, consider having in place a system that can proactively monitor and alert if a suspicious conversation is happening under your radar. The potential of wild market movements means fraud and errors will have a much larger impact than usual.
Where do we go from here?
These are challenging times. It’s unclear how long it will take for financial institutions to rein in all eComms, trades and other business functions for appropriate surveillance operations. However, a systematic approach to defining your firm’s business practices and the technologies used to enable those practices can help you navigate this ongoing market storm and prepare you for the future of work, which is increasingly tilted toward working from home.