Risk & Economy » Compliance » Risk of record management misconduct heightened by remote working

Financial Services firms are under increased regulatory pressure to ensure record keeping management remains compliant as remote working and technological advancements triggers misconduct risk.

“[The pandemic] has completely changed the approach to communication and collaboration in the corporate world,” says Ben Chrnelich, president and CFO at Symphony.

The amount of digital communication channels that people are using while working such as WhatsApp, Zoom, and other messaging platforms has expanded significantly, he says.

“The proliferation of all these applications has made it really difficult to have consistency of communication. The challenge is that the number of records and documents that you need to review have expanded significantly across all these different applications.”

As a result, finance leaders need to be cognisant of putting in place a consistent approach on how employees communicate with each other and their clients, and where the record exists, he says.

Risks from reduced monitoring

In December, the Securities and Exchange Commission (SEC) announced it had fined JP Morgan Securities $125m for “widespread and longstanding failures by the firm and its employees to maintain and preserve written communications”.

The firm admitted employees communicated through text messages, WhatsApp, and personal email accounts frequently from at least January 2018 to November 2020. None of the records had been maintained as required by federal securities laws.

“As technology changes, it’s even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels in order to avoid market oversight,” said SEC Chair Gary Gensler in a statement.

Moreover, the Financial Conduct Authority (FCA) reminded firms during the pandemic to remain compliant with the recording regime SYSC 10A (Senior Management Arrangement, Systems and Controls) while teams are working remotely.

“Firms will need to ensure that, if such apps are used for in-scope activities on business devices, they are recorded and auditable,” the FCA said. “We expect firms to have a rigorous monitoring regime, commensurate to the increased risks, where in-scope activities may be conducted outside the controlled office environment.”

Mitigating the record management risk

Record management can act as a safeguard for companies not just to ensure compliance but also in times of disaster recovery, confidentiality breaches and security threats.

The world is becoming “much more fluid” in how it communicates, according to Brian Lynch, US president at SteelEye.

“Being in a work or home environment means all of those channels have probably been harder for firms to oversee with people in their distributed environment.”

As such, companies should look to update their record keeping policies and surveillance processes, ensuring their robustness and enforcing them effectively, adds Lynch.

This includes outlining expectations of employees to avoid potential grey areas and unaccounted scenarios in the company’s guidelines, adds Chrnelich.

Moreover, firms should not turn a blind eye to minor transgressions, highlights Lynch. “When someone sends you an internal WhatsApp message, then there’s probably a likelihood they’re using the same channel for client communication.”

Most notably, in 2017 Deutsche Bank became one of the first banks to ban all text messages sent through WhatsApp and other communication apps. In 2020, the bank announced it had integrated Symphony’s solution to employees “preferred chat platforms” allowing them to communicate with clients while meeting security and compliance criteria.

Moving to cloud-based tools

When companies operated mainly in an office environment, records management data would have been integrated and stored on-site, according to Lynch.

The shift in wider adoption of cloud-based and Software as a Service (SaaS) applications means data of voice, text and email communications can be collected from multiple locations and stored efficiently, says Lynch.

For CFOs, the partnership with the CIO and technology team is critical especially as technology plays an important and material part of running any organisation, says Chrnelich.

CFOs need to be in sync with the senior technology team to understand tech applications the company is deploying, it’s usage and what are the systems of record in place, he says.

“I encourage CFOs to understand all the different ways that customers interact with you and be comfortable in those tools.”

Chrnelich highlights employers should be transparent on the employee data they have access too to avoid breaches of privacy especially when record management tools are deployed on personal devices.