By Donald McElligott, VP of Compliance Supervision, Global Relay
In recent years, communication compliance has become a minefield to navigate, especially as regulators issue ever-increasing fines. So far this year, the U.S. Securities and Exchange Commission (SEC) has issued over $480 million in fines for recordkeeping and off-channel communication compliance failures, with more rumored to come.
In the wake of these crackdowns, it’s no wonder that businesses are turning to evolving technology – like artificial intelligence (AI) – to help effectively monitor communications, identify regulatory breaches, and report failures to mitigate potential penalties.
But implementing advancing technology is not always simple. Firms must choose the right frameworks and architectures to fit their compliance needs, ensure they stay ahead of regulators, and avoid fines further down the road.
Regulatory oversight is growing
As a first step toward building effective communication compliance, firms must understand the regulatory space they are operating in. For several years, regulatory agencies in the U.S., like the SEC and the Financial Industry Regulatory Authority (FINRA), have taken more direct stances around communication compliance than peers in other jurisdictions.
In 2021, the SEC launched an initiative to monitor and curb the use of ‘off-channel’ communications, particularly those sent through the messaging platform WhatsApp. Since then, the agency has imposed more than $2 billion in fines on firms for failing to maintain and preserve electronic communications.
And this trend is set to continue – in July, the SEC targeted 26 financial firms, issuing nearly $393 million in fines for failing to keep adequate records of electronic communications. Similarly, FINRA has cracked down on AI-created communication and chatbot communication, emphasizing that stricter oversight of these channels will better ensure compliance and prevent misleading communications.
With increasing pressure from regulators, financial firms must lean into technology resources in order to ensure they meet the standards for communications compliance across the territories they operate in.
Technology is a gamechanger for communication compliance – but where to start?
Before identifying which platforms and tools they want to use, firms need to pinpoint their specific pain points and which compliance tools are needed to solve these issues. For example, firms with complex, multi-vendor solutions waste a lot of time reviewing content spread across multiple channels and platforms. A single solution to consolidate all communications into one system streamlines performance, increases efficiency, and helps reduce risk.
Additionally, each firm will have its own unique set of requirements to manage its specific compliance needs. One company may need a more robust and cooperative system to satisfy audit requirements or submit more timely responses to discovery requests, while another’s main concern might be the need to strengthen data integrity and security. Identifying specific needs is key to efficient workflows and mitigating risk.
Another important step is to determine whether an internal system or a third-party partner better meets an organization’s needs. Companies looking to create their own internal systems should look for solutions that integrate seamlessly into existing infrastructure and architectures and can adapt to emerging technology. For example, tools like OpenAI’s compliance application programming interfaces (APIs) for enterprise customers allow companies to manage their data while still prioritizing privacy and compliance with regulatory standards, and to compliantly capture and archive prompts, conversations, and file attachments between individual users and the ChatGPT bot.
Conversely, working with a third-party partner requires firms to focus on consolidation. While external partners can be vital for effective processes, using multiple partners for critical operations adds complexity, which can expose firms to compliance gaps. Firms should use this opportunity to simplify and streamline their processes and avoid risks to operational resilience – especially with more regulators focusing on this area.
It’s also critical for businesses to have a start-to-end plan after they begin monitoring and capturing employee communication. Firms will need to factor in how to migrate data from old end-of-life (EOL) technologies and systems to newer solutions. Regulators will want to see this step featured in business continuity plans and know that a firm has sought out the least disruptive solution possible. Migrating large amounts of data, while maintaining strict chain-of-custody controls, can be a challenging process. This may require working with a migration partner with expertise in EOL transitions within regulated industries.
Organizations also need a plan for how and when to report breaches in case there is a communication compliance failure. The SEC has outlined that a company’s decision to directly disclose recordkeeping rule violations can potentially reduce the fine it receives. Prompt self-reporting, as well as a firm’s level of cooperation during an investigation, and clear efforts to prevent off-channel communications, can help reduce fines.
The path toward compliant communications is tech-focused and action-oriented
In today’s era of intense regulatory oversight around business communication, firms must determine how to capture, store and analyze communication data, which technologies they will employ to achieve compliant data capture, how they will set these steps into action through EOL data migration plans, and how and when they will self-report in the case of a data breach. Technology solutions, like AI, and digital upgrades, such as data management platforms, will serve as the backbone to achieving compliant communication and ensuring outlined plans can become reality.