It’s clear that the flexibility regulators including ESMA, the FCA, FINRA, and the SEC offered financial services firms around the relatively unfettered use of modern collaboration and chat tools like Zoom, Microsoft Teams, and Webex by Cisco during the pandemic has come to an end. No action relief issued at the outset of COVID-19 has expired, and regulatory missives in the second half of 2021 indicate a marked change of tone and expectations for firms using dynamic communication platforms.
A steady stream of guidance during the back half of 2021 demonstrates that regulators now expect firms to implement consistent compliance and supervisory controls for collaboration and chat platforms whether in-office or remotely. Moreover, regulators have taken a closer look at the video, voice, chat, and file transfer capabilities of collaboration and chat tools and are expanding their interpretation of written electronic communications to extend to collaboration features like screen shares, whiteboards, and polls.
Starting with ESMA’s updated MiFID II Questions and Answers in May 2021, and reaching a crescendo last week with the SEC’s announcement of a horizontal sweep of electronic communications platforms, regulators are telegraphing clearly and consistently that they expect adherence with both the spirit and letter of e-comms, record keeping, and supervision requirements.
ESMA
ESMA’s Q&A kicked off the notification cycle emphasizing the breadth of its expectations in defining the types of e-comms subject to MiFID II recordkeeping and supervision. ESMA stated “‘electronic communication’ covers many categories of communications and includes amongst others video conferencing, fax, email, Bloomberg mail, SMS, business to business devices, chat, instant messaging and mobile device applications.” The inclusion of video conferencing in the revised Q&A likely piqued the interest of Continental compliance officers who had not previously considered the implications of VC platforms.
FINRA
Having issued a set of COVID-19 FAQs in March of 2020, FINRA followed up with amendments to its Advertising FAQs on September 30, 2021. These updates included guidance regarding e-communications capture, retention, and supervision obligations for online videos, dynamic charts, whiteboards, polls, file transfers, and chat. Notably, under certain circumstances, each one of these features now falls under FINRA’s definition of an electronic communication and may require pre- or post- review as well as implicate recordkeeping and supervision obligations depending on the forum in which they are presented. For example, FINRA’s updated take on the use of collaboration platform whiteboards in the retail communications context is as follows:
if during an online meeting that includes more than 25 retail investors, a representative responds to a live audience question by using the platform’s whiteboarding feature to draw a diagram illustrating the differences between a conventional bond and a stock, that content would meet the definition of a retail communication in FINRA Rule 2210(a)(5) . . . the firm may review the whiteboarding content in the same manner as required for supervising and reviewing correspondence pursuant to FINRA Rule 3110(b) and 3110.06 through .09.
FCA
Following up a few days later, the FCA released “Remote or Hybrid Working Guidance for Firms” covering compliance, supervision, the Senior Managers Regime, and electronic communications platforms. While the FCA’s release touches on several relevant issues, the overarching intent of the expectations is crystal clear:
It's important any form of remote or hybrid working adopted should not risk or compromise the firm's ability to follow all rules, regulatory standards and obligations, or lead to a failure to meet them. (Emphasis added).
There should be no confusion about firms’ compliance obligations in the “new normal” of hybrid work: it does not matter where employees are sitting, they are subject to existing FCA requirements without exception.
While nearly all of the FCA’s pronouncements are worth quoting, the following points are particularly relevant and, when read in conjunction with ESMA’s guidance, apply equally to collaboration tools like Zoom, Slack, and Webex as well as the voice recording platforms discussed below. The FCA states that firms must be able to prove they have adequately planned in these areas:
- Control functions such as risk, compliance and internal audit can carry out their functions unaffected, such as when listening to client calls or reviewing files.
- It has the systems and controls, including the necessary IT functionality, to support the above factors being in place, and these systems are robust.
- It’s considered any data, cyber and security risks, particularly as staff may transport confidential material and laptops more frequently in a hybrid arrangement.
- It has appropriate record keeping procedures in place.
- It can meet and continue to meet any specific regulatory requirements, such as call recordings, order and trade surveillance, and consumers being able to access services.
SEC
Rounding out the busy regulatory season, news hit on October 12, 2021 that the SEC is engaged in a horizontal sweep of firms’ practices as they pertain to electronic communications. While publicly available details of the inquiry are sparse, the review was likely prompted by an issue at a particular financial institution. Moreover, while the analysis is focused in part on employee use of personal or non-business messaging platforms, it will no doubt focus on the risks related to the increased use of collaboration tools as a critical component of most firms’ hybrid work strategies.
A Better Way Is Needed, Now
As a whole, regulators are mandating record keeping and oversight requirements for collaboration and chat features like screen shares, whiteboards, webcams, and polls that previously occupied a grey area in compliance and enforcement. These recent statements coupled with an expectation that supervisory and cybersecurity controls must be applied consistently across work from anywhere environments means that compliance frameworks for dynamic communication tools must be modernized to incorporate comprehensive capture, archiving, and supervision across voice, video, and chat. Firms must move quickly, leveraging appropriate supporting technologies like Theta Lake’s, to align with emerging regulatory expectations.
Solving Complex Compliance and Supervisory Challenges
Have a look at our case studies and customer testimonials below to understand how financial services firms have successfully deployed Theta Lake at scale to help them solve complex compliance and supervisory challenges.
- “Theta Lake helped us very quickly implement a full compliance suite to capture and record all aspects of Microsoft Team’s Meetings as well as proactively detect risk in the recordings, enabling our compliance teams to be much more effective and efficient when performing review. Not only are we compliant with MiFID II regulations, but our compliance teams are able to scale with the growing volume of unified communications we are recording.” - Longview Partners Microsoft Teams Certified Compliance Recording
- “Theta Lake flat-out saved us time and money while improving our compliance coverage. We have rapidly scaled up our use of Zoom for meetings as well as recorded presentation and training content.” - Advisor Group Zoom Video Case Study
- “We have been recording client meetings for years and now with Theta Lake we have a tool to effectively use those recordings to improve our client experience, identify issues and ensure compliance. Importantly all our reviews are fully documented for audit purposes.” - Tupicoffs Zoom Phone and Video Case Study
- “Theta Lake will allow us to further expand our ability to introduce additional innovation around compliance and security for the next generation collaboration toolsets as this something we have done and continue to do.” - Wells Fargo Investment
- “Our new compliance process is exactly what I’d envisioned with Theta Lake. We’ve set up compliance policies for our recordings, and I get alerted when there’s a new risk detection in my review queue. Then, I can either accept or reject those reviews, as well as forward anything on to the managers for follow up training with the advisors.” - Reeves Independent Zoom Case Study
- “Theta Lake helps us meet the FCA’s clear recording and supervision requirements for voice and video calls using RingCentral. Theta Lake gives us a depth of security and compliance collaboration coverage that served us pre-pandemic, during remote work scenarios in the pandemic, and in the future as the work-from-anywhere environment evolves.” - Attivo Group RingCentral Case Study