Individual Accountability - Enforcement Gets Personal

What do the chief executive of a US online store, the chief information officer at a UK bank and multiple senior employees at a US bank all have in common? They have all faced individual enforcement action for failing to comply with compliance expectations around the use (or indeed abuse) of technology. 

In October 2022 the U.S. Federal Trade Commission took action against a firm and its CEO for security failures that exposed the data of 2.5m customers. The firm was alerted to the security problems two years before the breach but failed to take steps to protect customers’ data from hackers. The sanctions imposed included a requirement to destroy unnecessary data, restrictions on the data the company can collect and retain, and specifically binds the CEO to specific data security requirements for his role in presiding over unlawful business practices. Notably, the FTC order will follow the CEO even if he leaves the firm - he will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.

In April 2023, the UK Prudential Regulation Authority fined the former chief information officer of a UK bank £81,620 for failing to take reasonable steps to ensure the bank managed and supervised appropriately its outsourcing arrangements in relation to its 2018 IT migration program. The fine followed the enforcement action taken in December 2022 against the bank for operational resilience failings, which resulted in a financial penalty of £48.7m. The bank also paid £32.7m in redress to customers who suffered detriment. The regulator determined that the CIO’s failings undermined the bank’s operational resilience and contributed to the significant disruption experienced.

In January 2023, it was reported that another U.S. bank had clawed back millions of dollars in employee fines as part of the remedial action following the $2bn+ fines imposed in the U.S. for failing to capture unmonitored communication channels. In some cases, the pay is being clawed back from previous bonuses and in other cases it will be deducted from future pay. The fines which ranged between a few thousand dollars and more than $1m were reportedly based on a points system that looked at the number of messages sent, the employee’s seniority and whether they received prior warnings. 

Lessons to be learned

Firms in all sectors need to understand, and have robust policies and procedures to manage, all aspects of security and compliance relating to the deployment of technology. That ranges from lax data security to failed outsourcing to the use of unmonitored channels. It is no longer a theoretical business risk but, as has become increasingly apparent, a potential personal liability. 

There are several key lessons for firms and their senior employees:

• First and foremost is the need to have the right modern solutions in place to enable security and compliance in practice. Economic reality is that firms need to have value for money for any new spend and wherever possible that spend should generate cost savings either in terms of money or other resources or both. Not spending on modern solutions may be costly as legacy solutions may no longer be fit for purpose as technology, particularly communications technology is rapidly adopted. As an example, a legacy solution which can only capture and oversee email could end up costing a firm orders of magnitude more if that firm then is unable to compliantly archive and monitor voice, chat or video. And that failure could well have personal ramifications for the individuals involved. 
  
  
• Prevention is better than cure and the best method of prevention is often education. Regular training on both regulatory expectations (around, say, the approach to data security or outsourcing) as well as compliance expectations is a good way to keep the message fresh and provide an audit trail. The fines and other sanctions imposed on individuals by both regulators and organizations themselves would make excellent examples for any training program.
  
  
• Firms should not underestimate the need for and role of robust record keeping. Firms and senior individuals should be aware that the way they use all forms of internal and external communication will not only be monitored (and discoverable) by regulators but will also be used as indicators of behavior, conduct risk and culture. 
  
  

How Theta Lake can help

Theta Lake’s multi-award winning product suite provides patented compliance and security for modern communications utilizing over 100 frictionless partner integrations that include RingCentral, Webex by Cisco, Microsoft Teams, Slack, Zoom, Movius and more. 

• Theta Lake captures and compliantly archives communications including videos, voice, chat, screen share and file transfer from mobile messaging platforms to SMS and WhatsApp to enable compliance with relevant record keeping and other requirements. It also acts as an archive connector, enabling existing archives and data storage to be utilized without disruption. 
  
  
• AI-enabled automated detection of potential or actual misconduct requiring reporting to the risk committee or regulator. Identified risks are surfaced in an AI-assisted review workflow providing an efficient and effective review process for compliance teams. Theta Lake has more than 85 risk detections which are pre-trained and ready for customer use with customers able to provide feedback and training on the classifiers. 
  
  
• The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors, regulators or prosecutors. For example, chat messages can be viewed in their native format over the entire history of the conversation with full context retained together with in-meeting communications and images, GIFs, emojis or reactions that change meaning and context. 
  
  
• Theta Lake’s compliance suite is SOC2, Type II audited and maps controls to ISO 27001 so confidential, privileged or sensitive data can be automatically redacted to meet data privacy and other legal obligations. 

Theta Lake’s regulatory and data science teams are happy to discuss any of the issues in greater detail. You can find further regulatory perspectives from Theta Lake here or you can join a weekly 30-minute demo webinar here.