Billions of dollars in fines and rising

Nearly half a billion dollars in fines announced by the European Commission for trading cartels involving ten global banks is a stark reminder of the challenges firms face in monitoring chat and instant messages to detect misconduct. Communications in chat rooms enabled the sharing of commercially sensitive information to go undetected for several years.

The traders violated EU rules that prevent anticompetitive business practices such as collusion on prices. The traders were in direct competition but knew each other and were in regular contact in chatrooms, where they colluded on trading strategies, exchanged sensitive pricing information and coordinated on prices.

These latest penalties add to the multi-billion dollar fines already levied over the last decade for interest-rate manipulation and price fixing, where ineffective compliance controls enabled traders to share confidential customer information with peers at competitors through chatrooms. Supervisory weaknesses in detecting misconduct led to some banks having no option but to disable chat.

The critical need for compliance oversight

Fast forward a decade and not only is chat integral to workplace communications, it has become more complex to supervise. With GIFS, images, links and files routinely attached along with emojis and reactions, compliance strategies need to address the heightened compliance and security risks. Particularly, given that working from home and the adoption of hybrid work-from-anywhere models has driven the exponential increase in chat usage. Whilst regulators have shown significant flexibility in supporting firms through the pandemic, it’s clear they still expect rigorous controls around communications even when staff work at home. The FCA has reminded firms of the need to continue to comply with recording obligations in SYSC 10A which remain the same whether staff are remote or in the office. Reports that banks are asking individuals to retain messages sent on personal devices reinforces the challenge of providing compliance oversight and meeting record retention requirements.

“It is important for firms to proactively review their recording policies and procedures every time the context and environment they operate in changes. We expect firms to have a rigorous monitoring regime, commensurate to the increased risks, where in-scope activities may be conducted outside the controlled office environment.”

FCA, Market Watch 66, January 2021

With regulators laser-focused on firms’ conduct and culture, coupled with accountability regimes being rolled out around the world designed to hold individuals personally liable for their behaviour, it’s more important than ever for firms to be able to detect and mitigate the risks of misconduct. Even in the case of the recent cartel fines, the banks that identified and proactively self-reported to the Commission were granted immunity from paying any penalties. Senior management must be able to demonstrate to regulators that they have both effective communications controls in place and have learnt the lessons from legacy misconduct and compliance failures within the industry.

What are the challenges in monitoring chat?

The enormous volumes and unique nature of chat features presents complex security and compliance challenges. That’s added to the regulatory requirements to retain electronic communications, from MiFID II requirements to SEC 17a-4, and the need to swiftly access records for regulatory supervision, legal investigations or customer complaints.

• Its shareable nature makes it easy for files, links, or screenshots to be sent internally and externally, increasing the risk of confidential data being shared, whether by accident or deliberately.
• Because chat is persistent any file, links or attachments remain accessible long after conversations have ended, regardless of how sensitive or confidential the information is.
• There aren’t limitations on size and they can support text, audio files, links, images, gifs, emojis and reactions, which all need to be captured.
• Reconstructing ongoing and fluid conversations spanning multiple days and participants, and capturing the full context of conversations that may include emojis, reactions and gifs, for effective oversight or to support investigations.
• The blurring of boundaries between work and home and the increase in chat being sent out of hours increases the risk of inappropriate behaviour extending wider that the sharing of illicit information.
• The millions of chat messages being sent within organisations outstrips the capacity of compliance and security teams to detect risks within them.
• The inability to capture and archive complete information such as original content shared from OneDrive or Sharepoint links, edited/deleted messages or images and GIFs, or contextual details like reactions and emojis prevents firms from complying with regulatory obligations for maintaining complete records.

How technology is enabling firms to manage the risks

In parallel with the growth in chat usage, developments in technology, artificial intelligence (AI) and machine-learning (ML) techniques are enabling firms to unlock the business value of collaboration platforms.   Firms are able to maximize the productivity benefits of using chat in Microsoft Teams, Cisco Webex, RingCentral, Glip, Slack, Zoom and other modern platforms whilst complying with critical regulatory requirements .

Theta Lake’s purpose-built AI-powered risk detection capabilities enable safe and compliant collaboration, reducing the overall cost of compliance and risks of non-compliance. The use of advanced AI, ML and NLP technologies facilitate more efficient and effective compliance, risk and data security management through:

• Automatic detection of security, data loss and compliance risks in what’s spoken, typed, shown or shared, including specific detections for collusion and misconduct plus instant search results to support e-discovery.
• Comprehensive capture ensures there are no gaps. All channels, from group to private messages, in-meeting chat, plus all content, from emojis and GIFs to file attachments, edited and deleted messages, videos and files shared from SharePoint or via desktop upload are captured and analyzed.
• Prioritisation of communications and content requiring review or intervention, custom workflows to route potentially risky communications to relevant compliance supervisors with a dedicated review workspace providing an audit trail of action taken.
• Swift remediation and removal of any risky content across platforms. Comprehensive redaction capabilities to protect confidential or sensitive information from being accessed more widely.
• Rapid identification, and consistent legal hold, of relevant communications, content and images across platforms to support investigations, regulatory review, audits or complaints.

Find out how we can seamlessly integrate with existing archives.

Find out more about how Theta Lake can help identify and reduce the risks of misconduct in what’s spoken, typed, shown or shared by scheduling a live demo.