UK regulator fines a trio of brokers almost £5m for failing to have appropriate communications compliance processes in place to fulfil market abuse obligations

With the rapid adoption of virtual meeting platforms like Zoom over the past few years, the way we work has been transformed. These platforms are much more than a way to have a discussion and go beyond replacing phone conversations, users can share content, collaborate with people outside of their organization and use chat in-meeting. While the early stages of pandemic adoption were all about enabling workers and maintaining productivity, organizations are beginning to settle in and make streamlined decisions about which platforms to retain and how to secure them. The risk of insider threats and potential data loss, in addition to human error and carelessness can lead to any number of possible bad outcomes- data breaches, loss of intellectual property, and more.

When it comes to dynamic messaging content from collaboration tools like Webex, Zoom, Slack, and Microsoft Teams as well as SMS, mobile messaging, and consumer applications like WhatsApp, the SEC’s updated recordkeeping Rule 17a-4 announced on October 12, 2022 signals a sea change for broker-dealers. The SEC replaced its antiquated “non-erasable, non-rewritable” electronic recordkeeping requirement in place since the late-90s with a technology-neutral approach centered around audit trail data, which provides far greater flexibility in implementation.

At Theta Lake, we welcome the modernization of Rule 17a-4 as it allows our financial services customers to more easily manage archiving controls for SEC-regulated electronic communications records.  In addition, the spirit and letter of the revised Rule aligns with Theta Lake’s modern approach to the capture, retention, and supervision of complex, interactive video, voice, chat, and email conversation data.

As we noted in our 2022 Modern Communications Security and Compliance Report, 97% of firms are using two or more communication tools, so the ability to seamlessly and compliantly capture dynamic data across a range of platforms is key.  With over 100+ platform integrations, Theta Lake enables easy and effective compliance with the SEC’s new recordkeeping requirements.

For customers, the updated Rule 17a-4(f) offers a flexible, audit trail-based option that makes it easier to retain dynamic data from electronic communications to databases and beyond.  The revised Rule 17a-4(f)(2)(i)(A) allows broker-dealers to:

Theta Lake has published its fourth annual survey report on modern communications compliance and security, highlighting the complex challenges faced by those tasked with maintaining compliance, security and data privacy. The report is based on the views and experiences of more than 500 compliance and security professionals from the heavily-regulated financial services, healthcare and government sectors across the U.S., the U.K. and Canada. It provides a snapshot of how communication platforms are being used and the issues organizations are struggling with, enabling them to benchmark their own practices and expectations against the wider industry, identifying any gaps or areas of exposure they may have.

Digesting and implementing the U.S. DOJ’s new compliance guidance for prosecutors on the use of personal devices and third party apps

How to Comply With the New CMS Communications and Marketing Requirements for Medicare Advantage and Part D Conversations

New recording, disclosure, and compliance rules

New electronic communications recording, disclosure, and oversight rules from the Centers for Medicare &Medicaid Services (“CMS”), effective 1 October 2022, highlight the heightened scrutiny around the sale of complex healthcare products, to promote transparency and protect consumers.  In a digital age where prospects are bombarded with telemarketing calls, online advertising, social media, and promotions from celebrities and influencers, it’s more important than ever that they receive accurate information about sophisticated products.  Clarity is particularly critical when it relates to the purchase of essential healthcare services.

The new CMS rules can be viewed as part of a broader global trend toward increased disclosure for complex healthcare, financial, or insurance products directly marketed to customers.  Complaints about misleading advertising and sales of Medicare Advantage (“MA”) plans and Part D were the key catalyst for the CMS regulatory updates.  In the one year period between 2020 and 2021 the number of complaints submitted to CMS soared from less than 16,000 to over 39,000 – a staggering increase.

With a series of enforcement actions totaling about $1 billion in fines from the five biggest US investment banks, the SEC has made it clear there will be significant financial consequences if firms don’t start policing the use of communications channels, specifically the increasing use of SMS text and messaging apps, like WhatsApp, in their workforce.The seismic shift towards heavier enforcement comes after a warning was issued last October by the SEC that firms "need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps."

Clearly regulatory bodies have served notice - and the race is on to not only comply, but balance productivity gains with increasing regulatory scrutiny. How can firms avoid the worst case scenario of fines and sanctions (and resultant bad PR) while also not disrupting their mobile workforce and lastly, minimize complexity in their mobile/IT infrastructure?

IT: Caught in the middle between business and compliance requirements

Recent regulatory enforcement efforts describe only part of the story when looking at the current state of governance and the hybrid workplace. Two years after the start of the COVID-19 pandemic, it's clear that “work from anywhere” is here to stay for the foreseeable future. Like many industries, financial services firms have been looking at ways to more effectively engage and support their clients on their preferred channels, which includes SMS and WhatsApp. The real-time communication has enabled increased productivity and richer interactions but has come at a cost. Those firms are now grappling with how to provide WhatsApp, and related services, but in a controlled manner and balanced with a strong focus on compliance, security and corporate IT standards. Users have also made it clear that they will alternate the personal use of technology with their work efforts. The days of carrying two different mobile devices, like cowboys with two holsters, are in the rearview mirror.

Legacy approaches to supporting sanctioned WhatsApp usage do not fit the current hybrid workplace. Tools that can’t capture the full spectrum of WhatsApp services – WhatsApp Voice, SMS and Mobile Voice, while also protecting the fidelity and context of the conversation for compliance purposes, can add more complexity, and another set of challenges to the ones firms are already facing today. For mobile communications compliance, the challenge is having a comprehensive capture solution for all employees’ mobile and modern communication platforms and archiving them in one central location. This solution also needs to be able to be deployed across all users effectively and efficiently at an administration level, while ensuring personal communications are separated from business communications.

The need for mobile productivity with integrated compliance and security are not oppositional- and shouldn’t require making tradeoffs. It's clear that we can’t ask users to retreat and sacrifice productivity gains that will put the organization at a competitive disadvantage.

Introducing our partnership with Movius

Digital transformation has been a fundamental enabler for financial services firms. It is hard to underestimate the opportunities and regulatory benefits firms can derive from the implementation of technological solutions but maximising their potential can present challenges. Thomson Reuters Regulatory Intelligence's sixth annual survey and report on fintech, regtech and the role of compliance explores these challenges, particularly in the context of corporate governance and risk management.