Financial services firms have long used technology to supervise the communications and activities of employees, both to ensure compliance with regulatory requirements and to detect issues such as market abuse, mis-selling or data privacy breaches. It’s a key control for meeting regulatory obligations including MiFID II, CFTC, FINRA, IIROC and GDPR, and a standard feature of working in a regulated industry. Likewise, data loss prevention tools are commonplace across businesses to reduce the risks of data loss and exposure. All of these are designed to protect consumers, employees and shareholders.
Considering the scope and purpose of any proposed supervision is essential, and, like any supervisory activity, it should be validated by compliance, privacy or security stakeholders. Critical media reports and an investigation by the UK privacy regulator, the Information Commissioner’s Office (ICO), into a global bank’s use of software to track how employees spent their time at work reinforce this. In that instance, the bank deployed a technology platform that sent warnings to staff if they appeared to be idle at their desktops or spent too long on a single task. Although this case is instructive, the scenario is very different from deploying tools for security or regulatory compliance purposes and protecting sensitive data.
“If organisations wish to monitor their employees, they should be clear about its purpose and that it brings real benefits. Organisations also need to make employees aware of the nature, extent and reasons for any monitoring”
ICO spokesperson
Supervising compliance and security risks
Top tips for keeping staff and regulators happy
- Be transparent - establish clear policies on conduct, data privacy, security and acceptable use of communication systems. Communicate policies to employees with periodic reminders which include the purpose of monitoring and the penalties for breaching policies.
- Train employees - provide training so that employees understand the expectations and requirements relating to what’s being monitored including data privacy, security, conduct and adherence to regulatory obligations.
- Be consistent - act consistently with your policies where breaches are detected. ‘Turning a blind eye’ will create challenges in enforcing or relying on them where needed.
- Prioritise - take a risk-based approach. Given the volumes of communications, the potential risks are likely to outstrip the capacity of compliance teams to review everything. Focus on the risks most likely to have serious consequences in terms of customer harm or regulatory, operational, financial or reputational damage, and review a sample of the rest.
- Protect data - monitored communications are likely to contain sensitive data. Make sure it can be redacted across video, voice, and chat so that it’s not unnecessarily exposed further during the review process or retained unnecessarily, whilst still keeping a record for your audit trail.
- Act quickly - be able to respond and remediate identified issues, whether they’re deliberate or accidental. For example, remove a malware link, a file, an inappropriate comment or confidential information so the issue doesn’t perpetuate whilst it’s being dealt with.
- Evidence - be able to demonstrate action taken where potential breaches are identified, whether that’s seeking clarification with the employee or escalation to a compliance team.
- Manage the review process - set out the appropriate routing for identified risks to be escalated to. That could be the compliance team and may vary depending on factors such as role, geography or level of risk identified.
- Find records quickly - be able to respond quickly and comprehensively to both internal HR matters and internal audits as well as external customer complaints, GDPR and data deletion requests, regulatory reviews or legal investigations.
- Integrity of records - ensure that records of communications, supervision and action taken are held securely and can meet legal and regulatory obligations such as legal hold capabilities, specified retention periods or SEC 17a-4 Write Once Read Many (WORM) requirements.
How Theta Lake helps
- Automatic detection of security, data loss and compliance risks in what’s spoken, typed, shown or shared, including specific detections for collusion and misconduct, plus instant search results to support e-discovery.
- Comprehensive capture ensures there are no gaps. All channels, from group to private messages and in-meeting chat, plus all content, from emojis and GIFs to file attachments, edited and deleted messages, videos and files shared from SharePoint or via desktop upload, are captured and analysed.
- Prioritisation of communications and content requiring review or intervention, with custom workflows to route potentially risky communications to relevant compliance supervisors and a dedicated review workspace providing an audit trail of action taken.
- Swift remediation and removal of any risky content across platforms, with comprehensive redaction capabilities in video scenes, audio files, transcripts and chat to protect confidential or sensitive information from being accessed more widely.
- Rapid identification, and consistent legal hold, of relevant communications, content and images across platforms to support investigations, regulatory reviews, audits or complaints.
Find out more about how Theta Lake can help identify and reduce the risks of misconduct in what’s spoken, typed, shown or shared.