Financial services firms have long used technology to supervise the communications and activities of employees, both to ensure compliance with regulatory requirements and to detect issues such as market abuse, mis-selling or data privacy breaches. It’s a key control for meeting regulatory obligations including MiFID II, CFTC, FINRA, IIROC and GDPR, and a standard feature of working in a regulated industry. Likewise, data loss prevention tools are commonplace across businesses to reduce the risks of data loss and exposure. All of these are designed to protect consumers, employees, and shareholders.
Scope and purpose of supervision
Considering the scope and purpose of proposed supervision is essential and, like any supervisory activity, it should be validated by compliance, privacy, or security stakeholders. Critical media reports and an investigation by the UK privacy regulator, the Information Commissioner’s Office, into a global bank’s use of software to track how employees spent their time at work, reinforce this. In that instance, the bank deployed a technology platform that sent warnings to staff if they appeared to be idle on their computer desktops or spent too long on a single task. Although this case is instructive, the scenario is very different from deploying tools for security or regulatory compliance purposes and for protecting sensitive data.
“If organisations wish to monitor their employees, they should be clear about its purpose and that it brings real benefits. Organisations also need to make employees aware of the nature, extent and reasons for any monitoring.”
(ICO spokesperson)
Supervising compliance and security risks
Employees are now using collaboration platforms like Zoom, Microsoft Teams, Cisco Webex, RingCentral, and Slack as the primary source for communications and information sharing, driven by a new remote work paradigm. Now firmly embedded, these applications are a key pillar of hybrid, work-from-anywhere and office-based workforces. Whilst their rapid adoption has kept employees connected and productive throughout the pandemic, the focus is now shifting to the potential compliance and security risks created by these new ways of sharing information.
The legacy tools in place for monitoring email communications for risks such as data leakage or malware aren’t designed for the way employees communicate and share information today. Consider the dynamic nature of chat; the challenge of interpreting contextual data like emojis and reactions; the potential for risky behaviour on screen; and the ease of attaching confidential files or accidentally sharing the wrong screen containing sensitive data. The need for oversight of modern communications to protect employees, customers and the organization is paramount.
Given Theta Lake’s role in detecting compliance and security risks in modern communications, supervision is a topic that is frequently discussed in our deployments with customers. It’s important to not only understand how to safeguard communications but to ensure that monitoring controls meet regulatory expectations and don’t adversely impact staff productivity and morale. Here’s what we’ve learnt:
Top tips for keeping staff and regulators happy
- Be transparent - establish clear policies on conduct, data privacy, security and acceptable use of communication systems. Communicate policies to employees with periodic reminders which include the purpose of monitoring and the penalties for breaching policies.
- Train employees - provide training so that employees understand the expectations and requirements relating to what’s being monitored including data privacy, security, conduct and adherence to regulatory obligations.
- Be consistent - act consistently with your policies where breaches are detected. ‘Turning a blind eye’ will create challenges in enforcing or relying on them where needed.
- Prioritise - take a risk-based approach. Given the volumes of communications, the potential risks are likely to outstrip the capacity of compliance teams to review everything. Focus on the risks most likely to have serious consequences in terms of customer harm or regulatory, operational, financial or reputational damage, and review a sample of the rest.
- Protect data - monitored communications are likely to contain sensitive data. Make sure it can be redacted across video, voice, and chat so that it’s not unnecessarily exposed further during the review process or retained unnecessarily, whilst still keeping a record for your audit trail.
- Act quickly - be able to respond and remediate identified issues, whether they’re deliberate or accidental. For example, remove a malware link, a file, an inappropriate comment or confidential information so the issue doesn’t perpetuate whilst it’s being dealt with.
- Evidence - be able to demonstrate action taken where potential breaches are identified, whether that’s seeking clarification with the employee or escalation to a compliance team.
- Manage the review process - set out the appropriate routing for identified risks to be escalated to. That could be the compliance team and may vary depending on factors such as role, geography or level of risk identified.
- Find records quickly - be able to respond quickly and comprehensively to both internal HR matters and internal audits as well as external customer complaints, GDPR and data deletion requests, regulatory reviews or legal investigations.
- Integrity of records - ensure that records of communications, supervision and action taken are held securely and can meet legal and regulatory obligations such as legal hold capabilities, specified retention periods or SEC 17a-4 Write Once Read Many (WORM) requirements.
How Theta Lake helps
Theta Lake provides security and compliance for modern communication platforms, facilitating the identification of regulatory, privacy, and security risks that might arise during business use. We don’t monitor general employee productivity activity like time spent on tasks or away from a desk. But we do enable organizations to get full use of the features and value of the investments they’ve made in collaboration systems which makes everyone more productive.
Theta Lake’s purpose-built AI-powered risk detection capabilities enable safe and compliant collaboration, reducing the overall cost of compliance and the risks of non-compliance. The use of advanced AI, ML and NLP technologies facilitates more efficient and effective compliance, risk and data security management through:
- Automatic detection of security, data loss and compliance risks in what’s spoken, typed, shown or shared, including specific detections for collusion and misconduct, plus instant search results to support e-discovery.
- Comprehensive capture that ensures there are no gaps. All channels, from group to private messages and in-meeting chat, plus all content, from emojis and GIFs to file attachments, edited and deleted messages, videos, and files shared from SharePoint or via desktop upload, are captured and analyzed.
- Prioritisation of communications and content requiring review or intervention, with custom workflows to route potentially risky communications to the relevant compliance supervisors and a dedicated review workspace providing an audit trail of action taken.
- Swift remediation and removal of any risky content across platforms, with comprehensive redaction capabilities in video scenes, audio files, transcripts, and chat to protect confidential or sensitive information from being accessed more widely.
- Rapid identification, and consistent legal hold, of relevant communications, content and images across platforms to support investigations, regulatory review, audits or complaints.
Find out more about how Theta Lake can help identify and reduce the risks of misconduct in what’s spoken, typed, shown or shared.