The Hybrid and Remote Working Problem: How Do You Monitor Communications Compliantly For Your Client Network or Employees?
7th March 2023 by Samuel Rossiter
If you work for a compliance service provider or a directly regulated financial business, you might cast your mind back to 2019 (a simpler time) and remember how you monitored your own or your clients’ communications for risk, to satisfy regulatory requirements.
It’s likely that all employees travelled to the office and worked at their desks, five days per week, and conducted all phone calls and emails on site. If you’re a compliance service provider, it’s likely that the employees of most if not all of your clients did this too. So, to monitor communications, in this simpler time, was a much simpler task – you only had to travel onsite, record and monitor a few phone calls (randomly sampled, we assume), search through a few emails, and consider that regulatory requirement checked off.
Whether this form of communications supervision was actually effective at managing risk and detecting malicious activity is another question entirely. But this is what communications supervision looked like for many businesses and compliance service providers, pre-pandemic.
And then COVID hit. And everything changed.
Hybrid and Remote Working – Our New Working Environment
Now, businesses across the world operate in a vastly different working environment. In the UK, during the pandemic, almost half (49%) of workers in Great Britain reported working at least one day from home in June 2020, with 38% working exclusively from home. Even as pandemic restrictions lifted, the number of remote and hybrid workers in the UK has increased and is now higher than pre-pandemic numbers. In September 2022, 22% of the Great British workforce reported working at least one day from home in the previous week, while 13% reported working exclusively from home.
Across the pond in the US, the prevalence of hybrid and remote working is much the same. Currently, a whopping 80 million Americans are working remotely, which is more than half of the American workforce. On average, Americans work remotely for three days per week, and 97% of workers would like to work remotely, for at least some of the time, for the rest of their careers.
COVID has changed the way that we work forever, across the world, and now hybrid and remote working are here to stay. Many employees are now working from home at least a couple of days per week, if not more, and use company devices (such as a laptop and smartphone) for work.
As a result, many companies now use a varied range of communication channels to communicate and collaborate daily – Teams, Zoom, Slack, Bloomberg, ICE and more. This becomes even more complicated for financial businesses that are client-facing, as clients expect to conduct business digitally – think WhatsApp, instant messaging apps, and even company-developed apps and trading platforms, all of which have business and transactional communications running through them.
So, whether you’re a directly regulated business or a compliance oversight provider, the main question to ask yourself is: Does your current communications supervision policy take this new digital hybrid and remote working environment into account?
Let’s look at what the regulators specify in both the UK and the US in regard to how financial firms should monitor communications.
In the UK – What does the regulator (FCA) specify in regard to monitoring communications?
The ‘why’ and ‘how’ of monitoring and supervising company activity are set out in the Senior Management Systems & Controls (SYSC) handbook under:
- SYSC 3.2.6 – this outlines that firms must have effective systems and controls for compliance.
- SYSC 4.1.1 and SYSC 4.1.6 – this outlines general requirements for firms, and specifies that firms must have appropriate and proportionate systems, resources and procedures.
- SYSC 6.1.4 – this outlines that the compliance function (the compliance team) must have access to ALL of a firm’s relevant information.
- SYSC 8.1.1 – this outlines that a firm may outsource the delivery of a compliance function, but the responsibility of compliance will always lie with the firm itself.
- SYSC 9.1.1A – this outlines that a firm must keep records of all services, activities and transactions, and FCA guidance is that these records are stored in a separate location from where the communications originally took place.
- SYSC 10A.1.6 and SYSC 10A.1.7 – this outlines that firms must take reasonable steps to record phone conversations and keep a copy of electronic communications that relate to financial activity, and that a firm must take steps to prevent an employee or contractor from making phone conversations or electronic communications on privately-owned equipment which the firm is unable to record or copy.
The FCA have also published guidance on the financial crime systems and controls any regulated firm must have, which you can see here.
For Principal Firms and Regulatory Hosts, the FCA published a new Policy Statement in August 2022 which gives new guidance on how they should oversee their Appointed Representatives. We outlined what these new FCA rules mean for all Principals and Regulatory Hosts, and you can also view the full FCA Policy Statement here.
In the US – What do the regulators (SEC and FINRA) specify in regard to monitoring communications?
One of the most important SEC rules relating to communications supervision is Rule 17a-4 – this specifies that broker-dealers must capture and archive electronic communications in a digital storage medium that “preserves the records exclusively in a non-rewriteable, non-erasable format.”
Rules relating to the supervision of electronic communications are also covered under FINRA Rule 3310 – which outlines general company supervision. More specifically:
- 3310(a) specifies that each member “shall establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations” and outlines what this Supervisory System requires.
- 3110(b) outlines the Written Procedures required by members, including supervisory procedures “for the review of incoming and outgoing written (including electronic) correspondence and internal communications relating to the member’s investment banking or securities business.”
Do You Need To Review Your Controls and Systems In Line With Our New Hybrid and Remote Working Environment?
So, the regulators on both sides of the pond are clear. Both the FCA and SEC specify that firms must capture, archive and supervise all electronic communications for risk, and in our new hybrid and remote working environment, this includes every single communication channel that your client network or your own business uses to do day-to-day business.
So – if your own business or your client network uses Teams, WhatsApp, Slack, Bloomberg, ICE, Zoom – do you have the proper systems and controls in place to monitor and archive all of these communication channels?
And what happens to firms who don’t supervise all of their channels?
Well, the regulators have actually been pretty lenient – oh no, they haven’t. They’ve clamped down very hard, actually. In the US, the SEC recently fined 16 Wall Street firms a total of $1.1 billion for failing to maintain and preserve their electronic communications, including the use of WhatsApp. When the director of the SEC’s Division of Enforcement commented on the situation, he underscored the importance of record keeping requirements, calling them “sacrosanct”. In the UK, the FCA have followed suit – questioning major banks such as Citigroup and JP Morgan over their WhatsApp use, which looks like it may be leading to even more fines.
We understand that monitoring every single communication channel in our current working environment to manage risk and ensure regulatory compliance may seem like a mammoth and impossible task. Especially if you work for a Principal Firm, Regulatory Host or Outsourced CCO that is responsible for overseeing a network of clients or Appointed Representatives. If you’re responsible for overseeing several clients, each with thousands of employees and many communication channels that they use daily, just how do you monitor their communications for compliance in a cost-effective and profitable manner?
What Is The Answer To Monitoring All Communications Cost-Effectively When Your Client Network Or Business Has Employees That Work On A Hybrid Or Remote Basis?
The answer is simple.
How do you monitor communications for risk and compliance efficiently, cost-effectively and at scale?
You use the right technology.
And we’re not saying that the Fingerprint platform is the best on the market for supervising communications but… well actually, we are. Because we truly believe it.
Fingerprint is a cloud-based platform that has a full API and integrates with the most widely used business communication platforms. It contains everything that your compliance team needs for the entire communications supervision process – ingesting every single communication channel into one place, automatically searching for risky and suspicious activity, then providing all the reporting tools and workflows compliance teams need to monitor comms compliantly. Hybrid and remote working are no problem for our platform because of its API – it can integrate with most communication channels, which can be done online (without your remote employees coming into the office), and ingest data within one working day.
In fact, on average, it only takes one week for our clients to become fully onboarded onto the Fingerprint platform.
And for compliance service providers such as Principal Firms, Regulatory Hosts and Outsourced CCOs? Our platform is designed for multi-client use, which allows you to oversee all client networks and Appointed Representatives from one place, with only one login needed.
It gets rid of a lot of tedious, manual tasks that waste your compliance team’s time, which means that they can supervise their clients much more efficiently. You’ll be able to add more firms to your portfolio without needing to hire more people to manage them, so your existing compliance team can supervise many more clients using our platform and your business can scale and grow profitably.
In Summary – What Do You Need To Do To Ensure Your Client Network Or Business Remains Compliant In Our New Working Environment?
The most important thing you need to do is look at your current communications supervision policy and see if it takes hybrid and remote working into account, which includes monitoring the large range of communication channels that your own business or your client networks use.
And, if you think Fingerprint could help your business supervise communications compliantly and grow profitably, then get in touch and we’d love to show you a demo of our platform.