Accessible and easy-to-digest, Emily Wright’s book is a practical and helpful primer on employee surveillance. It begins by outlining the role of surveillance within financial institutions, and sets out the difference between financial crime surveillance and compliance surveillance.
The regulatory and jurisdictional complexity underpinning this critical function has increased in recent years. Wright says this complexity stems from ever-changing regulations, the diversity of rules and regulations that a financial institution working across borders has to adhere to, and, just as significantly, rapid advances in technologies.
In particular, the post-pandemic move to hybrid working coupled with a proliferation of communication channels being used for business purposes has had a real impact. Wright observes that inadequate surveillance, even in the absence of actual market misconduct, is something that a regulated institution can now expect to be censured and fined for. The argument put forward most strongly by US regulators is that the absence of surveillance data makes the investigation and punishment of wrongdoing near impossible.
The costs and consequences of non-compliance are examined by looking at a number of key cases that have shaped the compliance narrative in the last decade. This includes the recent fines connected to the use of personal devices in a business context.
Wright makes the point that handing over “personal data for extraction” by employers is not the “direction of regulation” and that it is also a “risky strategy ethically for an institution to pursue.” The robustness of the Fourth Amendment protections is likely to continue to be a challenge and the suggestion is that “the easiest and cheapest solution is to stop the use of personal devices for business” while at the same time providing “coverage of whatever channels are needed for business” and treating those channels as something “owned by the business.”
After a succinct examination of the three lines of defence model, Wright suggests that attempts to move surveillance to the first line of defence are misguided for a number of reasons. One of these is resourcing, a perennial worry for compliance teams, but another is the revenue and business development pressures that the first line of defence is subject to that do not exist in the second line of defence (or certainly do so to a lesser extent). Such a move, and the differing resources and perspectives it would result in, could lead to a real weakening of the defence framework overall – an undesirable outcome given increasing regulatory scrutiny in this area.
The book very helpfully delves more deeply into some key aspects and challenges around surveillance. The crucial role that data plays in effective surveillance, as well as the interrelated nature of the key data sets (trade data, electronic communication and voice communication) in any effective surveillance program, is lucidly explained. So is the fact that data represents both a challenge and an opportunity in setting up and running an effective surveillance program. By delving into the difference between structured and unstructured data, Wright touches on a key point constraining the efficient use of surveillance technologies, including the cost-effective deployment of LLM technology and AI models.
A valuable discussion of the importance of governance is also included. Governance is often overlooked in the implementation and effective running of any business unit or function but, as clearly highlighted in the just-published BCBS report on the Digitalisation of finance, it is fundamental to identifying, monitoring and mitigating risk.
Wright also tackles the challenges connected to data privacy. A chapter on the ethics of surveillance is particularly useful given the discomfort with anything described as ‘surveillance’ frequently expressed by senior leaders and board members who have had limited compliance exposure and experience.
The difference between covert and overt surveillance is set out clearly, as is the fact that employee surveillance is both targeted and intended to encourage compliant behaviour. This is something that the FCA’s Jamie Bell indirectly alluded to at a recent event organised by Global Relay, pointing out that the FCA has found that there is often a strong correlation between compliance infractions and other, non-financial misconduct. Such distinctions, between work and home and between public and private, are likely to become more relevant as monitoring and surveillance technologies advance and are adopted more widely, so this is a very interesting discussion.
Wright concludes with a call for the enhancement of surveillance capabilities and functions by institutions as a way of improving compliance outcomes more broadly. She suggests that quality vendors may well play a key role because of their ability to continue to innovate and provide quality tools to tackle some of the complex key challenges outlined.
This is an engaging overview of a vital and rapidly changing area, with the main points clearly articulated along with a positive assessment of the opportunities presented by an effective leveraging of the surveillance function.
• Emily Wright was recently a guest on the GRIP podcast.