I recently sat down with Global Relay’s VP of Compliance Supervision, Donald McElligott, to discuss what he is hearing from clients and prospective clients about their technology solutions (and ongoing challenges) in the e-communications recordkeeping space.
His comments revolved around the needless complexity of using multi-vendor solutions, creating efficient workflows and risk mitigation strategies unique to your firm, leveraging your vendor for ongoing training, and harnessing the promise of artificial intelligence.
The backdrop
Over the past few years, the SEC and CFTC have charged multiple Wall Street firms with widespread recordkeeping failures, handing down staggering penalties that total well over three billion dollars now.
The two most recent enforcement sweep actions from the SEC in August included fines of just over $392m on 26 broker-dealers, investment advisers, and dually-registered broker-dealers and investment adviser firms, plus SEC fines of $49m on six credit-rating firms earlier this month.
Sanjay Wadhwa, SEC Deputy Director of Enforcement, noted in a press release announcing another sweep action last August: “We know that other SEC-regulated entities have committed similar violations, and so our work to enforce industry-wide compliance continues.”
And Gurbir Grewal, the SEC’s Director of the Division of Enforcement, said in reference to his agency’s enforcement actions (along with the CFTC): “Today’s actions – both in terms of the firms involved and the size of the penalties ordered – underscore the importance of recordkeeping requirements: they’re sacrosanct.”
Enforcement orders from the SEC and CFTC in this arena have uncovered pervasive and longstanding use of unapproved communications channels, failure to store the substantial majority of these off-channel communications and often a failure to reasonably supervise and enforce the business’s own policies or code of ethics.
The officials’ quoted remarks have been quite pointed and showcase exasperation over the persistence of some businesses in not learning from the costly mistakes of others or the clear, hard line the regulators are taking when it comes to this issue.
Is my tech working?
McElligott said businesses must get some baseline numbers on a regular basis, such as monthly reports that generate performance numbers across policies and controls. “You need to know what regular message volume looks like and what regular violations and flagging looks like. Most systems report that easily – but don’t always make it easy to track trends.”
If someone has suddenly gone quiet on the channel, it’s likely they have moved to an unapproved channel like WhatsApp, he said.
It’s always about following trends and being able to recognize the abnormal. But it’s not just about monitoring flow. What changes more frequently than lexicon is the mechanical thing – someone introduces a new update to the newsletter and suddenly updated newsletter items are classed as junk. “You have to realize these systems need regular care and feeding, or else you’ll quickly be buried in junk, frankly,” McElligott said.
Companies constantly say they are capturing too much – it’s the common problem – and some companies say running random samples helps them more than running their actual policies.
“And this is just not how it should work to be effective. The random sample pile is your back-up measure and not your go-to source,” McElligott said.
The real trick with integrations – multiple systems working together – is that it’s never really seamless, he added.
“The fact that a vendor might have a solution that integrates all of the functionality should be taken seriously, because multiple systems often do not play nice with middleware and connections break often. Third-party connectors need a lot of oversight because they break and can do so without your main service provider having a way to help you fix it, and sometimes without you knowing for a good duration. You won’t often get a red flag it’s not working – you’ll just stop getting stuff from over there,” he said.
Can I build my own solution?
Also, vendors make changes. “Let’s say LinkedIn makes a tweak to how it makes profile updates and it messes up the API – you don’t know that the third party tool is only giving you two thirds of the data now,” McElligott said. “And maybe your reviewers are seeing lower volumes of Bloomberg data, but you might not know if this is because of a technology issue or upgrade for months. That itself can lead to an uncomfortable disclosure to the regulator about having gone blank on a chunk of data for some months.”
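The baseline tracking described here and under “Is my tech working?” can be sketched as a small check over daily capture counts. This is an added example, not Global Relay’s code or anything from the interview; the source names, counts and thresholds are constructed assumptions, and the counts are assumed to cover business days only.

```python
from statistics import median

# Constructed sample: captured messages per business day for each source
# (a connector feed or an individual user), oldest first. Not real data.
DAILY_COUNTS = {
    "connector:bloomberg": [900, 950, 920, 880, 940, 910, 930, 600, 610, 590],
    "connector:linkedin":  [120, 110, 130, 125, 115, 120, 118, 122, 119, 121],
    "user:trader-17":      [45, 50, 40, 48, 52, 47, 44, 0, 0, 0],
}

def check_source(counts, recent_days=3, drop_ratio=0.75, min_baseline=10):
    """Compare the most recent days against the median of earlier history.

    drop_ratio and min_baseline are illustrative thresholds (assumptions);
    tune them to each source's normal variation.
    """
    history, recent = counts[:-recent_days], counts[-recent_days:]
    if len(history) < recent_days:
        return "insufficient-history"
    baseline = median(history)
    if baseline < min_baseline:
        return "low-volume"        # too little traffic to judge a drop
    if all(c == 0 for c in recent):
        return "silent"            # nothing is arriving from this source
    if median(recent) < drop_ratio * baseline:
        return "partial-drop"      # e.g. a feed delivering about two thirds
    return "ok"

def review_queue(daily_counts, **thresholds):
    """Return {source: status} for every source that needs a human look."""
    statuses = {s: check_source(c, **thresholds) for s, c in daily_counts.items()}
    return {s: st for s, st in statuses.items() if st != "ok"}

if __name__ == "__main__":
    for source, status in review_queue(DAILY_COUNTS).items():
        print(f"{source}: {status}")
```

A flag only says the volume is abnormal; whether the cause is a broken connector, an upstream API change or a user who has left the channel still has to be established by a reviewer.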
McElligott is surprised by how some customers don’t significantly leverage the great training resources offered, and he strongly recommends reaching out for ongoing training for evolving best practices on how to use it more effectively for your business.
He likes to remind businesses that his company has seen everything, so it really can help you save money and time to use the technology more effectively.
“Compliance professionals are already mandated to review their compliance programs – policies, procedures, and internal controls, at least annually – and this should include communication recordkeeping policies, at a bare minimum,” he said. “Go through the reports for the last year, see how the policies are going, see the false positive rates and hit rates, find the pain points and fix them. Six months is probably best – but the training team can help you do this regularly and more seamlessly. At this point in our history as a firm, our trainers are actual consultants with true expertise in this area.
“These internal trainers have seen so much go well and awry that they can give you the ways to avoid the latter, simply having worked closely with firms just like yours.”
And, if a provider tells you certain aspects of the tech they provide you will never experience an outage, they are lying, he said. But that basic fact just means you need a great customer support team at that business so you’re informed and back online promptly.
Connectors
McElligott says he talks to some large firms that have their own connectors and use a bunch of vendor connectors – and they’re buried in them.
“Part of the problem is that some of the large banks have built their own communication platform and there’s no tool for that internally-built connector specifically – but there’s still middleware to get that data into an archive,” he noted.
It can be tempting to buy a specialized solution for one aspect of your communications archiving, but it’s not hugely helpful if it does not scale, he points out. “Your business is likely to scale and technological advancement is inevitable, so the niche providers might not make sense.” (A Teams-only connector is not going to give you a lot of bandwidth, for example.)
“We have an offering that provides every connector for every user. It’s a premium service, but it makes sense for some users, so they can avoid having to keep adding and negotiating new deals for new connectors that they will invariably need,” he said.
The scariest tools are the ephemeral ones like WeChat and Snapchat that feature messages that disappear after a short duration – because those are specifically designed to not be surveilled or captured, he reminded us.
Role of compliance consultants
McElligott said his team speaks constantly to the consultants that businesses have hired to work specifically on their communications recordkeeping or on surveillance more generally.
“We meet regularly with large consultancies that want to get to know us and figure out whether and how to recommend the business and its solutions to its own clients. They can’t do this intelligently enough without having conversations with us about how the tools work to get a snapshot of who our customers are and what we’ve done for them.”
The large language models (LLMs) are being designed to see a lot of examples of what you’re looking for – whether it’s front-running or money laundering – and they learn what that looks like and can then detect it, McElligott explained.
It was a “train the trainer” model. Over time, the models got better and better as the LLMs got more and more data and were trained on it.
“The problem with that scenario is that the companies were sharing their data and it was getting pooled. There are so many privacy and other implications with that. Companies wanted every other firm’s data but didn’t want to share their own,” he said.
The arms race began as to who had the most data and the best custom models.
“It actually helped some firms that entered this race later when LLMs like ChatGPT were better, faster and open-sourced. Because then everyone was downloading it but you could only handle the data flow to run it if you had $5m worth of hardware to run it. You want to go with the business that has the hardware, data, data centers and the LLM in which it operates,” he said.
“Some of the LLMs offered by archiving providers are about 100m parameters – parameters being like brain cells, the more the better. The off-the-shelf Llama model (by Meta) has 70 billion. You don’t have to train it – it knows everything humanity has generated, really. It already knows what AML is and will even tell you why it knows it,” McElligott said.
Everyone has great access to these great models – but can you run it efficiently in the cloud?
“Sure – but you pay per CPU cycle in the cloud. Your bill is going to be pretty sizable and you’ll be paying the provider a lot of money,” McElligott said.
“Think about a provider that can run it in-house and doesn’t have to put it in the cloud. And when it comes to feeding the LLM with the data, think about the three to five million messages a day you get. It’s a massive data maneuvering exercise that consumes a lot of energy (literally). And you don’t pay just for storing the data, it’s extracting it and giving it to an AI model to read it and review it and maybe store another copy of it for more analysis – all of this costs a lot of money.”
McElligott said a provider that already has the data, the models running in its own environment, and can help control the costs involved might be a better solution – especially if it already has considerable structuring around data to explain what the data is and where it came from, plus where it is going and all persons involved.
It is much more time-consuming to deal with unstructured data.
“Does your provider store and structure it? It should. Running AI on data sitting in a cloud somewhere is not half as targeted and efficient,” he observed.
“Any AI solution needs to be assessed for storage, processing, extraction, and whether updates to the model will easily be accommodated, so companies need to proceed carefully here, because this technology is changing so quickly,” he said.
AI governance
It’s important to not only think of the volume and cost of AI, but also governance concerns. Was the AI tool trained properly? How do we know it was not given false information or hallucinating? How is it being evaluated and tested to make sure it’s operating within the right performance metrics?
McElligott was circumspect. “Honestly, no one is even sure of how to do that with these LLMs. In the compliance world, we’re so used to being able to show a breadcrumb trail. We took a message and ran it through these filters, this was not flagged because it was from this particular sender, etc. We’re used to a nice explanation of how this message got here. With AI, that is not the case, it’s just that the AI told us there’s a problem here,” he said.
“Honestly, if the tool is performing really well and spotting what it needs to and you are doing model validation – the periodic testing of results – to validate results. Feed it a known true positive and make sure it flags it, exercises of that nature. It’s absolutely the case that we need a regular testing program to make sure the tools are staying within the guardrails that were anticipated for them. I mean, we don’t want the tool teaching someone how to launder money,” he said.
Impact of the regulatory sweeps
These sweeps have a huge effect collectively – the companies named in them are galvanized into action, as are the ones who see themselves in these enforcement fact patterns.
“The old playbook of periodic employee attestations is complete garbage now. Companies no longer think those attestations and some discipline after the fact will work. ‘Trust but verify’ and ‘trust but surveil’ is what needs to happen,” McElligott contends.
And regulators are consistently pointing to which channels are not being surveilled – because firms are missing one or more of them. Regulators are getting more keen on what to look for in their investigations, just like we in the fintech world are in developing solutions.
“The old argument of ‘I’m a smaller firm and can’t afford the technology solution for this’ is not resonating any more with the regulators, because they expect more than a rudimentary approach over something this fundamental,” he said. “And running optical character recognition on images is pretty standard now – and it captures text and images and any blends of both. It’s like capturing the image of a scanned document – it’s an image of text that should be easily captured.”
The entire landscape is changing quickly, but one thing that remains constant is how seriously businesses are taking the issue of keeping proper records and surveilling them, whether it’s defensively to prevent regulatory penalties and be able to defend oneself against any type of accusation with records that are up-to-date – or if it’s to aid in its own investigations of internal misconduct.
“It’s always a great thing if you can identify problematic issues before the regulators do.”
Author’s note
This article is meant to be instructional first and a source of marketing a distant second. Choosing technology partners involves myriad considerations of which we are acutely aware.