At a recent asset managers' compliance roundtable hosted by Global Relay, a number of participants spoke forcefully about the increasing burden that communications surveillance represents.
They said the challenges in this area stem from a rapid increase in the volume of communication being captured, driven by a greater diversity of products, a burgeoning number of communications channels used by staff and clients, and widening regulatory expectations.
More specifically, firms, their management and their compliance teams are increasingly finding themselves under pressure from regulators to monitor not only traditional malfeasance such as market abuse, but also general conduct issues.
Insurance sector under spotlight
In the UK, the FCA, for example, has asked firms in the insurance sector to provide it with high-level aggregated statistics for non-financial misconduct incidents recorded over the last three years. This survey requires firms to provide the regulator with the method by which these incidents were detected, as well as the incident outcomes. The firms are being asked to include all incidents, even those that were not reported to the FCA because they did not meet the regulatory thresholds.
Jamie Bell, Head of Secondary Market Oversight at the FCA, said at a recent Global Relay event that the letter was just the start, with the FCA expecting to send out similar letters to other sectors and specific firms in the near future.
According to Bell, the regulator is interested in taking a closer look at non-financial misconduct because when it has investigated alleged cases of market abuse in the past, they “often coincide with pretty terrible examples of non-financial misconduct” and that there clearly are “strong correlations between market abuse failure and other kinds of compliance failure and also non-financial misconduct”.
But the change in tone around monitoring of communications is also very clear in the US, not only in connection with the continuing fines connected with recordkeeping lapses, but also in the tightening of the net of pertinent rules and regulations.
The prospect of more onerous conduct-monitoring requirements for all types of financial services firms prompted us to consider a general question posed recently on a US-based professional compliance community blog: what are the regulatory expectations for the timeliness of communications monitoring?
Some relevant follow-up questions came to mind.
- If the volume of communication that needs to be monitored is increasing, will a regulatory expectation around what constitutes a timely review of these be changing as well? (In other words, will regulators lower their expectation as to how quickly communication that has been flagged will be reviewed by compliance?)
- Is a compliance function in trouble if there is a backlog of flagged communications that have not been reviewed?
- Is a backlog acceptable at all and, if it is, what constitutes an acceptable delay and what circumstances might acceptably lead to one?
Prompt reviews of all relevant staff
Our view is that all regulators will almost certainly continue to expect all communications to be reviewed “promptly”; a change in regulatory expectations on this point is very unlikely.
So while a backlog caused by a sudden spike in communication that is connected to a market event may be acceptable, the communications monitoring, including the tools, processes and technology in place to help facilitate this, must be robust enough to be able to handle it within a period that is going to be viewed as “reasonable” by a regulator.
And “reasonable”, again in our view, and particularly when it comes to ‘business as usual’ monitoring, will almost certainly mean being able to review communications within days of them being captured and flagged as a potential cause for concern.
There is also no doubt that the regulatory expectation is for all relevant employees to be monitored. This is demonstrated by a FINRA settlement with TD Private Client Wealth, where the firm was censured and fined for failing to add employees newly associated with the firm to its system for reviewing correspondence and internal communications.
According to FINRA, the firm’s reliance on an ad hoc approach of manually comparing a list of new employees with a list of email accounts being monitored was “not reasonable given the volume of employees the firm onboarded during the relevant period”.
In addition, the size of the team monitoring communications or reviewing alerts, as well as the set of skills that it possesses, must be suitable to permit effective surveillance and, if necessary, the escalation of misconduct.
A recent FINRA disciplinary order against WestPark Capital illustrates this point well. It concerned the firm’s failure to monitor the business-related communications of an associated person who used WeChat, an unapproved communication channel, to communicate with clients and customers. Beyond the use of an unapproved channel, the regulator pointed out that the firm had no system in place to review communications in Mandarin (the language the representative used with firm clients), and that none of those responsible for monitoring communications could read or speak Mandarin.
Promptness and adequacy
If we look to trade surveillance, the regulatory expectation for prompt monitoring is clear and well documented. The New York Department of Financial Services’ (NYDFS) case against Coinbase, for example, provides interesting context. In the consent order the regulator offers the following criticism of the crypto firm: “By the end of 2021, Coinbase had a backlog of unreviewed transaction monitoring alerts [that] grew to more than 100,000 (many of which were months old).”
The regulator very clearly signals that a backlog of alerts ‘months old’ is not an acceptable outcome; indeed the consent order describes the situation at Coinbase as having reached a “critical stage” by this point, partly as a result of the length of time needed to complete the monitoring. The NYDFS goes on to say: “Although the full extent of activity that was contained in Coinbase’s TMS backlog has not been fully determined, the Department has identified troubling examples of suspicious conduct that should have been identified, stopped, and (in some instances) reported to authorities but was not, at least initially, due to the backlog.”
Implicit here is the regulator’s expectation that the fact the backlog existed led to the inability to identify, stop and report potential misconduct to the relevant authorities.
Some of this, of course, especially when connected to suspicious activity reports, is dictated by the relevant law, with financial institutions obligated to investigate and report within 30 days of detection. And while such a strict deadline may not be relevant to all communications monitoring, the regulator’s scathing language – describing the alerts as “languishing” for months in a backlog – is well worth noting.
Outsourcing surveillance carries risk
One of the responses to the blog question around backlogs and promptness of reviews suggested that outsourcing of lower risk communications can be a solution that is both efficient and cost-effective.
Some firms have indeed successfully outsourced low-risk reviews, focusing in-house attention on higher risk staff as well as newly incoming staff whose risk profiles have yet to be established. This is certainly one way of reducing the cost of monitoring and ensuring that the firm is still meeting the requirement for those reviews to take place promptly, despite a high volume of communications in need of monitoring and a finite number of compliance resources available.
But, here again, the Coinbase case is relevant. To clear its critical backlog the firm hired external consultants. But there were serious quality issues with the work done by some of the contractors, something that the NYDFS was deeply unhappy about, especially because it was not informed of the problems despite a memorandum of understanding being in place between it and the company.
In its decision the NYDFS pointed out that there was “insufficient oversight over the third-party contractors”, and that “a substantial portion of the alerts reviewed by third parties was rife with errors.” The quality control process was not completed by the third-parties to the standards required and, to compound this problem: “Coinbase did not have a system in place to audit the quality control that was done.”
So if some proportion of monitoring is being outsourced, it is essential to have in place systems and processes to monitor the adequacy of the third-parties’ work directly, but also to audit and assess their quality control process to ensure that this can be depended on to draw conclusions as to performance. Complacency in connection with this, especially when it leads to over-reliance on untested representations by the third party, can be risky.
Also, generally, the growing dependence on third-parties for key systems by the financial services industry in particular means increasing scrutiny of their performance in the compliance context. Regulators globally have been adamant about the fact that you cannot outsource your compliance and legal obligations – in other words any shortcomings in their performance will eventually be the responsibility of the regulated entity. And the stakes can often be quite high – note the suit by a hedge fund against a compliance consultancy after the former found itself in the regulatory cross-hairs despite advice from the latter.
Another aspect to consider is that, whether communications are reviewed in-house or the reviews are outsourced, keywords and policies must be regularly reviewed, assessed and, where necessary, updated.
A recent FINRA case involving Landolt Securities clearly illustrates this point. FINRA censured the firm not only for its failure to monitor and review its registered representatives’ electronic communications, but also for the fact that the firm “did not regularly review, assess, or update keywords used by the firm to flag emails for review”.
DOJ emphasis on timely self-reporting
The US Department of Justice’s (DOJ’s) Corporate Enforcement Policy (CEP) – which details its cooperation credit regime for businesses facing enforcement actions – provides that, absent aggravating factors, if a company voluntarily self-discloses misconduct, fully cooperates with the DOJ’s investigation, and remediates in a timely and appropriate manner, it can earn a presumption of a declination.
As former Assistant Attorney General Kenneth Polite said in a speech last year: “These three requirements are detailed in the CEP and have remained constant. When a company meets them all, as we have consistently demonstrated over the last six years, the division will award a declination, absent aggravating factors.”
Polite went on to say that “voluntary self-disclosure” is also defined to require, among other things, disclosure “within a reasonably prompt time after becoming aware of the misconduct”.
Polite cited an example to further explain the “timely” reporting aspect of the CEP.
A declination the DOJ issued to Insurance Corporation of Barbados Limited (ICBL) in August 2018 involved allegations of bribes the company made to a Barbadian government official in exchange for certain insurance contracts. Senior management was involved in the conduct, and as the CEP makes clear, that is one of the aggravating factors that removes the presumption of declination.
Nonetheless, the DOJ decided to issue a declination given all the factors, including the company’s timely, voluntary self-disclosure. Polite said: “Specifically, as to timeliness, within several weeks of ICBL’s parent company learning about the bribery scheme at its subsidiary, the parent company disclosed the conduct to us.” Polite pointed out that such prompt self-disclosure was particularly necessary in this case, given the aggravating factors involved.
Technology can help
Technology tools can help businesses create an email whitelist (an allowlist of email subjects, senders or domains that should never raise a policy red flag), so reviewers never have to see mail from senders that are not relevant to the work of the compliance team. This reduces the sheer volume of communication landing on that team.
Technology can also help you assess whether the lexicons you use to target relevant content while avoiding false positives are actually working. These must, of course, remain useful and practical as risk conditions change.
Such tools can also help you adjust for slang, symbols, ordinal variations (1st versus first) and other permutations, and can alert you when someone has moved to a communication channel you prohibit. The same systems can then help you safely archive, classify, retrieve and report on these communications.
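To make the three mechanisms above concrete (allowlist suppression, normalised lexicon matching that folds ordinals and slang, and a precision check that tells you which lexicon terms only ever produce false positives), here is an added, self-contained example. It is not code from the original page or from any surveillance vendor; every domain, subject prefix, lexicon term, message and reviewer disposition in it is constructed for illustration, and the category names and mapping tables are assumptions, not a reference lexicon.

```python
"""Added example: allowlist suppression, normalised lexicon matching and a
per-term precision report for an email review queue.

All sender domains, subject prefixes, lexicon terms, messages and reviewer
dispositions below are constructed for illustration only."""

import re
from collections import defaultdict

# Hypothetical allowlist: mail from these domains, or with these subject prefixes,
# never enters the reviewer queue.
ALLOWLIST_DOMAINS = {"news.example-research.com", "alerts.example-bank.com"}
ALLOWLIST_SUBJECT_PREFIXES = ("daily market wrap", "[system] ")

# Normalisation tables (assumed): ordinals and slang are folded to one canonical
# form so a single lexicon term catches "1st"/"first" and "wc"/"wechat" alike.
ORDINALS = {"1st": "first", "2nd": "second", "3rd": "third", "4th": "fourth"}
SLANG = {"wc": "wechat", "wa": "whatsapp", "frontrun": "front run"}

# Hypothetical lexicon, grouped by the risk each term targets.
LEXICON = {
    "channel_shift": ["wechat", "whatsapp", "text me", "personal phone"],
    "market_abuse": ["front run", "first to know", "guaranteed"],
    "conduct": ["keep this between us", "off the record"],
}

# Constructed sample messages; message 1 would fire but is allowlisted.
MESSAGES = [
    {"id": 1, "from": "digest@news.example-research.com", "subject": "Daily market wrap",
     "body": "First to know: guaranteed front run of the open."},
    {"id": 2, "from": "trader@example-firm.com", "subject": "re: block",
     "body": "Text me on WC instead, keep this between us."},
    {"id": 3, "from": "sales@example-firm.com", "subject": "client update",
     "body": "We were 1st to know about the print; guaranteed 10% uplift."},
    {"id": 4, "from": "ops@example-firm.com", "subject": "lunch",
     "body": "Sandwiches at 12."},
]


def normalize(text):
    """Lower-case, spell out symbols, strip punctuation, fold ordinals and slang."""
    text = text.lower().replace("$", " dollars ").replace("%", " percent ")
    text = re.sub(r"[^a-z0-9\s]", " ", text)  # "front-run" -> "front run"
    tokens = []
    for tok in text.split():
        tok = ORDINALS.get(tok, tok)
        tok = SLANG.get(tok, tok)
        tokens.append(tok)
    return " ".join(tokens)


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_allowlisted(msg):
    """Suppress mail by sender domain or subject prefix before any lexicon runs."""
    if sender_domain(msg["from"]) in ALLOWLIST_DOMAINS:
        return True
    return msg["subject"].lower().startswith(ALLOWLIST_SUBJECT_PREFIXES)


def flag(msg):
    """Return (category, term) pairs that fire on one message; [] if allowlisted."""
    if is_allowlisted(msg):
        return []
    body = normalize(msg["subject"] + " " + msg["body"])
    hits = []
    for category, terms in LEXICON.items():
        for term in terms:
            if re.search(r"\b" + re.escape(term) + r"\b", body):
                hits.append((category, term))
    return hits


def review_queue(messages):
    """Build the reviewer queue: message id -> hits, flagged messages only."""
    queue = {}
    for msg in messages:
        hits = flag(msg)
        if hits:
            queue[msg["id"]] = hits
    return queue


def lexicon_precision(queue, dispositions):
    """Per-term (confirmed, fired) counts from reviewer dispositions
    (message id -> True when the reviewer confirmed a genuine concern).
    Terms that fire often but are never confirmed are retirement candidates."""
    fired, confirmed = defaultdict(int), defaultdict(int)
    for mid, hits in queue.items():
        for _, term in hits:
            fired[term] += 1
            if dispositions.get(mid, False):
                confirmed[term] += 1
    return {term: (confirmed[term], fired[term]) for term in fired}


if __name__ == "__main__":
    queue = review_queue(MESSAGES)
    for mid, hits in queue.items():
        print(mid, hits)
    # Constructed dispositions: reviewer confirmed message 2, cleared message 3.
    print(lexicon_precision(queue, {2: True, 3: False}))
```

Two design points worth noting. First, suppression runs on the sender domain and subject only, before the lexicon, which is what makes an allowlist a volume reducer rather than a second rule set; the assumption is that the archive ingests mail whose sender has already been authenticated upstream, because an allowlist keyed on a spoofable header is a suppression vector. Second, `lexicon_precision` returns raw counts rather than a ratio so that a term with one hit and zero confirmations is not mistaken for a term with fifty hits and zero confirmations; only the latter is a clear candidate for retirement at the next lexicon review.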
But all of these tasks depend on having adequate resources for performing them well enough to meet regulatory expectations, which is often the first and most important compliance and management issue.
So, to conclude, if you are already struggling with the current volume of communications in need of monitoring and are regularly looking at backlogs of red-flagged messages, the time to act is now. Addressing the issues with good operational planning and implementation will help you secure more resources, or ensure that you have the right systems, processes and technology in place, so that your compliance team can do its work in a way that is consistent with legal obligations and regulatory expectations.