This in-depth session (conducted under Chatham House Rule) at the foremost compliance surveillance conference featured Rebecca Butler from NatWest, Ugne Willard from Barclays, and Ray Soanes from Societe Generale.
The point was made that there was now increased governance process in the first line as a direct response to the rolling WhatsApp fine regime. This has proved to be a silver lining for comms surveillance heads as it has shone a light on all comms channels and created debate about whether they are really needed by the business. Another panellist stated that newer channels often offer chat functions, which can be perilous.
It is very tough to find every communication channel – those wanting to game this will almost always be able to sidestep governance and process. There needs to be a consequence of failing to use an approved channel. This is a new development in practice. There also has to be an ability to do the right thing – if the process is clear and someone uses a personal route after being issued a corporate device, there needs to be a management process to discipline that person appropriately.
Unapproved communication
The moderator asked how best to detect unapproved communication. Targeted lexicons and more generic ones are a starting point, and can be supplemented by trade reconstruction to help confirm all related comms are being captured and monitored proportionately. Attestations are also of value, as is actual involvement in the desk review process, rather than a passive ‘alert-review only’ role.
Some of the panel suggested more regulatory guidance on channel usage to define possible outliers such as Facebook message boards, HR channels, and comms used primarily for social and logistical purposes. Should they be surveilled as well as captured?
The first audience poll asked – have the recent enforcements for use of personal channels and devices caused:
- an increase in resource deployed here – 23% of the audience said yes;
- maintained the status quo through the current approach – 70%;
- neither – 7%.
A second question asked whether any teams were exempted from having their comms captured and monitored:
- sales – 5% said yes;
- trading – 2%;
- research – 3%;
- all the above – 8%;
- none – 82%.
Consequence management was mentioned again. If there is no incentive for people to do the right thing, you are starting from a bad place. The incentive to do the right thing is to keep your job and your bonus! Risk governance needs to deploy a regular stream of training, policy, communication and approved channels.
Culture
The moderator asked how to embed a healthy culture at a firm. One of the panel said that a good relationship between the first and second line, where open questions are the norm, can be essential. Anonymous surveys have proved valuable at one firm. The ability to point out colleagues who are obviously not playing by the rules, and to be comfortable doing that without retribution, is a key capability. Another said that tone at the top is crucial here. Good examples should be set.
One of the panel suggested that Compliance IT can help if they are educated around the regulatory need; this means that the spirit of compliance in this area starts to spread on its own. More credit needs to be given to the comms surveillance team for a tricky role that requires specialism and does affect the bottom line (if it avoids enforcement). The focus on pure unapproved comms has meant that the root cause of these requirements is rather losing the limelight (for example inside information distribution).
Ultimately the business needs to make the decision on how essential a communication channel is and whether the cost justifies the potential for revenue/profit. The more transparent these are, the better the business decision. The recent fines have driven a new governance process on the viability of each channel. The analysis of risk requires the business to be more involved in the information discovery now.
Please note that this article is not a comprehensive reproduction of all that was said in this session and is the regulatory journalist's interpretation of the comments made – it has not been officially approved by the speakers or conference organizers.