Getting Compliance Right in the Time of Coronavirus

Contributed by Robert Cruz, Vice President of Information Governance, Smarsh


The coronavirus crisis has accelerated the trend of employees working from home, which is creating new challenges for regulated enterprises. As more traders and other workers shelter at home and team up remotely for group meetings and projects, many employees are collaborating for the first time over previously unused or unmonitored tools such as Zoom meetings, Microsoft Teams, Cisco WebEx, and Slack.

This shift is forcing compliance teams to develop effective compliance systems for their newly remote workers. In the past, financial services firms and other regulated companies often just prohibited access to tools that were perceived as being too risky or expensive to govern. But that tradeoff has been suspended amid the current pandemic. Those same companies are being forced to develop new policies to protect their remote traders and other workers while still driving business results. Otherwise, they face being left behind by the competition.

Companies need to provide their stay-at-home workforce with access to new tools to do their jobs remotely, as an acceptable alternative to the risks posed by working together in physical office spaces or boarding crowded airplanes. In turn, compliance teams at investment banks and financial firms are struggling with how to comply with FINRA regulations and SEC rules for archiving business communications during the crisis. Many firms must decide how to invest in technologies that can enable employees to safely communicate and collaborate with teammates, partners, and customers, wherever they may be.

In working with some of the world’s largest banks on governance issues, our compliance experts have developed the following list of best practices to evaluate and address this issue:

Calibrate the Ratio of Benefits vs. Risks – Every organization should evaluate the benefits and risks of new tools before adopting them for business uses. Benefits can include the ability to reduce the number of in-person meetings and emails, while improving staff access to information. Potential risks involve cybersecurity breaches, data privacy gaps, and regulatory compliance vulnerabilities. If key stakeholders can determine that the benefits exceed the risks – and those risks can be mitigated through new technologies – then they should allow those tools to be used for business purposes.

Do Your Due Diligence on New Platform Investments – Many collaboration and conferencing solutions have multi-tiered offerings that can quickly spread within an organization based on free user downloads. IT leaders, along with security and privacy stakeholders, should develop due diligence plans to determine which offering best meets the firm’s data protection objectives. Premium-tiered offerings may provide capabilities that are not essential, but they may be the only tiers that satisfy the organization’s risk threshold. Some vendors are offering discounted or free access to premium tiers during the crisis, so be sure to check.

Plan for Data Capture and Storage – Every collaboration and conferencing vendor is unique in terms of the capabilities it provides for capturing and storing digital communications over business networks. For firms faced with regulatory compliance obligations or frequent eDiscovery demands, relying upon a vendor’s ability to provide timely responses to requests for historical content may not be a risk worth taking. Third-party solutions to capture and store content to meet regulatory and litigation demands should be a key component of any analysis.

Implement Guidelines for Strategic Communications – For many employees, new collaboration platforms may seem to be a place to socialize, which can be a distraction from critical business tasks. Therefore, it is important to update employee conduct and communications policies to reflect the new reality. Do not focus solely on oversight of email and other existing tools. Also consider conferencing and broader unified communications platforms that offer various capabilities, some of which may not be used without taking specific steps. For example, recording a conference call with an external party without first getting their permission is a no-no. Knowing the features of each tool, and how those features can be used by individuals to do their jobs, is the key to shaping policies for those who may not have had previous experience working remotely or managing a distributed team.

It’s the People  – Remote work can be a major adjustment for people accustomed to an office environment, and it may not be the best fit for tightly knit workgroups with high interdependencies. When implementing new collaborative and conferencing technologies, it is important to broadly roll out training programs that enable the entire workforce to succeed. The goal should be to head off any disruptions to the business while providing the tools needed to meet key deliverable deadlines. Ensuring that users of collaboration and conferencing systems know how to find the information generated within those tools is also crucial, but sometimes overlooked. User trainings can ensure that the technology delivers the promised productivity benefits, while still meeting regulatory requirements and keeping workers safe.

Undergoing a rapid transformation to a remote workforce requires some adjustments to management processes, measurement systems, operational plans, and cost analyses. Any evaluation of new technologies should consider the hard lessons learned from large companies that have already adopted collaboration and conferencing solutions. Doing so will ensure that you can get compliance right in this difficult time of coronavirus.

Robert Cruz is Vice President of Information Governance for Smarsh.

The views represented in this commentary are those of its author and do not reflect the opinion of Traders Magazine, Markets Media Group or its staff. Traders Magazine welcomes reader feedback on this column and on all issues relevant to the institutional trading community.