Compliance teams are struggling to keep pace with electronic communication channels, with 45% saying they are in constant catch-up mode when it comes to oversight, according to the ninth annual Electronic Communications Compliance Survey report by Smarsh.
The number of electronic communication and collaboration platforms is now overwhelming, and they are proliferating in the workplace, the survey of more than 300 financial services compliance professionals found.
The compliance-awareness gap
Having prohibition policies for use of personal devices and messaging applications at work “is really futile,” said Robert Cruz, senior director of information governance at Smarsh.
The survey found that 74% of respondent organizations are allowing employees to use their own devices. Yet, 77% said SMS/text messaging poses the greatest risk.
Cruz said the survey’s intent was to call out compliance gaps and look for the delta between business use and controls in place to oversee those gaps.
“And what’s happening is there is tremendous growth in teams in Slack, in particular, [where] the use is outpacing the compliance controls, and there are a lot of companies still that haven’t provided the guardrails of what you can and can’t do on social networks,” he said.
As a result, organizations need to rethink their approaches to the adoption and oversight of electronic communications to better compete and grow as a company, Smarsh said.
With new channels such as integrated voice, video, chats and application-sharing being approved for the workplace, compliance teams need to keep pace with archiving and supervision standards.
Companies recognize that talking to a client via text and getting a response in 90 seconds is more effective, but 69% of respondents have little or no confidence that if examined, they could provide specific messages from SMS/text channels within a reasonable time frame, according to the survey.
So there has been a greater push to use technologies to segregate private from corporate information. This is not a new area of technology, Cruz points out. The difference now is that compliance teams are working in tandem with IT, which previously wasn’t “front and center to what compliance people have been concerned about: email and data that flows within IT controlled systems” and tracking and controlling that correspondence, he said.
The volume of data is increasing, especially in collaboration platforms like Microsoft Teams and Slack, but compliance teams are having to do more work while in some cases dealing with flat or declining head counts, Cruz said.
“If you start with the same number of compliance resources it’s more difficult to understand what’s going on in a persistent chat,” he noted. “You can’t just review a message; the content changes and people come and go, and in some cases, it’s regulated staff who shouldn’t be talking to other staff.”
In highly regulated industries like financial services, companies are required to maintain “ethical walls” to make sure employees are providing fair and objective advice to clients that meets their particular investment profile, for example.
“These are controls people have traditionally had in place via a policy but now there’s too many communication sources to just rely solely on the policy and the presumption that people will do the right thing,” Cruz said.
As basic communication has become more sophisticated and collaboration tools let people do more, keeping up puts a huge strain on resources, he said.
“We have a large client that supports today over 60 different communication sources,” meaning employees are allowed to use these tools internally or to communicate with a client because the firm is confident it has the ability to capture, store and track that content, Cruz said. These include WeChat and WhatsApp. “That’s a heavy lift.”
It is critical for compliance teams to understand the complexity of what’s going on in a chat, and when five employees are talking about potentially representing a financial product to a prospective client, “there’s important information someone wants to store and understand…if an issue arises,” he said.
The employee issue
In addition to concerns about data privacy and security, organizations also need to think about what happens when an employee leaves a company, Cruz said.
“These are organic communications in many cases…but they’re also breeding grounds as new places where threats can be launched,” he said. “It’s an easy way to take things with me if I leave a company, because I’m going to use a network where I think I can avoid detection.”
The channels with the greatest compliance gaps are Instagram (50%); text/SMS messaging (40%); Facebook (just under 30%); and collaboration platforms (under 30%), according to the survey.
Cruz said it still surprises him that even with data on phones showing how much time people spend on their devices a day, there are companies that still haven’t acknowledged that “the workplace is on your device. When I talk to compliance teams that say, ‘We’re still trying to block it,’ it’s amazing to me it takes so long to find technology to deal with this.”
How to cope
Many organizations have established compliance groups to evaluate new communication tools before they’re deployed so they can have a more holistic view of them, Cruz said. “Let people communicate how they want, but let’s look at this with eyes wide open and either develop a plan to mitigate—or we’re not going to allow a channel to be used.”
That governance step is a great move to prevent communication platforms from being used in a siloed manner.
It’s important to note that a lot of the existing technologies many firms still use are designed to capture email only, he added.
Firms should understand that employees are having multimodal conversations that cannot be stuffed into older mobile device management (MDM) technologies, which will lose context, he said. “So you need to treat communication sources as they’re rendered natively.”
Cruz also advises companies to review their communication policies and provide periodic employee training.
“It’s someone’s job to go and dust off the manual, but they are static, and you really have to think about the new ways people are interacting today—voice, video, emojis, collaboration tools,” he said. So if you’re allowing them, training needs to be evergreen with whatever new apps are on the horizon, he said.
Using Smarsh’s client as an example, Cruz said that while this year there may be 60 electronic communication sources, “I guarantee next year there will be 70.”