Establishing a Successful Compliance Triumvirate Through Technology, Data Management and Human Behavior
Data risks and the ongoing growth of cloud-based communications within enterprises continue to present challenges for compliance teams in the financial services sector. Whereas communications data was once stored and managed in centralized servers within the walls of enterprise data centers, now much of the data that financial services institutions are required to preserve, monitor and report against is stored across a myriad of platforms outside the perimeter of the enterprise and without robust compliance controls. Meanwhile, regulatory authorities worldwide are increasingly focused on gaps in institutions’ ability to uphold robust compliance programs and fulfill their records management requirements.
FTI Technology’s experts participated in panels and group discussions at the recent Smarsh Connect events in the U.S. and U.K. to discuss these issues and the intersection between compliance, digital communication and human behavior. Key takeaways from these discussions, recent client work and other industry observations include:
- Rapid and widespread acceleration and adoption of technology is not abating. New chat, collaboration and productivity tools are coming on board all the time, alongside constantly evolving features and functionality within existing cloud platforms (e.g., Google Workspace and Microsoft 365), which are often released in advance of the appropriate tools to manage governance and compliance. This leaves compliance professionals in a state of constantly chasing technology changes to address regulatory and preservation obligations implicated by these new tools.
- Human behavior remains a leading risk. People will naturally look for the easiest option to complete their work, which has prompted a widespread shift to consumer-orientated chat tools like WhatsApp and WeChat, as well as increased use of personal devices for work-related communications. Forward-thinking organizations are shifting their approach from prevention to enablement, supported by tools such as Smarsh Enterprise Archive, that can capture and archive data from chat and collaboration platforms to address compliance needs.
Additionally, there will always be a small percentage of employees who use these tools with nefarious intent. The use of multiple channels and frequent channel hopping can be difficult to identify and intercept, especially when activities are taking place on channels unknown to the compliance team. To address this, some organizations are proactively investigating and exploring new or previously unknown communications channels that are being used throughout the organization, including using mobile device imaging with user consent. Through this approach, organizations can better respond and remain on the front foot with respect to the capture, archiving and monitoring of communications across an ever-widening universe of channels.
- Tone at the top: Organizations also struggle with groups of employees who may behave as though they are exempt from policies. In particular, senior-level employees sometimes believe the same rules that apply to others do not apply to them, which may create regulatory compliance grey areas. Overcoming some of these people-centered challenges often requires implementation of internal communications and training campaigns that help instill a culture of compliance for employees at all levels.
- Varying regulatory approaches. Multinational companies must also contend with a constantly changing landscape of regulatory enforcement and requirements, which can vary widely between different authorities. In the U.S., agencies have recently taken a strict stance, issuing fines and penalties for non-compliance with a range of obligations.
Over the past year, financial services institutions have been the subject of numerous sweeps and large fines for failure to preserve data from mobile, chat and cloud-based applications. Furthermore, updated guidance issued by the DOJ and FTC reinforced preservation obligations for off-channel communications and collaboration tools, thus widening the regulatory scrutiny to all industries beyond financial services. Conversely, in the U.K., while regulators are increasingly focusing on data retention within cloud systems, the approach has leaned toward incentivizing compliance vs. issuing fines. All these variables contribute to a complex environment in which organizations must track and respond to enforcement tactics that vary from region to region.
FTI Technology and Smarsh also shared insights about the state of compliance and data management within the recent Banking on the Cloud report from AWS, which covered how financial services institutions are responding and transforming in this evolving environment. FTI Technology and Smarsh contributed to a discussion surrounding the importance of compliance process automation, specifically how reliance on labor-intensive manual tasks has clashed with the need for compliance teams to be agile and efficient in managing large volumes of disparate data. This section underscored that artificial intelligence and automation tools must be leveraged as complements to, not substitutes for, human judgement.
Indeed, when fit-for-purpose tools are paired with expert oversight, compliance practices can become continuous, in-the-moment and perpetually updated with fresh data from a myriad of sources both within and outside the organization. This dynamic integration enables real-time risk assessment and prompts targeted, in-depth investigations when necessary, thus enhancing overall compliance efficacy.
A good example of this approach at scale is how FTI Technology worked with Smarsh at a large global bank to implement its Enterprise Compliance Platform. The platform, built on AWS, helps the firm archive, retrieve and monitor communications for compliance, risk mitigation and business insight. This implementation addresses legal, risk and compliance imperatives and also aligns with the organization's strategic goal of fostering long-term success through effective compliance management. With a single source of truth for all electronic communications channels and other data artifacts, the client can reinforce compliance and fulfill other legal and regulatory obligations continuously across the organization.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.