Technical Features for Sound Regulatory Change Management
March 3, 2021, by Stefan Vucicevic
The financial sector faces rising regulatory challenges.
The evolving nature of business records means that companies must manage large volumes of data from varying sources and file formats. Even more importantly, financial institutions need to preserve unstructured data, which are becoming predominant and which conceal useful business insights.
Looking into these data sources and reconciling information locked in data silos is a costly endeavor. When remote work and the pandemic are factored in, the hurdles facing the financial sector can seem impossible to overcome.
On the other hand, it is in these untapped data silos that the pitfalls of non-compliance lie. Companies on average spend around 4% of their revenue on compliance, a figure expected to increase to 10% by 2022.
These compliance issues include regulatory fines; personal liability of employees, especially chief executives; the use of personal devices for business-related communication; a lack of data strategy and of awareness of compliance challenges and individual responsibilities; and constant security threats, which can reduce a company’s value by 7.27% and see it lose up to 99 million records.
One such example was the case of the trading company Scottrade, which failed to properly archive and retain its records: it had failed to preserve business emails and lacked an electronic system to help secure compliance with FINRA and SEC rules. As a result, FINRA fined the company $2.6 million for non-compliance.
Overlooking the Regulatory Landscape
A major part of compliance in the financial industry concerns the sensitivity of personal information. Financial institutions, banks, and brokers all deal with PII on a daily basis. It is the staple business record in the financial sector, found in everything from loan contracts, ledgers, forms and agreements, and pre-contracts to reports and statements submitted by third parties.
As such, compliance efforts in the financial industry need to be particularly well-calculated, as each misstep can have dire effects on the financial institution and all of its clients.
The first step towards fail-safe compliance is keeping abreast of regulations that govern this industry. From major regulations such as FINRA, SEC rules and SOX, to recent pieces of legislation including GDPR and CCPA, companies need to ensure systemic compliance efforts across the board.
The fact is that the scope of compliance is expanding. It’s no longer up to compliance officers alone to tackle the challenge. It’s everyone’s responsibility to ensure data is handled properly within their own field of responsibility. From customer-facing employees to C-level roles, each has an equally important part to play in spreading the awareness and following the procedures consistently to ensure no data slips through the cracks.
Requirements for Financial Institutions
So what implications does this evolving regulatory landscape have? If we look at cases of non-compliance with FINRA rules and similar laws, we get a handy cheat sheet that helps companies devise a sustainable compliance plan.
Here are the key regulatory requirements for the financial industry:
- Introduce a centralized repository for all business records
- Keep all records in a non-rewritable, non-erasable (‘WORM’, write once, read many) format
- Assign responsibility for document preservation to one or more personnel
- Ensure the totality of records is preserved; in the Scottrade incident mentioned above, copies of 168 million emails were not preserved in a centralized archive, and as a result all of those emails were lost
- Support a variety of formats; nowadays all email, social media and instant-messaging communication is treated as a business record. This means that you need to be able to capture and preserve all the communication that flows through these channels. For instance, if your company uses WhatsApp, where employees talk to their colleagues about business cases in real time, it’s important that you ensure all of that communication is preserved in your business WhatsApp archive. The same goes for Facebook, Twitter, Slack or any other channel for inter- and intra-company communication.
Compliance as the Sum of Tech Capabilities
Now that we have these requirements mapped out, let’s see how they translate into technical requirements that can help financial institutions ensure compliance:
- Automate business processes and record-retention efforts; given the rise in the volume of data, it’s impossible to manually copy and store each business record. That’s why it’s important that your records management system can automatically detect, process, and index incoming and outgoing communication
- Ensure customizable data access; for compliance purposes, it’s essential that only authorized personnel have access to crucial information, as all other access and data manipulation would be considered unauthorized and could result in data breaches
- Make use of existing data; to ensure proper compliance as well as business excellence, it’s most efficient for companies to first make use of their proprietary data, since this allows them to understand their business processes and optimize them
- Introduce redaction capabilities; when working with sensitive data, it’s important to disclose only those pieces of records that pertain to the case. Sometimes, however, a financial company needs to disclose records that also hold information on other third parties. Hence, it’s essential that the financial institution has redaction features that allow compliance officers to remove all third-party data that is irrelevant to the case
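To make the WORM and redaction requirements above concrete, here is an added illustration (not code from the original post or from any product it refers to) of an append-only archive whose entries are hash-chained so that alteration of a stored copy is detectable, together with a redaction step that masks third-party names and account numbers on a disclosure copy only. The `WormArchive` class, the `ACCOUNT_NUMBER` pattern and the sample message are constructed for this example.

```python
import hashlib
import json
import re


class WormArchive:
    """Append-only store modelling a 'WORM' archive: entries can be added
    and read, never altered or removed. Each entry's hash covers its own
    content plus the previous hash, so tampering breaks the chain."""

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(payload, prev_hash):
        blob = json.dumps(payload, sort_keys=True) + prev_hash
        return hashlib.sha256(blob.encode()).hexdigest()

    def store(self, channel, sender, body):
        prev_hash = self._entries[-1]["hash"] if self._entries else ""
        payload = {"id": len(self._entries), "channel": channel,
                   "sender": sender, "body": body}
        self._entries.append(dict(payload, hash=self._digest(payload, prev_hash)))
        return payload["id"]

    def read(self, record_id):
        # Hand out a copy so callers can never mutate the archived entry.
        return dict(self._entries[record_id])

    def verify(self):
        # Recompute the chain; any edited entry (or broken link) fails.
        prev_hash = ""
        for entry in self._entries:
            payload = {k: v for k, v in entry.items() if k != "hash"}
            if entry["hash"] != self._digest(payload, prev_hash):
                return False
            prev_hash = entry["hash"]
        return True


# Constructed pattern for account identifiers that must not leave the
# institution in a disclosure; a real deployment keeps its own list.
ACCOUNT_NUMBER = re.compile(r"\b\d{8,12}\b")


def redact_for_disclosure(archive, record_id, third_parties):
    """Return a disclosure copy with third-party names and account numbers
    masked. The archived entry itself is left untouched (WORM)."""
    copy = archive.read(record_id)
    body = ACCOUNT_NUMBER.sub("[ACCOUNT REDACTED]", copy["body"])
    for name in third_parties:
        body = re.sub(re.escape(name), "[THIRD PARTY REDACTED]", body)
    copy["body"] = body
    return copy
```

The compliance officer supplies the list of third-party names to mask; the original record stays verifiable in the archive after the redacted copy is produced.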
ABOUT THE AUTHOR
Stefan Vucicevic is a tech writer covering compliance in regulated industries and enterprise information archiving.