The Need for Effective, Holistic Compliance Monitoring and Surveillance

In a perfect world, compliance monitoring would be redundant. Financial regulators would exist solely to define the policies and procedures needed to protect consumers, with compliance departments acting in a purely advisory role to help firms apply these principles according to their own unique requirements and structure.

In this utopia, the process of enforcing these policies would simply be a matter of lending a guiding hand when required. All members of staff, from the most junior clerk to the CEO, would take it upon themselves to adopt and adhere to these principles, working together for the best interests of their clients.

As a result, compliance monitoring systems, surveillance, detection and investigation of misconduct; abuse; crime; or even just the occasional honest slip-up, would barely be required, if at all.

And pigs might fly.

While working towards this ideal culture is undoubtedly commendable, the reality is that the roles played by regulators and compliance, risk, governance, monitoring, surveillance and audit teams are becoming increasingly complex and ever more vital.

Even with the best of intentions, humans make mistakes. People have their own agendas and, with the opportunities and pressures inherent in an industry that focuses specifically on managing the flow of vast sums of wealth, some may be tempted to bend or even break the rules. Or coerce others to do so on their behalf.

Fear and greed can both play a part. Some organisations are ineffectively structured and/or badly managed. Some people just act irresponsibly now and then.

Digitalisation and globalisation present further challenges. The alarming pace of technological change provides many opportunities for both good…and not so good. The explosion in the ways that people can now communicate and do business with each other means that strict regulation and enforcement are now more crucial than ever.

With the risk landscape growing more and more complex and new, increasingly granular regulations being continually introduced in an attempt to keep up, compliance departments must also become more sophisticated in the way they conduct eComms surveillance to monitor and control these risks.

Capital Markets Compliance in the “Golden” Age of Communication

Once upon a time, in the early 1990s, things were simpler. Mobile phones looked like bricks and cost a small fortune. Telephone calls were all made over copper wires, and email and the internet were strictly the territory of academics.

Meanwhile, Mark Zuckerberg had just started primary school, getting his first lessons in Atari BASIC programming from his Dad. The closest thing to “Social Media” back then was reading someone else’s newspaper over their shoulder on a crowded train. And the “Cloud” was still just a fluffy white thing in the sky…

Compliance monitoring systems essentially consisted of nothing more than document storage, bulky, expensive tape drives and endless reels of tape, with no easy way to locate specific calls and certainly no way to perform any kind of meaningful analysis.

There was no such thing as e-communications surveillance monitoring because, well…e-communications didn’t really exist.

The mass adoption of email over the following years, along with the explosive growth of the internet into the mainstream – fuelled by huge investment in infrastructure to provide superfast data connectivity – signalled the beginning of a massive transformation.

The commoditisation of mobile phones and rapid expansion of GSM networks revolutionised the way people communicate, to the point where there are now over a billion more mobile connections on the planet than there are people.

With the development of smartphones and the rollout of 3G, 4G and now 5G mobile data services, mobile phones have become indispensable to businesses. Unified Communications and cloud computing allow organisations and their employees to work flexibly, from almost anywhere in the world, with constant access to their corporate network and the systems and tools required to carry out their roles.

Communication with colleagues, clients, partners and other third parties now takes place in countless ways, over numerous forms of media – voice calls over fixed lines, dealer boards and mobiles; SMS; video calls; social media; and an ever-growing list of instant messaging applications, from WhatsApp to Yahoo chat, Skype, Bloomberg chat and everything in between.

Great for staying connected with each other, but a potential minefield for Risk and Compliance departments…how do you control risk and ensure your organisation is compliant when you don’t have proper visibility of what your staff are doing?

The Expanding Scope of Regulatory Requirements for Compliance Monitoring Systems and Market Abuse Surveillance Tools

With the adoption of new forms of multimedia communication over the years, regulators have had to expand the scope of existing legislation, and introduce new directives, to attempt to mitigate this risk, particularly in the wake of the 2007/8 financial crisis.

The UK Financial Services Authority’s COBS 11.8 directive in 2009, outlining the parameters of a new regime for the recording of voice and electronic communications, included several important exemptions.

Most notably, all conversations and communications (except email) over mobile devices were excluded from the recording requirement. Discretionary Investment Managers were also able to claim exemption for any communications that could reasonably be expected to be recorded on the other end, i.e. by the entities which were carrying out the execution of transactions.

With the increase in mobile usage and the growth in mobile call recording solutions, the mobile phone exemption was eventually removed in November 2011.

The subsequent introduction of MAR and MiFID II across Europe, and Dodd-Frank in the USA, have significantly widened the scope of monitoring, surveillance, recording and reporting requirements and provided a far more detailed breakdown of firms’ obligations and the measures they are expected to have in place in order to be compliant.

Certainly in the UK, and no doubt elsewhere, it has become clear that there is a significant disconnect between what many firms have considered to be “reasonable steps” and the expectations of the regulators.

As a result, the extension of the Senior Managers & Certification Regime (SM&CR) in December 2019, to include all FCA-regulated bodies, has caused some considerable concern among many firms.

Industry polls taken in June-July 2019 suggest that an overwhelming majority of firms (84.3%) conduct little or no Voice and eCommunications surveillance, many (62%) still have “a lot more” or “everything” still to do to implement SM&CR and most (84%) feel that “internal set-up and culture” are a key challenge.

Considering the level of personal accountability being introduced with the regime, it is no surprise then that firms’ trade surveillance technology and communications compliance monitoring tools are now coming under intense scrutiny.

To put it bluntly, when it’s your own head on the block, you want to make sure it doesn’t get chopped.

The Limitations, Costs and Inherent Risks of Data Silos

The underlying issue for many firms originates from the piecemeal way in which new forms of communications media have emerged over time, and the phased expansion in regulatory requirements associated to monitoring, capturing, storing and analysing communications.

Years of having to adopt different systems for new forms of communications data have led to most organisations (both large and small) eventually finding themselves with a fragmented array of disparate vendor, technology and data silos for the surveillance, capture, storage and analysis of various media types.

For example, on one end of the scale, a small, single-site fund manager might have one system to record landline calls, another to capture mobile calls and SMS, another to capture video calls, and a number of others to capture various forms of instant messaging, with some or all of these media types then being stored in separate repositories.

A global investment bank, on the other hand, might have accumulated dozens of recorders over the years, from multiple vendors, spread across numerous countries, just for capturing fixed line calls. These recordings may also be stored locally within each jurisdiction, creating further silos of data.

The dispersal of companies’ communications data across so many disjointed legacy platforms, and the absence of a single, unified view of the data across each of these silos, is the root of many of the problems that businesses face.

Having to work with such a wide range of different systems means firms are not only incurring significant costs (hardware, maintenance, licencing etc.) but are severely limited in their ability to extract any useful information from their data, and are subsequently exposed to very real operational and regulatory risks.

Real-time communications surveillance becomes practically impossible. Any proactive monitoring must be done manually, which is both resource-intensive and ineffective, and leaves firms unable to effectively deal with the volume of false positives often generated by their market surveillance systems.

The ability for timely case reconstruction, necessary for Dodd-Frank and MiFID II compliance, is also severely impaired. If required by regulators to reconstruct a trade within a certain timeframe, many firms would simply be unable to do so.

At least, not without spending an arm and a leg on external consultancy fees. Historically, many might have preferred to just pay the fine – possibly a less attractive option under SM&CR.

The Search for a Holistic Surveillance Solution and The Budgetary Tug-of-War

To address this, most organisations have now recognised the need for a more holistic surveillance solution. Some of those with deeper pockets are already working with various regulatory compliance software companies to pull together their many systems to form a coherent whole.

In general, this has involved deploying a layer of middleware to sit over the top of their myriad legacy systems and provide a central hub.

However, although this does give a more complete view of their data to those firms who can afford it, it is still adding yet another layer of technology and cost, to essentially form a “patchwork of data silos”, as opposed to addressing the root issue itself and breaking down data silos altogether.

In addition, depending on the solution(s) used, firms may still struggle to meet regulatory case reconstruction requirements and deadlines in time; especially if, for example, source data is stored in other countries or is spread across multiple jurisdictions.

For many firms though, budgets and resources are an issue, and taking an expensive and inefficient silo-based approach to compliance monitoring and surveillance is simply not an option. Even in larger organisations, there is often a tug-of-war between IT and Compliance departments as to whose budget should be used…with the Finance department stuck in the middle.

Using holistic compliance monitoring software for effective market abuse surveillance, however, is now a vital requirement for all firms, and affects all departments.

A solution is required that removes cost as an obstacle. A solution which, by eliminating data silos and replacing them instead with a single, unified platform for monitoring, capturing, normalising, storing and instantly recalling all forms of voice and electronic communications and market data, allows firms to reduce costs rather than add to them.

Such a solution would have far-reaching benefits, solving critical problems faced not only by Chief Compliance and Risk Officers, but also by Heads of Technology, Operations and Finance – as well as, ultimately, Chief Executives. And of course, most importantly, resulting in a better, safer service for end customers.

Which is the whole point…right?

The Holy Grail of Compliance Monitoring Software – “What If…?”

Technology and cultural change will always be around, forcing organisations to adapt. Mankind, by our very nature, will always ask “what if?” – forever pushing the boundaries of possibility, until the “impossible” eventually becomes the norm.

The challenges facing regulated firms will continue to evolve constantly. What may appear almost insurmountable now, will eventually become commonplace.

For now, financial institutions need to undergo a significant shift, moving away from the use of layers of legacy compliance monitoring systems and controls to a single, unified, holistic surveillance solution that allows them to meet the challenges of today and the road ahead.

The question is…what if?

What if this solution already exists?

See https://edge-edge.co.uk/soteria.

About DoubleEdge