A new era of digital compliance and controls
Balancing speed and control in the new normal
COVID-19 and government-imposed lockdowns have tested the resilience of companies across every industry. While for some people this is an extension of previous working-from-home practices, many workers have been impacted by their employer's need to remotely monitor for compliance with important laws and regulations.
Compliance concerns increasing around market sensitive information
The UK-mandated lockdowns have resulted in an estimated 18 million people working from home, and many millions more worldwide. For sectors which operate within a strict regulatory environment, remote working poses additional challenges in complying with regulatory rules regarding the security of market-sensitive information and stringent rules on electronic communication.
Many compliance concerns pre-date COVID-19, and examples are easy to find, such as the use of unauthorised communication platforms and the existing quality of communications monitoring on authorised platforms. However, many people believe the risk grew exponentially when traders were mandated to work remotely, as the closely monitored trading floor is a stark contrast to unmonitored home offices and kitchen tables. Perhaps there’s an even greater temptation to act in a non-compliant way, as the potential loopholes become more pronounced. Is this a digital risk too far?
Regulators urge enhanced controls
Regulators have always required companies, such as the banks, to make reasonable efforts to monitor employees’ communications, so that such communications can be analysed and market manipulation and insider trading monitored. Regulators have urged companies to enhance the broad control environment in relation to working from home.
This has translated as a need to:
- establish, implement and maintain effective recordings of telephone conversations and electronic communications,
- retain appropriate records and data for at least five years from this period,
- tell employees not to delete records,
- continue to submit regulatory data and filings,
- notify the regulator of any concerns and submit related data as soon as possible; and
- take steps to prevent market abuse risks and take reasonable steps to prevent a relevant person from making, sending or receiving relevant telephone conversations and electronic communications on devices which the firm is unable to record or copy.
Reasonable efforts: When enough is not enough, and the digital risks are too much
However, there are concerns that the digital risks cannot be adequately mitigated. Add to this the personal responsibility involved in ensuring data loss is prevented, such as information security awareness practices around locking a laptop, clearing a desk or using a non-secure printer. It is potentially harder to remember to comply in a suddenly new, more informal work environment, or flat-share situation, and the digital risk is certainly heightened.
It has been recognised by some regulators, such as the European Securities and Markets Authority, that exceptional circumstances have been created by the pandemic, and that some scenarios exist where the recording of conversations may not be possible, due to sudden remote working or lack of access to electronic communication tools. In such scenarios, regulators have considered temporary alternative monitoring steps such as the use of written minutes of conversations, notes of relevant telephone conversations, and retrospective reviews. So, it seems that some new protocols will help continue to drive compliance and go some way to mitigating the digital risk of working from home in some industries.
Continue the investigations
There has been a corporate temptation to postpone investigations. This is an understandable viewpoint, given the other pressures on the organisation at this time; however, it may not be advisable. Companies need to be prepared to proceed with investigatory activity to address reports of misconduct, and there needs to be a consistent process in place, despite the new ways of working. We have seen that implementing enterprise-wide programmatic solutions is helpful, and many companies are putting in new protocols as they realise that the regulators are clear that they expect companies to continue to meet their regulatory obligations whilst employees are working remotely.
Remote investigations bring their own risks and companies are doing well if they bring these risks to the fore when conducting investigations, in order to protect privilege or prevent manipulation due to the remote nature of the interview.
In good company
Reminding your staff of policy commitments through the use of employee attestations is helping some firms to reinforce positive behaviours and ensure appropriate handling of company data. Others are making it easier to report potential breaches of internal/external requirements by increasing the visibility of hotlines and employee portals. Whatever your route to compliance may be, businesses are facing the same challenge of mitigating digital risk whilst achieving scalable and sometimes innovative digital transformation.