Five questions about regulatory communications management
An interview with Sean Riley, Terry Bock, and Paul Yackinous, Deloitte Risk and Financial Advisory
Regulatory mandates and other business demands require that many companies, particularly in highly regulated and litigious industries such as financial services and pharmaceuticals, retrieve and produce extensive employee communications. For years, the massive and growing volume of communications data that must be captured and retained to meet these requirements has created new risks and costs for those companies.
- Future-state regulatory communications management platform
- Features and functions of a next-generation platform
- Arrival of a next-generation platform
- Deployment of a next-generation platform
- Key issues regarding data quality
What does the future-state regulatory communications management platform look like?
The next-generation regulatory communications management platform should enable firms to maintain compliance with applicable books and records requirements, provide the data required to fuel analytics-driven surveillance, and provide a reliable source of data for eDiscovery and defensible disposition.
What are some of the features and functions of a next-generation platform?
In order to meet sometimes competing requirements of compliance and reduction in legal risk, the next-generation platform should aggregate electronic communications with other regulatory required data (e.g., sales practice complaints, outside business activities, AML, insider trading, investigations). Further, internal and external data provides the context necessary to perform effective eDiscovery and surveillance, including market condition data, external events (mergers, acquisitions), and critical enterprise data (e.g., HR data, organizational structure).
Advanced analytics technologies will likely fuel risk-driven, broad-based surveillance informed by the firm’s complete and aggregate intelligence associated with their covered persons, transactions, as well as oversight and surveillance activities.
Rather than randomly selecting electronic communications for review or relying on complex yet blunt lexicons, analytical models can allow firms to identify emerging risks associated with people, transactions, and customers.
The enhanced context provided by the universe of data in the next-generation platform should allow for significantly more intelligent eDiscovery. Enhanced with tools that can analyze and index voice communications and incorporate machine learning to improve outcomes, eDiscovery is both more automated and efficient.
Better information about data and its value to the enterprise will help firms to confidently dispose of unneeded data in a defensible fashion. Data quality tools monitor data sources, data quality, and data availability on a real-time basis. IT professionals can address system outages and issues that affect compliance much more quickly and help firms avoid the dreaded Rule 4530 reporting associated with compliance gaps.
What are some concrete actions companies can take now to prepare for the arrival of a next-generation platform?
An important first step is to get a handle on the company’s global regulatory books and records footprint. Regulatory requirements, whether local in nature or cross-jurisdictional, should be considered from process, technology, and data perspectives. It is critical that firms broaden focus beyond electronic communications to all other required books and records (per SEC Rule 17a-3, CFTC rules, MSRB regulations, etc.) and prepare them for migration to the next-generation platform.
It can be helpful to categorize the regulatory environments the company operates in by country and get legal and compliance teams to identify the key regulations requiring focus in those jurisdictions. In addition to these local requirements, some regulations, such as those in a business’s headquarters country, can affect operations globally. Understanding and documenting these are foundational in constructing a globally consistent approach to regulatory compliance.
Once the regulatory environment is well understood, a survey of communication sources within the enterprise may be undertaken. Particular care should be applied to reviewing vendor solutions and line-of-business solutions that exist beyond the purview of IT. It is also critical to identify the employees, contractors, and externals that require communications archiving, and that the organization have a repeatable and defensible means of provisioning archiving for communication sources and users.
Firms should also identify key supervisory and surveillance data sources and confirm that such data is available for consumption in the next-generation platform. Some firms store sensitive information associated with supervision activities (e.g., internal investigations, heightened supervision, branch exams, anti-money laundering, insider trading, sales practice complaints, outside business activities) in non-enterprise systems or even spreadsheets and relational databases. For some data sources, rationalization of taxonomy, data definitions, and storage media may need to be transformed.
What type of governance will be needed with the deployment of a next-generation platform?
Effectively managing regulatory communications and meeting regulatory expectations should include the establishment of a defensible program, inclusive of technology, processes (and procedures), oversight, controls, and testing.
The ability to demonstrate to regulators that regulatory communications are managed in a controlled and careful way may allow firms to weather the inevitable gaps in compliance that come from a complex ecosystem.
Governance considerations should include the full lifecycle of communications from provisioning of data sources and regulated persons; to the creation and storage of communications in business applications, vendor/cloud applications and messaging platforms; and finally to their storage and disposition in regulatory archive platforms.
Involvement from IT, legal, compliance, and lines of business is critical. New communication sources are introduced on a regular basis—some of those sources are beyond the direct control of either IT or compliance. Establishing controls and processes within the procurement and IT project management methodology is critical to assuring that communications are captured with the appropriate levels of data quality.
What are some key issues to address regarding data quality?
In order to maintain compliance and meet regulatory expectations, firms should consider the quality of the communications data holistically, across the following dimensions:
- Completeness: Capture of all messages from all known sources associated with all required covered persons, including proper provisioning of devices and applications
- Accuracy: Consistent message metadata, integrity of message content, transformations, database, and full-text index
- Timeliness: Messages are archived within acceptable timeframes and gaps are addressed in a timely manner
- Consistency: Mapping of source fields, handling of message types, and provisioning of users across all components of the archive and segments of the user population
- Accessibility: Index reflects sufficient metadata to find messages associated with a person or transaction and format of message allows for viewing
- Auditability: Historical tracking and reporting on any action and person that changes data or metadata, or otherwise impacts the archival ecosystem
Given that in many firms there may be dozens of communications sources and billions of messages accumulating over time, a piecemeal or manual approach to data management no longer suffices.
In order to measure, remediate, and report on the overall quality of the regulatory communications ecosystems, many firms are investing in purpose-built platforms that monitor message sources and archives.
Firms should start on their journey to a next-generation regulatory archive platform now. Significant preparation will be required, including new skillsets (e.g., data quality management, analytics, and data science), investment in technology, and enhancements in process and governance.