26 Firms, $392M in Recordkeeping Compliance Fines: How to Avoid It


According to Veritas Research, Risk and Regulatory Intelligence, 67% of organizations lack effective tracking mechanisms for off-channel communications. On August 14th, the US Securities and Exchange Commission announced that 26 financial firms had agreed to pay combined penalties of $392 million for “widespread and longstanding failures by the firms and their personnel to maintain and preserve electronic communications.” Three of the firms self-reported their violations and, as a result, paid lower civil penalties.

“Among this group of firms, there are several that differentiated themselves by self-reporting prior to the staff’s investigation, demonstrating once again the real benefits of proactive cooperation.” - Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.

Each investigation uncovered longstanding and pervasive use of unapproved, non-compliant communications methods. The firms also committed widespread recordkeeping violations, and many were found to have breached their own internal policies on approved communications platforms. The violations occurred at all employment levels, up to and including the C-suite.

Electronic Communications

Electronic communications platforms like instant messaging (IM) have transformed communication within financial institutions. They offer real-time interaction, quick decision-making, and a fast path to executing transactions. However, the convenience of these platforms comes with significant responsibilities, particularly concerning data security and regulatory compliance. For financial institutions, safeguarding electronic communications data is imperative to comply with stringent global financial regulations.

Key Drivers to Safeguarding Electronic Communications Data

Regulatory Compliance

Financial institutions are subject to numerous regulations that mandate the retention, security, and privacy of communications. Key examples of these regulations include:

  • The Securities and Exchange Commission (SEC) Rule 17a-4: Requires broker-dealers to preserve records, including electronic communications such as IM, for at least three years, the first two in an easily accessible place. Electronic records must be kept either in a non-rewritable, non-erasable format such as WORM (write once, read many) storage or, since the 2022 amendments to the rule, in an electronic recordkeeping system that meets the rule's audit-trail alternative.
  • Financial Industry Regulatory Authority (FINRA) Rule 4511: Requires member firms to make and preserve the books and records mandated by FINRA and SEC rules, in a format and media that comply with SEA Rule 17a-4; records for which no retention period is specified must be kept for at least six years.
  • General Data Protection Regulation (GDPR): Imposes strict requirements on data protection and privacy for institutions operating within the EU or processing the personal data of individuals in the EU.
  • Australian Prudential Regulation Authority (APRA) – Prudential Practice Guide CPG 234 (Information Security): This practice guide sets out expectations for information security management, including the controls an institution should have in place when business communications run over channels such as instant messaging.

Securing your communications data is critical to meeting these regulations, and it is the way to avoid the violations that lead to substantial sanctions, fines, legal penalties, and reputational damage within the financial market.

Preventing Data Breaches and Cyber Attacks

Communications platforms like instant messaging are prime targets for cybercriminals. Unauthorized access to communications data can lead to data breaches, exposing sensitive client information and proprietary data. This not only disrupts business operations but also damages the institution's reputation and erodes client trust. Robust security measures and enterprise-level data protection and backup are essential to protect communications data from cyber threats.

Ensuring Data Integrity and Availability

The integrity and availability of data are crucial in the financial sector. Electronic communications data must be accurately captured, stored, and retrievable when needed. Whether for internal audits, regulatory inspections, or legal disputes, financial institutions must be able to show that this data has not been altered since capture and that it is available on demand. This supports compliance efforts and enhances operational efficiency.

Supporting Investigations and Litigation

Electronic communications data (e.g., instant messaging, VoIP, and video conferencing recordings) can be pivotal in internal investigations and litigation. Financial institutions must provide comprehensive and accurate records of communications to support legal proceedings, demonstrate compliance, or resolve disputes. Proper archiving and safeguarding of your electronic communications data ensures that institutions can respond effectively to such requirements.

Best Practices for Safeguarding Electronic Communications Data

Implement Comprehensive Electronic Communications Data Policies

Establish clear policies governing the use of electronic communications data like instant messaging within the institution. These policies should outline acceptable use, data retention periods, and security protocols. Employees must be educated in these policies and trained to adhere to best practices for secure e-communication.

Utilize Secure Electronic Communications Platforms

Not all electronic communications platforms offer the same level of security. Financial institutions should select electronic communications tools that provide strong encryption in transit and at rest, secure data storage, and robust access controls. Enterprise platforms such as Microsoft Teams often include additional security features suitable for financial environments, including compliance export and retention hooks. One caveat: a platform that is end-to-end encrypted between users only satisfies recordkeeping rules if the archive can still capture every message, either at the endpoint or through a platform-provided compliance feed; encryption the firm cannot see through is, for supervision purposes, an off-channel communication.

Implement Data Archiving Solutions

Archiving electronic communications data is crucial for compliance and data integrity. Financial institutions should deploy automated data archiving solutions that capture, classify, and store this data in a secure, tamper-evident manner, so that any later edit or deletion is detectable. These solutions should support indexing and search functionalities to facilitate easy retrieval of data when necessary.
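The following is an added illustration, not code from the original post or from the Veritas platform, of what "tamper-evident" means for a message archive: each stored record commits to the hash of the record before it, so editing, deleting or reordering any message breaks the chain at a detectable position. The message data is constructed for the example and the platform, sender and recipient names are hypothetical.

```python
from __future__ import annotations

import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # predecessor hash for the first archived record

# Constructed sample capture: (platform, sender, recipient, text, utc_timestamp).
# Hypothetical data, not taken from any real firm or product.
SAMPLE_MESSAGES = [
    ("teams", "trader1", "client-a", "Confirm 10k shares at 42.10", "2024-03-01T14:02:00Z"),
    ("teams", "trader1", "client-a", "Settlement T+1, will send the ticket", "2024-03-01T14:03:10Z"),
    ("teams", "compliance", "trader1", "Reminder: keep client comms on approved channels", "2024-03-01T15:00:00Z"),
]


def _digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the predecessor hash plus a canonical JSON rendering of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ChainedArchive:
    """Append-only archive in which every entry commits to the entry before it."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, platform: str, sender: str, recipient: str, text: str, timestamp: str) -> str:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        record = {"seq": len(self.entries), "platform": platform, "sender": sender,
                  "recipient": recipient, "text": text, "timestamp": timestamp}
        entry = {"record": record, "prev_hash": prev_hash, "hash": _digest(prev_hash, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash of the newest entry. Store it out of band (e.g. on WORM media): the chain
        proves nothing was altered *inside* it, but only a trusted head proves nothing was
        chopped off the end."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain from genesis. Returns (True, None) or (False, first_bad_index)."""
        prev_hash = GENESIS_HASH
        for index, entry in enumerate(self.entries):
            record = entry["record"]
            if (record["seq"] != index
                    or entry["prev_hash"] != prev_hash
                    or _digest(prev_hash, record) != entry["hash"]):
                return False, index
            prev_hash = entry["hash"]
        return True, None

    def search(self, term: str) -> list[dict]:
        """Case-insensitive substring search over message text, for audit or eDiscovery pulls."""
        needle = term.lower()
        return [e["record"] for e in self.entries if needle in e["record"]["text"].lower()]


def build_sample_archive() -> ChainedArchive:
    archive = ChainedArchive()
    for message in SAMPLE_MESSAGES:
        archive.append(*message)
    return archive


def tampered_copy(archive: ChainedArchive, seq: int, new_text: str) -> ChainedArchive:
    """Simulate an after-the-fact edit of one message; stored hashes are left untouched."""
    clone = copy.deepcopy(archive)
    clone.entries[seq]["record"]["text"] = new_text
    return clone


def deleted_copy(archive: ChainedArchive, seq: int) -> ChainedArchive:
    """Simulate quietly dropping one message from the archive."""
    clone = copy.deepcopy(archive)
    del clone.entries[seq]
    return clone


if __name__ == "__main__":
    archive = build_sample_archive()
    print("intact:", archive.verify(), "head:", archive.head()[:16])
    print("edited:", tampered_copy(archive, 1, "Settlement T+3, will send the ticket").verify())
    print("deleted from middle:", deleted_copy(archive, 1).verify())
    print("search 'settle':", [r["seq"] for r in archive.search("settle")])
```

Note the limit the `head()` comment points at: deleting the most recent message leaves a chain that still verifies, because nothing after it exists to disagree. That is why the current head hash (or the whole archive) belongs on WORM or audit-trail storage that the archiving system itself cannot rewrite, which is the property SEC Rule 17a-4(f) is asking for.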

Conduct Regular Audits and Monitoring

Continuous monitoring and regular audits of electronic communications data are essential to ensure compliance and identify potential security vulnerabilities. Financial institutions should implement monitoring tools that provide real-time alerts for suspicious activities, including the attempts to move a conversation off an approved channel that were at the center of the SEC's findings. Advanced AI-powered solutions can automate the first pass while keeping a human reviewer in the loop for anomalous communications, so that any non-compliance issue is addressed rather than merely logged.
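As an added example (not code from the original post or from any Veritas product), here is the simplest form of the surveillance rule that the monitoring described above has to run: a lexicon scan over messages captured from an approved channel that flags invitations to continue the conversation somewhere unsupervised. The messages, names and rule set are constructed for the example; a production lexicon would be much larger and tuned against the firm's own false-positive data.

```python
import re

# Constructed sample messages captured from an approved channel:
# (sender, recipient, text). Hypothetical, not real firm data.
SAMPLE_MESSAGES = [
    ("trader1", "client-a", "Can you text me on WhatsApp about the order?"),
    ("trader1", "client-a", "Call my cell 555-867-5309 after the close"),
    ("ops", "trader1", "Ticket booked, confirmation sent via the approved channel."),
    ("analyst2", "trader1", "Signal flashed red on the Bloomberg terminal this morning"),
    ("client-a", "trader1", "Let's take this to Signal, easier than Teams"),
]

# Each rule is a labelled regex. "signal" on its own is too ambiguous in a trading
# context (trading signals), so it is only flagged when a preposition implies moving
# the conversation there; the unambiguous consumer apps are flagged wherever they appear.
APP_TERMS = r"whatsapp|telegram|wechat|imessage|signal"
RULES = {
    "move_to_messaging_app": re.compile(
        rf"\b(?:on|via|over|to|through|using)\s+(?:{APP_TERMS})\b", re.IGNORECASE),
    "consumer_app_named": re.compile(r"\b(?:whatsapp|telegram|wechat)\b", re.IGNORECASE),
    "text_me": re.compile(r"\btext me\b", re.IGNORECASE),
    "personal_contact": re.compile(r"\bpersonal (?:cell|phone|number|email)\b", re.IGNORECASE),
    "phone_number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}


def flag_off_channel(messages):
    """Return one alert per message that matches at least one rule.

    Each alert names every rule that fired so a reviewer can see why it was raised;
    the reviewer, not the rule, decides whether it is a violation.
    """
    alerts = []
    for seq, (sender, recipient, text) in enumerate(messages):
        reasons = [name for name, rule in RULES.items() if rule.search(text)]
        if reasons:
            alerts.append({"seq": seq, "sender": sender, "recipient": recipient,
                           "reasons": reasons, "text": text})
    return alerts


def alerts_by_sender(alerts):
    """Count alerts per sender: repeated invitations from one person are the pattern
    supervisors escalate, not a single stray phone number."""
    counts = {}
    for alert in alerts:
        counts[alert["sender"]] = counts.get(alert["sender"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_off_channel(SAMPLE_MESSAGES)
    for alert in hits:
        print(f"msg {alert['seq']} from {alert['sender']}: {alert['reasons']} :: {alert['text']}")
    print("per sender:", alerts_by_sender(hits))
```

Run against the sample, messages 0, 1 and 4 are queued for review while message 3 ("Signal flashed red...") is not, which is the trade-off the comment on `APP_TERMS` describes: the rule set is tuned to give the human reviewer a manageable queue, and recall is recovered by widening the lexicon as missed cases turn up in audits.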

Enforce Access Controls and Authentication

Controlling access to communications data is critical to prevent unauthorized use. Financial institutions should enforce strict access controls, ensuring that only authorized personnel can access sensitive communications. Multi-factor authentication (MFA) should be implemented to add an additional layer of security.

Ensure Compliance with Data Protection Regulations

Financial institutions must stay abreast of evolving data protection regulations and ensure that their electronic records safeguarding practices align with current legal requirements. This includes adhering to data retention periods, ensuring data portability, and implementing measures to protect personal data as mandated by regulations like GDPR.

In the dynamic landscape of financial services, safeguarding electronic communications data is not merely a compliance requirement but a strategic necessity. Financial institutions must adopt a proactive approach to secure communications, protect sensitive information, and ensure regulatory compliance. This starts with comprehensive policies and can be supported by AI-powered classification tools. Institutions also need to invest in secure platforms, archive their data, and enforce stringent access controls to mitigate risks, enhance operational efficiency, and maintain the trust and confidence of their clients and stakeholders.

Learn more about how Veritas can help you with electronic communications compliance and protection on Veritas.com, or read the related blog below:

Read more from my blog titled, “Verdict In:  Voice Supervision Needed!”

Soniya Bopache
VP & GM of Data Compliance and Governance