Updated: Nov 20, 2020
A healthy balance of identifying bad behavior, protecting individual privacy, and defending company interests is the responsibility of a good compliance team.
Staying compliant with applicable regulations, and assuming a defensive posture should a violation occur, is predicated on detecting misconduct before it escalates. This requires instituting the right protocols to meet your organization’s specific needs and obligations.
After all, no two compliance programs look the same. The size and client base of an organization, among many other factors, will play a role in determining what’s appropriate.
As you build your protocols and select the best technology to help, a good grasp of your organization’s risk appetite is essential. No less important is a healthy understanding of your ethical obligations.
Here are some considerations to help you develop a surveillance program that respects all of these critical priorities.
1. Have a well-documented scope for every data type.
Key to responsible surveillance is a deep understanding of your organization’s data. Developing this understanding begins with knowing what types and sources of data fall under the purview of your surveillance program.
When it comes to the diversity of data types, the scope of what’s out there is growing—and fast. To craft a fully formed surveillance policy, make sure you’re covering all your bases in this regard. As a starting point, these data types and sources could include:
Mobile devices. Cell phones tend to have more informal conversations, and may or may not be company issued. Based on these factors, not every firm chooses to record and review them. Whether or not doing so is right for your organization should be determined with careful consideration. Your rationales should be documented in your risk assessments.
Landline phones and dealer boards. These channels are for business use, so monitoring them is often common sense. However, in some cases—such as on the trading floor—employees are not permitted to use their personal devices. As a result, they may need to use work devices to make personal calls. Your surveillance team must minimize the review of these personal conversations (more on that in the next section).
Emails. Again, this is a prolific channel for business communication and certainly falls under monitoring requirements. However, when retrieving emails, a surveillance analyst must cautiously avoid committing privacy and HR violations by reviewing out-of-scope conversations.
Chat rooms. These require access rights, to minimise any information flow breaches. Relevant rooms can certainly prove important for your compliance monitoring strategy. However, private side projects may also be discussed in these digital areas.
SMS and instant messaging. These sources should be reviewed with confidentiality, especially if you know they are commonly used for more personal conversations. Unfortunately, they are also channels that can be abused.
While a wealth of potentially in-scope communications can be derived from these sources, It’s important to note that any and all of them may also produce personal conversations.
For every data type, a clear line must be drawn in the sand with regards to personal content.
2. Enable periodic check-ins on restrictions and training for surveillance officers.
Determining access rights and permissions for surveillance analysts just once isn’t good enough. It is crucial that this type of access is audited, and rationale provided, on a regular basis. The responsibility is on the compliance teams to decide the scope that they are comfortable with maintaining, and ensuring that regulatory requirements are met.
The risk appetite also comes into play here, so a risk assessment would aid this process of scoping out the controls and employees selected for review. As you go about this process, remember to develop—and evaluate execution on—guidelines around the following subjects.
Levels of access granted to surveillance officers must be documented and justified, restricting access to relevant communications and in-scope sources with minimal risk of unnecessary exposure. This should be updated quarterly to reflect movement of employees within and outside of the company, ensuring you discontinue monitoring an employee who has moved to an out-of-scope team.
Surveillance officers must be properly trained prior to being granted access to communications. This is how compliance managers ensure their officers know the purpose of surveillance, red flags to look for, and the rationale behind organizational protocols.
Crucial to successful onboarding—and a defensible compliance program—is documentation.
In support of this training, your documentation should cover the scope your organization has set out and the limits in place. With good training and helpful reference materials, officers are empowered to recognize what types of communication should not be reviewed.
For example, personal communications and information must be handled confidentially. Educate your compliance officers in regards to GDPR and similar regulatory obligations.
Highlight particular flags indicating a need to stop reviewing data, such as when a subject’s wife appears on a recorded call and the discussion turns toward their children.
It should also be made clear that surveillance officers have access to private information about stocks and other sensitive data, which can be used to benefit their personal trading accounts. Your compliance team should be properly trained on how to handle this information.
These protocols and training opportunities shouldn’t only be shared with new officers. Revisit them frequently across your team, both to make updates as needed and to ensure established team members are still familiar with them.
A strong audit process helps compliance supervisors spot and stop rogue officers, and monitor leakage of information. But it can also aid in making sure they’re viewing everything they should to guide informed decisions during a compliance review.
As an example, when an officer is reviewing an email, you should have tracking in place to ensure they are reviewing attachments as well as the message itself. This is helpful because bad actors may try to hide misconduct or market abuse in attachments rather than the body of an email.
Everything from reviewing a communication to downloading an attachment should be audited, to protect employee information and ensure thorough, appropriate, and efficient surveillance.
Robust audits also allow supervisors to monitor for abuse of access to communications.
3. Ensure monitored individuals are well informed of your policies and their duties.
The default level of understanding among monitored individuals (MIs) will vary by industry. In banking institutions, it may be considered a given that communications will be reviewed for employees in scope. Many employees in this space will be notified that their communication channels are in scope of compliance review during onboarding. Still, in some cases, the nuances of these policies may not be apparent—such as when or whether mobile phones are also in scope.
Informing an individual that they are in scope solidifies the reality that they are accountable for their actions in their role. It also instills a healthy awareness of the implications of breaching regulations they are obligated to follow, and provides a good reminder that personal matters should be kept separate from work.
Specific details to share with MIs may also include retention periods and their obligations to disclose personal account trading—especially if they’re communicating on work platforms and have access to inside intelligence.
Sonia Chowdhury is a compliance subject matter expert at Relativity, where she supports development of Trace—a communication surveillance tool that detects insider trading, collusion, and other non-compliant behavior in real-time.