MiFID II: Supervising Social
London, June 2016
In general, communications data has flown under the compliance radar for the commodities sector, but the arrival of MiFID II is about to change the status quo.
In accordance with the regulations, firms must establish policies and procedures to ensure that managers, employees, agents, and outsourced companies comply with the directive. Organisations must demonstrate effective supervision and control over policies and procedures relating to the firm’s communications. The focus is no longer only on email, but on social media and other collaboration tools too.
For some firms this may seem like a daunting task, especially when considering the myriad of communications tools already in use from social media to instant messaging and email to enterprise communications tools such as Microsoft Skype for Business (formerly Lync).
With new communications channels constantly emerging, how is it possible for organisations to meet the mandates of new regulations in a way that protects the business from being out of compliance and delivers value?
As with many compliance issues, a pragmatic approach is often the simplest. Identify the need, consider the policies and procedures already covered, and mitigate the remaining risk by implementing new procedures and/or technology.
Clarify Channels
In order to establish policies, it is important to conduct an audit to discover who wants to use social media and other collaboration tools, and why. From this information it is possible to define the channels that can be used and by whom.
It is very common that employees within a firm are regulated differently depending on their job function and activity within the business. This also affects how policies are applied, so it is important to bring in key stakeholders such as business, sales, marketing, investor relations, compliance, risk, HR, data, security, privacy, and IT. Working together will ensure that no part of the business will be overlooked.
There is another reason for clarifying channels early on. MiFID II clearly states that “all reasonable steps must be made” to capture phone and electronic records - not just email. But whether it is VoIP, Skype, LinkedIn or other collaboration tools, each has its own idiosyncrasies when it comes to archiving. Deciding now which channels are approved, based on the need in the workplace and the challenges in preservation, will save time wasted in reactive measures at a later date.
Define the Need
What motivates the need to use certain communication tools? Understanding the business reasons and defining the need now will help build the right compliance and risk infrastructure.
Discover the intent behind the need to use the various communications tools. Is it traders using instant messaging for faster communications or deepening relationships, or marketing creating social media campaigns to build brand awareness and drive revenues through lead generation?
Understanding the business goals and how communications tools enable employees to achieve them will help to establish the risks and guide the compliance infrastructure required. Think of compliance as a stakeholder in the mix, not the driving force behind implementation.
Reuse Resources
Armed with the information about what people want to achieve, it is then possible to define the infrastructure needed to supervise social media activities, making it easier to identify the resources that can be reused. Consider what processes, policies, and supervisory systems are already in place that can be reapplied for MiFID II.
Can marketing review and supervision systems that are in place today be leveraged to use with social media communications too? Or should an outside vendor be brought in to create something new? By examining existing processes and policies and comparing them to technology already in use, it is easier to work out where the potential gaps are in meeting MiFID II compliance.
Increase Intelligence
While firms must demonstrate effective oversight and control over policies and procedures relating to communications, reinforcing supervisory and surveillance capabilities is not only about compliance; it can also expose erroneous employees faster.
With the emergence of new enterprise communications and collaboration technologies, companies are faced with an increased risk of confidential information leakage, sensitive information theft, and a higher liability from inappropriate content. Even if the intent is not malicious, it can still be devastating for an organisation.
Supervisory and surveillance capability has emerged as one of the critical needs for businesses to reduce this risk, as well as address regulatory requirements for those in specific financial markets. Using technology that delivers sophisticated supervisory and surveillance workflows can help to pre-emptively recognise and stop any erroneous activity before it becomes an issue for the organisation.
Understand Conversations in Context
Being able to reconstruct past events accurately is crucial to attorneys, litigation support staff, and auditors, but the complex way in which employees and customers communicate can make this difficult.
A typical conversation today might use any number of communications channels. A customer complaint on Twitter might continue over email. Defining the terms of a trade can be faster on chat than using the original email initialising the deal. Just to add to the complexity, they might not be discussing one trade, but potentially several.
There are all kinds of legitimate reasons for switching to the most appropriate channel during a conversation. And a few dubious ones too. In order to supervise effectively, firms need to be able to follow them easily.
Knowing who joined a conversation when and over what channel can be a nightmare to reconstruct six days after the fact, let alone six months. An archive that is going to save the business time and money in litigation, as well as highlight any rogue trades, needs to deliver conversations in context as they switch between different channels and users.
Archive in Real-Time
MiFID II demands that electronic communications such as email, instant messaging, collaboration tools, and social media relating to the reception, transmission, and execution of client orders are accurately captured. It might be tempting to simplify the issue by archiving data once or twice a day, as many businesses have been handling email for years.
The problem is that a single snapshot of communications data does not reveal the whole story. Like a picture taken with a 1970s Polaroid camera, it shows that everyone is happy at that particular moment. It does not tell the true story that two minutes before, the kids were arguing as to who was responsible for Barbie sporting a brand new moustache. All that is wiped away by the toothy smiles in the captured image.
The same can be true of archives not built for real-time. They do not reveal that the trader bending the rules slightly makes sure all his electronic communications relating to it are deleted before the system runs the archive. Or, that someone out to make mischief edits their Facebook post after an employee has just replied “Great idea!” to make it look as if they are giving bad or misleading advice.
And then there is the danger that someone else does remember what was said in a conversation and has the real-time archive to prove it.
Education
Once social media programs are defined and ready to be deployed, arm employees with an understanding of what is considered good practice. Training regulated end users is essential to help them avoid being out of compliance by enabling them to make good decisions.
Make sure to include not only the firm’s social media policy but also guidance on the separation between business and personal use. Educating users about the potential dangers and liabilities that their actions may cause can significantly increase protection against non-compliance.
Be Prepared
It doesn’t have to be a major scandal to send a firm out of compliance; someone having a bad day at work can do it just as easily. Creating a plan in case of a crisis is good practice. Think through the variety of scenarios and create a plan that will ensure a fast reaction.
Do you respond through the firm’s PR arm or use the social media programs that are on those channels? Who is the first responder? Who then evaluates the right approach or the right response? Is no response the right response?
Remember it is not just non-compliance that is at risk, but also the damage to individual, company, and industry reputation that can occur when organisations and individuals do not properly manage enterprise communications.
Stay Ahead of the Curve
Ultimately, proper record keeping is critical to maintaining communications compliance, avoiding fines and sanctions, as well as protecting a firm from litigation or worse. A modern context-aware archive that makes it easy to retrieve business communications, whether for compliance audits or eDiscovery purposes, will save time and money, in addition to highlighting irregularities early on.
While there will always be new communications channels gaining traction in the enterprise, a regulated firm should always ensure that they have done everything in their power to manage compliance.
By following best practices, businesses can enable new modes of communication in a way that meets potential regulatory requirements in the future, not just MiFID II, and improve collaboration and engagement with partners and customers.
Brian Perfect is VP EMEA with Actiance, a leader in communications compliance, archiving, and analytics.
www.actiance.com