Author: Brian Lynch
05 May 2022
With the global shift to remote and hybrid working, there has been an upsurge in the usage of digital communications channels. Businesses are seeing staff and clients alike conducting corporate communications over eComms channels like WhatsApp, iMessage, Signal, WeChat, and Telegram, which has made information archiving, and meeting communications record retention rules for compliance purposes, more challenging.
In this blog, we explore how firms are contending with the changing corporate communications landscape, how record retention rules and requirements can continue to be met, and what effective and secure information archiving can look like.
Before going into how record retention and information archiving rules can be met, let us look at what the rules say.
Across North America, firms are required to adhere to rules set out by the SEC, FINRA, and IIROC. In the US, regulators still leverage long-standing regulations like the Securities Exchange Act of 1934 when it comes to record keeping and retention. While the rules have undergone changes to account for electronic channels, the requirements around what needs to be stored, and how, still stand.
Under SEC rules (for example, 17a (3 & 4) and 204-2), registered entities are required to store and preserve electronic communications in an easily accessible manner. Similarly, FINRA record retention requirements under rule 4511 state that “all books and records required to be made pursuant to the FINRA rules shall be preserved in a format and domain that complies with SEC Rule 17a-4.”
In Canada, IIROC Rule 3804 states that “Dealer Members (Dealers) must retain copies of all records in a safe location, in a durable and accessible form…”
In the EU and UK, MiFID II requires records to be stored in a “durable medium” that allows them to be replayed or copied, and to be retained in a format that does not allow the original record to be altered or deleted. In addition, records must be stored in a searchable medium to ensure that they are accessible and readily available for auditing by the relevant national competent authority (NCA) upon request.
The Market Abuse Regulation (MAR) in the EU and UK also requires firms to capture, archive, and monitor communications (among other data) and report any suspicious activity to an NCA.
Recent cases where top-tier banks have faced regulatory inquiries as a result of the use of non-authorized corporate communication channels indicate that there is a growing risk for firms that do not maintain effective processes and policies for eComms information archiving and record retention.
These cases also show that the popularity of these channels is only growing in the corporate world. In fact, since the COVID-19 pandemic, 56% of business leaders have expressed that their businesses have seen increased use of alternative communications technology.
Having a consistent approach for responding to changing employee and client needs when it comes to eComms is a “strategic imperative” that cannot be overlooked.
As US market regulators continue to clamp down on firms that are not adhering to existing regulations surrounding the use of digital communication channels, as seen with cases like JPMorgan, other regulators will likely follow suit.
Consequently, firms are increasingly exploring ways to deal with emerging eComms channels, either through policy amendments, technological solutions, or a combination of both. In fact, organizations like Deutsche Bank, in anticipation of regulatory changes, are starting to tighten their grip on the use of these channels internally “amid a crackdown from US regulators on banks who fail to store business-related communication”.
To meet communications record retention rules and ensure compliance, firms need to draw up policies that either permit [with conditions] or prohibit the usage of specific communications channels.
Historically, platforms like iMessage, Signal, Telegram or WhatsApp have been “non-authorized channels”, and for many, this continues to be the case. The reason for this tends to be that by prohibiting these channels, firms do not have to worry about the cost or complexity of integrating or monitoring the communications. However, in a world where the means of communicating between employees, partners, and clients has evolved, this outright prohibition does not prevent risk: we have repeatedly seen traders use the prohibited channels anyway, and the severity of fines and potential damage is increasing.
Although firms are often more inclined to go with a policy to prohibit the use of prominent eComms channels, relying on policy alone to ensure compliance presents a host of challenges. Also, clients often prefer to use these channels for business, putting staff in a difficult position between complying with company policy and appeasing clients to maintain fruitful relationships.
The other alternative is to combine policy with technology and capture popular eComms channels where possible. However, this comes with its own set of considerations to bear in mind.
There are a number of ways that firms can capture business communications on platforms like WhatsApp, Telegram, Signal and iMessage and thereafter archive them on a platform like SteelEye for record retention compliance.
At a foundational level, the first consideration when a decision has been made to onboard a new eComms source is whether the data is being captured from a corporate or personal device. This is important as there are privacy considerations for firms that use a BYOD (bring your own device) policy.
Some channels are easier to capture than others. WhatsApp and Telegram, for example, already support the use of their platforms for business purposes through a dedicated app (WhatsApp Business) or API (Telegram). This makes balancing the need to capture data from these channels and respecting employee privacy easier, whereas other channels do not enable the user to switch between personal and business communications, as is the case with Signal and iMessage information archiving.
Using a “WhatsApp for business” app, which sits separate from a private WhatsApp app, can ensure that private conversations remain private where a BYOD policy is in place. Leveraging the Telegram for business API can achieve similar results.
However, privacy does become a concern on channels like iMessage and Signal since data can only be captured in its entirety through the phone number linked to the device. This means that if an employee is using iMessage to conduct business communications with clients on a BYOD phone, all the personal communications would also be captured.
In these instances, it is advisable that firms outline in their policy that, should staff decide to use these channels on personal devices for business purposes (under a BYOD policy), they then consent to the communications being captured and stored in the firm’s eComms storage facility. Although this allows firms to address iMessage information archiving challenges, it is important to make staff aware that all their iMessage communications - private and corporate - will be captured.
However, a more mutually beneficial solution might be to revert to providing dedicated business devices. This ensures that employees can keep corporate and private communications separate but still achieve effective capture and information archiving over the dedicated device’s data.
This way, communications on iMessage, Telegram, Signal, WhatsApp and any future eComms platforms can be captured through the means available, whether it is a number archiver or business app/API. While this option is better for individual privacy, it is a more cost- and admin-intensive route. But, with the support of an effective archiving software solution, the risks associated with firms using the eComms channels can be mitigated.
While this approach would still require policy, it enables customers to communicate through their desired channels without compromising on your record keeping obligations, which could be a good solution for customers and staff alike.
Of course, it is worth noting that capturing the data is the first step towards compliant record retention and secure information archiving. Once the data has been captured, it needs to be stored for a specific period in accordance with specific regulations (typically 5-7 years), often in a WORM (write once, read many) compliant format. Additionally, data needs to be easily retrievable so that if requested by the regulator, it can be reproduced and reported within 72 hours.
Once you’ve addressed how alternative communications channels can be used in your firm, it’s worth leveraging a holistic record keeping solution that provides a secure and search-ready archive that stores your data in a compliant format, with the ability to quickly access records if needed. This type of comprehensive record keeping not only ensures your compliance with the necessary record retention rules but allows you to use your data for analytics that can inform important business decisions.
As the ways we communicate with each other continue to evolve, organizations need to account for these changes to ensure staff, client and regulatory needs are all being met as efficiently as possible. While this is no easy task, the widespread adoption of channels like WeChat, WhatsApp, and iMessage for business, and the subsequent investigations by regulators, indicate that compliance processes need to be tightened.
With the support of digital solutions that enable secure information archiving, firms can get on top of this trend, make the right call when it comes to device and channel usage policies, and ensure that records are effectively captured and stored without compromising on employee privacy or compliance.
SteelEye provides a sophisticated RegTech platform that brings data together from multiple eComms, vComms and trade and order sources for record keeping and archiving.
Our record keeping platform enables firms to capture their data and compliantly store it in line with regulatory obligations under FINRA, SEC, IIROC, MAR and MiFID II.
With SteelEye, you can keep all your communications and trading data in one central place, giving you a holistic view of, and instant access to, all your data. This makes responding to regulatory requests, establishing full audit trails, and achieving complete oversight easy.
If you’d like to find out more about how SteelEye can help your firm effectively archive communications records and meet record retention rules and requirements, contact our expert team now.