As I read the regulator tea leaves for 2015, here are some of the top issues that your financial services firm should be prepared to tackle in the New Year:
1) Enhance Your Cybersecurity Preparednes
“Cyber is the next crisis we need to be concerned about” said Kenneth E Bentsen, President and CEO of SIFMA, the trade association for the security industry, at a December event. In fact, the risks of cyber attacks are gaining the attention of the regulators, with both the Security and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) conducting audits for cybersecurity preparedness in 2014.
Firms that allow their employees to use social media are at special risk. Social media users consider themselves part of a tribe and inherently trust each other. That means that they can, and will, click on links that will introduce malware into your organization. Social media is also being used by cybercrimminals to launch targeted attacks on your social media users.
To underline the importance of this issue, SIFMA and FINRA are jointly offering a Cybersecurity Conference in February. If possible, make a point of attending. Due to the high profile nature of this issue, we expect that this focus will only intensify in 2015.
2) Prepare for Recordkeeping Scrutiny
Back 20 years ago, all you had to worry about was email when it came to recordkeeping of electronic communications. However, today, new forms of communications appearing nearly every day.
In addition to email, your firm may be using unified communications such as Microsoft Lync and IBM Sametime, collaboration tools like Chatter, IBM Connections, Sharepoint or Jive, or Instant Messsaging networks such as corporate Lync IM, Yahoo! Messenger or even specific community networks such as Bloomberg and Reuters. Add in the social networks of Facebook, LinkedIn and Twitter and today’s landscape is far more complex than in the past.
But at the end of the day, for financial services firms, all business records, regardless of communications channel, need to be captured, retained and made e-discoverable. “The content of the communication is determinative” (FINRA Regulatory Notice 10-06), not the channel.
New Dodd Frank requirements illustrate the challenge. Firms must be able to reconstruct the creation of a swap, across all forms of communications. This includes edits and deletions as well. However, a conversation about a swap may weave between the phone, email, instant messages, Bloomberg communications, enterprise social networks, discussion boards, chat rooms and social media.
More and more, firms will be required to produce business records of employees’ conversations as they “channel hop” across various platforms. Regulators will demand that these business records be delivered in both a timely fashion and in context.
3) Double Down On Written Supervisory Procedures
Regulators are acutely interested in how firms supervise their employees. In fact, FINRA’s new supervision rules went into effect in December. The new rules continue to require that investment banks and securities firms demonstrate their written supervisory procedures for reviewing incoming and outgoing written and electronic correspondence. What’s new is that firms must also monitor certain internal correspondence, “to properly identify those communications that are of a subject matter that require review under FINRA rules and federal securities laws”. Examples include communications between research and non-research personnel; communications with the public that require a principal's preapproval; and customer complaints.
Firms will therefore be challenged to “evidence” (or prove) that they are actively monitoring both internal and external communications across multiple channels that could include email, instant messages, Bloomberg communications, enterprise social networks, discussion boards, chat rooms and social media.
In a similar vein, in light of the recent LIBOR scandals, firms may want to develop procedures and deploy technology to proactively create “ethical walls” both within and outside a firm to block conversations that could result in a conflict of interest.
4) Scale Social Media Compliance Review And Training
As firms continue to rollout social media to their regulated users, they will be challenged to develop and manage compliance processes that scale. What might work for 100 users and one review officer, quickly becomes unsustainable for thousands of users. As the rules stand today, firms will need to either hire more compliance professionals or use technology to automate some supervision processes. This includes the pre-review of static profiles on sites such as LinkedIn, initial and ongoing review of third party content, and deployment of “trigger words” or “lexicons” to monitor (either in advance or after the fact) for the appropriateness of communications of financial advisors. Firms also will need to quickly train large numbers of users to increase adoption and effectiveness, while complying with various rules and regulations.
5) Use The Proper Disclosures
Firms are required to disclose investment risks in their communications with the public. Character limitations on social media make this particularly challenging. Current approaches range from using hyperlinks, to allowing investors to read “more or less” of a disclosure by clicking on a link, to using special icons to indicate that there are disclosures associated with a tweet.
Aside from revealing risks, there are other disclosures to consider. Some firms require that their Financial Advisors add a notice to their social media profile to alert the investing public that their LinkedIn InMail is being captured and retained according to the industry recordkeeping rules, much like email. Others place hyperlinks on their social media platforms to link back to corporate websites to display community guidelines for various social networks. Firms have struggled to interpret the rules as they apply to social media and have asked the regulators for guidance.
In response, the SEC has stated that companies can use a hyperlink for communications (not deemed a prospectus) when using a character-limited social media platform to satisfy compliance requirements. The SEC also further clarified that companies whose social communications are re-tweeted or forwarded, are not liable for those communications. FINRA also acknowledged the need for simplifying risk disclosures during the first phase of the Retrospective Rule Review of the Communications Rules.
Look for FINRA and the SEC to provide further clarification on disclosures in 2015, whether they be “layered” (such as hyperlinks or references to other sources of information) or some other option.
So that’s my reading of what to expect in the coming months …. What are your firm’s priorities for 2015?
