Data silos and legacy compliance monitoring systems – barriers to effective surveillance and comms compliance
Managing Director, Kerv Collaborate
Published 31/03/22
Compliance Monitoring Systems – The Need for an Effective, Holistic Surveillance Solution
In a perfect world, compliance monitoring systems would be redundant. Financial regulators would exist solely to define the policies and procedures needed to protect consumers, with compliance departments acting in a purely advisory role to help firms apply these principles according to their own unique requirements and structure.
In this utopia, the process of enforcing these policies would simply be a matter of lending a guiding hand when required. All members of staff, from the most junior clerk to the CEO, would take it upon themselves to adopt and adhere to these principles, working together for the best interests of their clients.
As a result, compliance monitoring systems, and the surveillance, detection and investigation of misconduct, abuse, crime, or even just the occasional honest slip-up, would barely be required, if at all. And pigs might fly.
While working towards this ideal culture is undoubtedly commendable, the reality is that the roles played by regulators and compliance, risk, governance, monitoring, surveillance and audit teams are becoming increasingly complex and ever more vital.
Even with the best of intentions, humans make mistakes. People have their own agendas and, with the opportunities and pressures inherent in an industry that focuses specifically on managing the flow of vast sums of wealth, some may be tempted to bend or even break the rules.
Or coerce others to do so on their behalf. Fear and greed can both play a part. Some organisations are ineffectively structured and/or badly managed. Some people just act irresponsibly now and then. Digitalisation and globalisation present further challenges. The alarming pace of technological change provides many opportunities for both good…and not so good.
The explosion in the ways that people can now communicate and do business with each other means that strict regulation and enforcement are now more crucial than ever.
With the risk landscape growing more and more complex and new, increasingly granular regulations being continually introduced in an attempt to keep up, compliance departments must also become more sophisticated in the way they conduct eComms surveillance to monitor and control these risks.
The Expanding Scope of Regulatory Requirements for Voice, E-Communications and Trade Surveillance Tools
With the adoption of new forms of multimedia communication over the years, regulators have had to expand the scope of existing legislation, and introduce new directives, to attempt to mitigate this risk, particularly in the wake of the 2007/8 financial crisis.
The UK Financial Services Authority’s COBS 11.8 directive in 2009, outlining the parameters of a new regime for the recording of voice and electronic communications, included several important exemptions. Most notably, all conversations and communications (except email) over mobile devices were excluded from the recording requirement.
Discretionary Investment Managers were also able to claim exemption for any communications that could reasonably be expected to be recorded on the other end, i.e. by the entities which were carrying out the execution of transactions.
With the increase in mobile usage and the growth in mobile call recording solutions, the mobile phone exemption was eventually removed in November 2011.
The subsequent introduction of MAR and MiFID II across Europe, and Dodd-Frank in the USA, has significantly widened the scope of monitoring, surveillance, recording and reporting requirements and provided a far more detailed breakdown of firms’ obligations and the compliance monitoring systems they are expected to have in place in order to meet legal requirements.
Certainly in the UK, and no doubt elsewhere, it has become clear that there is a significant disconnect between what many firms have considered to be “reasonable steps” and the expectations of the regulators.
As a result, the extension of the Senior Managers & Certification Regime (SM&CR) in December 2019, to include all FCA-regulated bodies, has caused some considerable concern among many firms.
Industry polls taken in June-July 2019 suggest that an overwhelming majority of firms (84.3%) conduct little or no Voice and eCommunications surveillance, many (62%) have “a lot more” or “everything” still to do to implement SM&CR and most (84%) feel that “internal set-up and culture” are a key challenge.
Considering the level of personal accountability being introduced with the regime, it is no surprise then that firms’ trade surveillance technology and communications compliance monitoring tools are now coming under intense scrutiny.
To put it bluntly, when it’s your own head on the block, you want to make sure it doesn’t get chopped.
The Limitations, Costs and Inherent Risks of Data Silos
The underlying issue for many firms originates from the piecemeal way in which new forms of communications media have emerged over time, and the phased expansion in regulatory requirements associated with monitoring, capturing, storing and analysing communications.
Years of having to adopt different systems for new forms of communications data have led to most organisations (both large and small) eventually finding themselves with a fragmented array of disparate vendor, technology and data silos for the surveillance, capture, storage and analysis of various media types.
For example, on one end of the scale, a small, single-site fund manager might have one system to record landline calls, another to capture mobile calls and SMS, another to capture video calls, and a number of others to capture various forms of instant messaging, with some or all of these media types then being stored in separate repositories.
A global investment bank, on the other hand, might have accumulated dozens of recorders over the years, from multiple vendors, spread across numerous countries, just for capturing fixed line calls. These recordings may also be stored locally within each jurisdiction, creating further silos of data.
The dispersal of companies’ communications data across so many disjointed legacy platforms, and the absence of a single, unified view of the data across each of these silos, is the root of many of the problems that businesses face.
Having to work with such a wide range of different systems means firms are not only incurring significant costs (hardware, maintenance, licensing etc.) but are severely limited in their ability to extract any useful information from their data, and are subsequently exposed to very real operational and regulatory risks.
Real-time communications surveillance becomes practically impossible. Any proactive monitoring must be done manually, which is both resource-intensive and ineffective, and leaves firms unable to deal effectively with the volume of false positives often generated by their market surveillance systems. The ability to reconstruct cases in a timely manner, necessary for Dodd-Frank and MiFID II compliance, is also severely impaired.
If required by regulators to reconstruct a trade within a certain timeframe, many firms would simply be unable to do so. At least, not without spending an arm and a leg on external consultancy fees.
Historically, many might have preferred to just pay the fine – possibly a less attractive option under SM&CR.
The Search for a Holistic Surveillance Solution and The Budgetary Tug-of-War
To address this, most organisations have now recognised the need for a more holistic surveillance solution.
Some of those with deeper pockets are already working with various regulatory compliance software companies to pull together their many systems to form a coherent whole. In general, this has involved deploying a layer of middleware to sit over the top of their myriad legacy systems and provide a central hub.
However, although this does give a more complete view of their data to those firms who can afford it, it is still adding yet another layer of technology and cost, to essentially form a “patchwork of data silos”, as opposed to addressing the root issue itself and breaking down data silos altogether.
In addition, depending on the solution(s) used, firms may still struggle to meet regulatory case reconstruction requirements and deadlines, especially if, for example, source data is stored in other countries or is spread across multiple jurisdictions.
For many firms though, budgets and resources are an issue, and taking an expensive and inefficient silo-based approach to compliance monitoring and surveillance is simply not an option.
Even in larger organisations, there is often a tug-of-war between IT and Compliance departments as to whose budget should be used…with the Finance department stuck in the middle.
Using holistic compliance monitoring software for effective market abuse surveillance, however, is now a vital requirement for all firms, and affects all departments.
A solution is required that removes cost as an obstacle. A solution which, by eliminating data silos and replacing them instead with a single, unified platform for monitoring, capturing, normalising, storing and instantly recalling all forms of voice and electronic communications and market data, allows firms to reduce costs rather than add to them.
Such a solution would have far-reaching benefits, solving critical problems faced not only by Chief Compliance and Risk Officers, but also by Heads of Technology, Operations and Finance – as well as, ultimately, Chief Executives.
And of course, most importantly, resulting in a better, safer service for end customers. Which is the whole point…right?
The Holy Grail of Compliance Monitoring Software – “What If…?”
Technology and cultural change will always be around, forcing organisations to adapt. Mankind, by our very nature, will always ask “what if?” – forever pushing the boundaries of possibility, until the “impossible” eventually becomes the norm.
The challenges facing regulated firms will continue to evolve constantly. What may appear almost insurmountable now will eventually become commonplace.
For now, financial institutions need to undergo a significant shift, moving away from the use of layers of legacy compliance monitoring systems and controls to a single, unified, holistic surveillance solution that allows them to meet the challenges of today and the road ahead.
The question is…what if? What if this solution already exists?