Legal, finance and HR departments have long-standing, well-defined roles within organizations. But until recently, compliance has held a more ambiguous role. Some view its function as merely doing the minimum to avoid regulatory fines, while others see it as preparing filings. But over the past five years, we’ve seen compliance take the lead and assume critical roles in today’s corporation. Now it proactively monitors communications and the design of systems to discover behaviors that may, over time, spotlight regulatory or legal matters.
Every corporation creates incentives or targets which, if not checked, will unleash widespread, damaging behaviors. This occurred with the unauthorized account opening scandal of 2016 and offenses centered on anti-money laundering (AML) in Europe. Compliance’s new role is to find these excesses and develop controls that keep banks out of bad media headlines.
In financial services organizations, compliance tools now monitor corporate activities. These may involve the process of know your customer (KYC), AML reviews or trading desk/broker communications. And these systems play a crucial role since the legal department lacks real-time tools to flag inappropriate activities. Typically, legal analyzes evidence after a regulatory action or litigation identifies a corporate issue.
Meanwhile, adherence to SEC Rule 17a-4 and other record-keeping regulatory requirements in financial services has created a noted sense of urgency amongst banks to promote a proactive culture of compliance.
Thus comes the convergence of compliance and legal departments, complementing each other as they focus on their respective, specific roles.
Incentives gone wrong: a scenario
Setting corporate goals can distort internal behaviors. Legal’s role is to recognize any institutional risk and relate that to compliance, which implements systems to ensure the behaviors and processes aren’t corrupted to accomplish that target. When Wells Fargo measured success by its number of account openings, it became clear this incentive would lead to unauthorized behavior. The intense competition between European banks to win East Asian private deals incentivized legal and technical workarounds of KYC/AML and other regulatory requirements.
Compliance tech comes of age
Recognizing today’s pace of innovation and proliferation of platforms to conduct business, compliance departments can set the pace by continually adapting supervisory systems and security processes. These will complement eDiscovery programs and improve their efficiency. Short for “electronic discovery,” eDiscovery refers to the process of discovery in civil litigation, only carried out in electronic formats.
The notion that compliance must limit itself to the timely capture and monitoring of all corporate communications—while eDiscovery exclusively conducts detailed legal analysis of large data sets—only upholds the status quo. Compliance departments lead when they recognize their unique position as corporate information stewards—and proactively coordinate with legal teams. Companies positioned this way leave unprepared competitors behind.
Polishing data loss prevention policies
Many financial services organizations archive messaging and collaboration content, yet these systems are all post-send/receive; they fail to capture content before it moves within or outside the organization.
To protect intellectual property, software compliance or personal health information (PHI), companies should implement systems that flag and prevent vulnerable content from leaving the organization. Finding out after the fact is too late. To address this aspect of compliance, the institution’s messaging team must identify and incorporate data loss prevention (DLP) policies. Sophisticated systems will incorporate pattern matching, document names and lists of key words. These may then flag outgoing messages and alert compliance, which can review and approve the message or block it and alert the sending party. These typical DLP options in a messaging system call for a compliance alert:
- Whenever a password-protected attachment is sent. Stop the email from departing the organization and alert the user of the company’s policy against issuing outgoing password-protected attachments.
- Whenever a credit card number is included in an email. In this case, compliance teams can review before sending.
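The two policies above can be sketched as a pre-send check. This is an added example, not code from the article or from any DLP product; the function names and action labels are assumptions, only ZIP attachments are inspected, and the sample ZIP is constructed in the code.

```python
import io
import re
import zipfile

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text):
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def zip_is_password_protected(data):
    """True if any ZIP member has the encryption bit (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP; other formats need their own checks

def evaluate_outgoing(body, attachments):
    """attachments: {filename: bytes}. Returns (action, reasons)."""
    reasons = []
    for name, data in attachments.items():
        if zip_is_password_protected(data):
            reasons.append(f"password-protected attachment: {name}")
    if reasons:
        return "BLOCK_AND_NOTIFY_SENDER", reasons  # hypothetical action label
    cards = find_card_numbers(body)
    if cards:
        # Report only the last four digits so the alert does not repeat the number.
        reasons = [f"card number ending {c[-4:]}" for c in cards]
        return "HOLD_FOR_COMPLIANCE_REVIEW", reasons  # hypothetical action label
    return "DELIVER", reasons

def sample_encrypted_zip():
    """Constructed sample: a ZIP whose central-directory entry has bit 0 set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("deal_terms.txt", "constructed sample")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x1  # general-purpose flag, low byte
    return bytes(raw)
```

The Luhn check matters in practice: a bare 16-digit pattern would also flag account references and order numbers, flooding the compliance review queue.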
Knowledge-based financial institutions
The transition of a corporation’s knowledge is today mostly electronic: in Word, Excel, email or collaborations. Many products can analyze terabytes of content and discover aberrant data within large datasets. All are moving towards near real-time platforms that provide tools to find and review emerging signs of inappropriate behaviors. Examples include emails that misrepresent a financial product or a client upset over a transaction.
Meanwhile, there now exists a closer partnership between compliance and legal to establish policies that proactively review corporate behavior—which will eventually mean smarter, knowledge-based financial institutions. Compliance may also monitor communications that ask for features in a financial product, whether the bank trades foreign exchange, or that ask about bank employees in a relationship with a targeted investment or commercial banking prospect.
Putting it all together: A call to proactive action
We believe the next ten years will prove exciting and transformative for compliance departments. They will no longer languish in the backwater of regulatory filings or mechanical reviews of employee emails. Compliance will rise up as the custodian of analytical tools that will empower legal to spot bad behavior, or the executive suite to better understand their business.
Compliance will also protect intellectual property assets and secure confidential data, employee PHI and corporate financial records. To that end, it’s vital to regularly work with clients to implement tools that discover whether software code, or confidential information on pending transactions, is being sent from the firm. Each issue requires its own sampling processes and flagging lexicons.
All told, compliance will become a proactive force within the financial institution. And it must become familiar with the analytic technologies and organizational platforms that transact business. It all revolves around the long-term mission to protect valuable IP assets and understand how corporate business is conducted. In this way—and with a power unprecedented in financial services history—compliance will come of age.
Douglas Weeden is director, compliance and e-discovery, for 17a-4, llc.