The industry is playing catch up with the impact of working from home and must ensure e-comms risk is managed in a better way, says Rupal Patel at Acin.
Wall Street banks have been hit with more than USD 2 billion in fines for using unauthorised communications channels—a number that may still rise as regulators clamp down on unmonitored and unauthorised communications. The risk of bank employees using channels such as WhatsApp and other social media platforms has proliferated given the shift to hybrid working that accelerated during the Covid-19 pandemic.
But banks are failing to act fast enough. While 41% of firms highlight communications surveillance as a top investment priority over the next 12 months, only 15% currently monitor WhatsApp, according to SteelEye’s 2022 Compliance Health Check report.
Regulators started ramping up fines in December 2021, when a major Wall Street bank was slapped with a USD 200 million penalty for failing to keep records of communications made on personal devices—USD 125 million imposed by the Securities and Exchange Commission (SEC) and $75 million by the Commodity Futures Trading Commission (CFTC).
The SEC said the problem was widespread within the bank, even supervisors were communicating on unmonitored channels via text message, WhatsApp and personal email accounts. While the risk has become more acute, due to the pandemic and the shift to remote working, the SEC’s investigation stretched back to 2018—underscoring that the issue predates the pandemic and banks have still not caught up with their controls.
Over the course of 2022 these fines were replicated across the financial services industry.
How can banks step up surveillance and manage this risk?
Over the past year, regulatory alerts tracked by Acin on the theme of unauthorised communications jumped to 20 from four in 2021. Mapping these to risks and controls, it is clear that surveillance controls on their own are insufficient to mitigate the potential risk.
The increase in unauthorised communications from personal devices is often a behavioural issue. For example, employees could be deliberately circumventing controls to avoid detection of misconduct. It could also be down to inadequate training or poor control monitoring that could provide early warning signs of suspect employee behaviour. Ineffective business continuity planning may also push employees to use unauthorised communication channels if official channels are not working.
To that end, our risk intelligence team has identified 28 controls banks should have in place, grouped in four categories and mapped to eight key themes, as follows:
- Four categories of controls
- Training and supervision
- Employee monitoring
- Business continuity planning
- 28 controls mapped to eight themes
- Chatroom monitoring
- Trade surveillance
- Audio-communications surveillance
- Training and procedures
- Unauthorised trading
- Segregation of duties and access
- Business continuity management
While our anonymised network data shows that more than 50% of the identified controls within those categories are present, there are several missing controls under the surveillance and training and supervision themes that banks must adopt to prevent and monitor for unauthorised communications use.
On average across all four categories, 24% of preliminary controls are missing. Analysis of these suggests a third of them are missing and not operated or missing and not documented.
Furthermore, a fifth of these banks (18%) operate their e-comms controls on a less frequent basis than their peers, while just under a third (31%) don’t even report the frequency, making it very unclear how those banks are monitoring e-comms risk. The data suggests that control design standards also require improvement.
All of this comes against a backdrop of increased regulatory scrutiny as banks adapted to new ways of working post the Covid-19 pandemic. In July 2020, the Financial Markets Standards Board (FMSB) provided examples of controls to be implemented across key hybrid working risks, including controls around communication.
Then in October last year, the UK Financial Conduct Authority (FCA) said the risk of misconduct has been impacted by the shift to remote and hybrid working where employees are sometimes out of supervisors’ line of sight.
The industry is currently playing catch up with the impact of working from home and must ensure that the risk presented by e-comms is managed in a better way. Without addressing these issues we could enter a cycle of billions being lost to fines each year.
Four steps to immediately reduce e-comms risk
Currently, analysis highlights that improvements can be made to control standards and the design of controls to support future and ongoing regulatory enquiries and to demonstrate that firms have a structured and well designed risk control framework in place to manage the risk of unauthorised communications going forward.
We believe that implementing the following steps will ensure the industry has a robust set of controls and management systems to better manage e-comms risk.
1. Network Intelligence
Banks need to review their controls that monitor non-business applications such as WhatsApp and to ensure their risk control framework is well designed. Access to network data and intelligence can help banks benchmark themselves against their peers to identify any gaps in their risk controls and where they need to improve, thus ensuring a well-designed risk control framework is in place to manage the risk of unauthorised communications.
2. Ongoing Risk Management
The use of risk intelligence provides ongoing dynamic risk management capability by enabling tracking of regulatory and market news as well as ensuring controls are always up-to-date and properly mapped to the relevant risk. This ensures firms continuously stay on the front foot and are able to conduct dynamic Risk and control self-assessments (RCSAs) on an ongoing basis. In addition, risk scenarios on unauthorised communication using the bow tie concept allows firms to clearly see the threats that cause a risk event and the controls required to minimise the consequences.
3. Compliance culture
Banks must ensure they are not only recruiting the right individuals but that those individuals also understand the culture of the bank. In a world of hybrid working with employees based remotely, banks must ensure that a culture of compliance and risk management is maintained. That includes fostering a speak-up culture where employees are encouraged to flag poor behaviour.
4. Monitoring apps
The use of unauthorised communications can increase if employees are stressed, overworked and under pressure to close deals. For instance, to get a transaction over the line outside of work hours or when a client is out of the office, it might be easier to use a personal device. Therefore, personal devices should always have a monitoring app installed to provide a detective control.
5. Remote tech
As well as ensuring monitoring apps are installed on personal devices, banks need to ensure employees have access to operating systems such as recorded phone lines and other tech tools no matter where they are located, whenever they need them. Poor business continuity planning where authorised communications channels are unavailable can result in employees switching to unmonitored channels to get the job done, as can periods of market disruption where traders might be tempted to use unauthorised channels because they need to act fast.
Rupal Patel is Head of Risk Intelligence at Acin, which works with banks and asset managers to address operational risk issues through the use of data and technology. Acin is currently helping some of the largest investment banks convert reams of control documentation into quantitative, calibrated, actionable data, enabling confidential comparison of their operational risk controls with their peers, across both front and back office.