Corporate governance may not be the most exciting part of the day, but good corporate governance is exactly what is needed to ensure your firm is not making the headlines for the wrong reasons.
Highly regulated industries such as US broker-dealers, health providers and insurance firms all have long-standing regulatory requirements for the retention of corporate records and communications. For US broker-dealers, SEC rule 17a(4), which mandates this requirement, was originally established in 2003. The fact that this record-keeping obligation was established in the early 2000s does not make the job of compliance any easier. Arguably the challenge today is even harder, especially when considering (1) the sheer proliferation of electronic communication tools available, (2) the ability to use personal mobile devices for corporate communications and (3) most recently, the global pandemic, which has introduced both the full-time remote and the hybrid workplace scenarios. Each of these factors contributes in its own way to exacerbating the challenge of compliance.
Financial services firms have been under heightened scrutiny after several high-profile regulatory enforcement actions. The common thread was the use of unapproved channels, including WhatsApp, text messaging and personal email, for corporate communications. The SEC noted in one action that the bank “did have policies and procedures in place, that employees were advised that the use of unapproved electronic communications methods, including on their personal devices, was not permitted, and they should not use personal email, chats or text applications for business purposes”.
This highlights that even with good policies and procedures in place, compliance challenges evolve over time and depend on many variables, so governance needs to be proactively revisited and adjusted when necessary. The SEC went on to state “As a result of the findings in this investigation, the SEC has commenced additional investigations of record preservation practices at financial firms”. True to this statement, the SEC has been conducting industry “sweeps” to determine whether similar issues exist across the financial industry.
Given the proliferation and accessibility of electronic communication tools especially on personally owned mobile devices, and the challenges of being able to reinforce corporate culture on the remote and hybrid workforce, the critical question has become: how do governance models need to adapt? In synthesizing decades of industry best practices and guidance from the Department of Justice (DOJ), below are seven recommendations proven effective for strengthening corporate governance frameworks, which apply across industries:
Revisit policies and procedures – Long gone are the days in which policies can be written, posted on the policy portal, and assumed to be found and followed. Firms need to go back to those policies and scrutinize them with an eye on how the organization will prove that the policy has been well communicated, how the policy provides for governance, and, most importantly, how the organization will show it to be effective. This is one of the very first stops for any regulatory review.
Tone from the top – Management tone is never more apparent than when there is a need to deal with issues of non-compliance. The broader organization takes its cues from these events, and as part of a regulatory review, regulators will examine how previous infractions were managed. In one publicly available example, senior managers who violated policies were subject to termination.
Challenge the status quo – While formal governance committees have been established for some time, such a committee needs to challenge the status quo, for example by revisiting previous decisions such as the use of Bring Your Own Device (BYOD). One option here is to rotate the individual members who represent each functional area on the governance committee.
Regular attestation – Reminders and attestations to regulated personnel should be frequent, with some firms requiring them even weekly. This gives firms evidence that any deviation from the policy can be treated as intentional.
Business confidence and trust – Firms need to be innovative and act quickly to build trust with employees and accommodate the speed of business. Two ways to enable trust and confidence are (1) creating a risk-free amnesty program, akin to a whistleblower hotline, through which the business can disclose the use of unapproved tools, and (2) enabling an efficient and nimble process to evaluate new communication channels.
Bring Your Own Device (BYOD) – Without a firm’s ability to monitor personal communications on devices that allow both corporate and personal communications, the risk of maintaining a BYOD program has proven too high. Firms should look to roll back their BYOD programs and return to issuing locked-down corporate devices. All corporate-issued or sanctioned devices should only be able to communicate through channels routed via the corporate infrastructure.
Revisit the technical architecture – The technical retention architecture needs to become more flexible to accommodate a faster pace of adoption of new communication channels, including both voice and data communications; otherwise, as noted above, business confidence will be lost. Much of this relies on vendors, who will need to step up to the challenge and raise their level of innovation, especially in the use of cloud technologies.
It is clear that the requirements for regulated firms to retain business communications have been in place for a long time. Firms have put in place policies, procedures and technologies to ensure compliance. It is just as clear that we are entering a new age in which the governance over those same policies, procedures and technologies needs to be examined from a fresh perspective. Thoughtful changes to governance frameworks may be just the key to both keeping up with change and keeping your firm out of the press.