US Regulators fired a $555m shot across Wall Street’s bow last week by holding them accountable for their employees’ pervasive use of unauthorized communication methods, like private texts and in some cases WhatsApp.
This is the second batch of ‘market moving’ fines in the US within a year, yet no other country has followed suit. Why? And what does this mean for your investment firm’s global surveillance infrastructure?
We believe the 2024 RegTech surveillance agenda holds great promise as infrastructures become safer with coverage of new communication channels and opensource tools that not only avoid fines but cut billions from the bottom line.
By investing in the right technology and data practices, investment firms can ensure that they are well-positioned to navigate the regulatory surveillance warfare and deliver value to stakeholders.
More US fines
The US Securities and Exchange Commission (SEC) found significant unauthorized communication practices involving those at a senior level. The largest fine, of US$125 million, was applied to Wells Fargo companies.
Additionally the SEC fined BNP Paribas and SG Americas Securities $35 million each, and BMO Capital Markets Corporation and Mizuho Securities USA LLC have each agreed to penalties of $25 million.
The Commodity Futures Trading Commission (CFTC) also reached $75 million settlements with Wells Fargo, BNP and Société Générale for related conduct. Bank of Montreal and Wedbush Securities were fined a total of $41 million. Inappropriate electronic communications use was cited as a ‘red flag’ for culture.
The combined total of $2.5 billion in penalties since December 2021 is meant by the US regulators to send a zero-tolerance message to those who seek to evade regulatory oversight.
Global surveillance policy battle lines
The communications management challenge is somewhat like balancing a three-legged stool: generation of alpha in the market, controlling conduct risk, and providing for employees’ wellbeing.
The critical question for senior management is, does a firm:
- Need to monitor everything to do with its platform; or
- Balance the risk of missing something with the privacy benefits of NOT knowing everything.
As JWG and Shoosmiths have discussed for some time, the industry struggles to define what ‘good communications surveillance looks like’.
The US is definitely in the former camp and the EU in the latter, with the UK yet to declare.
Camp 1: ‘Know it all’
Supervisors in Camp 1 are effectively asking management to ‘know it all’ – they need to monitor everything, including electronic communications.
They believe the firm is open to abuse by employees and senior management has both the right and obligation to control it.
The employee ‘signs the paper and takes his/her chances’. Firms add all relevant communication platforms to their surveillance. Bad actors caught. Examples made. People go back to passing physical notes. Job done.
The devil is in the detail, however, and the lines are blurry. Let’s say my firm lets you bring your own device (BYOD) and you have 40GB of messages on it. 90% of those will be personal, but these fines suggest that the firm is expected to find the 10% that are not personal and ensure they are kosher.
Of course, firms could stop spending money on surveillance and issue staff ‘work phones’ on which personal stuff is fair game. It seems logical that if the firm policy is “don’t use the auto-delete function on Signal” and I use auto-delete, then I should be in trouble, in the same way that if the policy is “don’t use your personal mobile for work stuff” and I do and get caught, I should be in trouble. That should be the extent of a firm’s obligations. Spot checks, maybe?
Unfortunately, the employer cannot unsee what personal information it sees in looking for the juicy stuff and (honestly) doesn’t want to see it in the first place.
Once they do see a digital life revealing behavioural ‘red flags’, are they obligated to take action?
Camp 2: Risk based approach
Supervisors in Camp 2, like the EU and possibly the UK, are effectively asking management to ‘be reasonable’ – they need to monitor with a view to employee welfare.
They believe there is a right to privacy at work and the Information Commissioner issues detailed guidance on what that means.
The FCA recently boasted in its annual report of its new Market Surveillance system which is now live and in full production mode this October. However, they are reticent to discuss what good systems look like.
Market Watch 69 (05/22) identified failings including poor risk frameworks, policy and procedural gaps, and organisational structures which fail to consider the full scope of market conduct. In 2020, the FCA made heavy weather of staff working from home, which it said changed the paradigm completely so far as inside information (the FCA was careful to single out inside information rather than market abuse generally) and monitoring for it were concerned: “what constitutes inside information may change radically during the pandemic,” said Julia Hoggett, Director Market Oversight, on 12 October 2020.
She also said that the events did not “necessarily give rise to ‘new’ market abuse risks, but that the relative prevalence of certain risks compared to a more steady state scenario changes, as does the manner in which some of these risks may manifest.”
The reason this is instructive is that although the FCA expected firms to be agile and intelligent in their monitoring (working from home carried different risks, such as staff using their own devices or new communications methodologies) and to identify the risks the pandemic posed to their business, the firms’ overall obligation was to have “effective controls”.
The big difference between the US and the UK is likely this: in the UK, “effective” controls means appropriate and focused policies and procedures consistently applied, not strict liability for breach.
The EU’s approach is similar to the UK’s, although (thanks to the Schrems cases) we are aware that the EU focuses heavily on personal data control and processing as an overlay to all other regulatory obligations. Those who were involved in the discussions to square the GDPR circle with the MiFID II investment/execution decision-maker reporting data will appreciate how difficult this overlay can be.
It is natural then that the EU would focus on protection of staff’s personal data: unless there is a very good reason to control or process that data, no one should do so.
The UK differs here because of the FCA’s and the PRA’s long-held focus on “culture and conduct”, which includes non-financial, non-work culture and conduct. The bald fact is that an individual member of staff could be an exemplary employee but have a complicated personal life. Conduct of staff is not just workplace-based, even now that working exclusively from home broadly is a thing of the past.
This focus may pull the UK towards the US in approach (i.e. as almost every facet of a staff member’s life is “fair game”, so is their data), but (a) the Information Commissioner is likely to give that the side-eye and (b) firms are extremely reluctant to go down this route anyway.
RegTech Surveillance 2024 agenda
According to a NICE Actimize survey of financial institutions, 60% of firms are not monitoring newer communication channels, including Microsoft Teams, Bloomberg Chat, Zoom and WhatsApp. As a result, many firms are being levied fines as large as $200 million due to record keeping and surveillance lapses.
As JWG has observed, the FCA’s annual report on its new Market Surveillance system was silent on appropriate technology and data practices and does not, in fact, mention “RegTech” once.
The 2024 RegTech surveillance conundrum in a nutshell is that, retrospectively, the industry is able to see what ‘bad’ looks like, but the forward view of what ‘good’ looks like isn’t available.
While it would be nice to be provided with a technology, HR or monitoring framework which, if adopted, would be “compliant”, that is never going to happen. We would be naïve to expect it to.
However, in the emerging US framework the firm is at fault if it fails to catch every instance, while in the EU and the UK the regulators may not reach a similar finding.
All that being said, given that (technically at least) in the UK senior managers can go to prison for overseeing rule breaches, it is better for the industry to bring records management and surveillance together from the multitude of different vendors and even the different stakeholders within a firm’s business areas.
Paul Cottee, Director, Regulatory Compliance, NICE observed “With the recent explosion in the number of potential communications channels, the regulators are laying a clear line in the sand not only to the fined firms, but also to individuals at all firms: it might be ‘cool’ to use a certain messaging app, but unless your employer says it’s ok, don’t do it, or there will be real-world, career-limiting consequences, no matter if you’re a new joiner or a senior managing director.”
Opensource RegTech
Research has shown that standardized business events and data dictionaries, leveraging FINOS’ Common Domain Model, can streamline the process for spotting suspicious trading activity across markets and communications channels.
Industry-led guidelines for trade and electronic communications surveillance could unblock the challenge.
Identifying the pre-trade data points which can trigger a review of a wash trade and how it applies to an asset class could radically reduce the number of false positives and help find the true needles across many haystacks.
This will not come for free. Pre-trade lifecycle events will need to be agreed by asset class, metadata defined, lexicons agreed, and methods of using the data to derive patterns need investment.
The business case for mutualisation of the data strategy and code is, however, straightforward and will return nine zeros (i.e., 1,000,000,000) on the investment across the markets.
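As an added example (not JWG, NICE or FINOS code), the Python below sketches the idea in the paragraphs above: a constructed data dictionary maps two venues’ field names onto one canonical trade event, and a wash-trade review trigger pairs opposite-side fills by the same account at the same quantity and price inside an asset-class-specific window, so a 30-second equity round trip stays out of the review queue. Venue names, field names, windows and fills are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed data dictionary: each venue's own field names -> one canonical schema.
DICTIONARY = {
    "venueA": {"ts": "exec_time", "acct": "account", "sym": "ric", "side": "buy_sell", "qty": "quantity", "px": "price"},
    "venueB": {"ts": "timestamp", "acct": "client_id", "sym": "instrument", "side": "direction", "qty": "size", "px": "px"},
}
SIDE = {"B": "BUY", "S": "SELL", "buy": "BUY", "sell": "SELL"}
WINDOW = {"equity": timedelta(seconds=2), "bond": timedelta(minutes=5)}  # constructed; agreed per asset class

@dataclass(frozen=True)
class Trade:
    ts: datetime
    acct: str
    sym: str
    side: str
    qty: int
    px: float
    asset_class: str

def normalise(venue: str, raw: dict, asset_class: str) -> Trade:  # venue record -> canonical Trade
    m = DICTIONARY[venue]
    return Trade(datetime.fromisoformat(raw[m["ts"]]), raw[m["acct"]], raw[m["sym"]],
                 SIDE[raw[m["side"]]], int(raw[m["qty"]]), float(raw[m["px"]]), asset_class)

def wash_trade_candidates(trades):
    """Pair opposite-side fills for the same account, instrument, qty and price
    that fall inside the asset class's window; anything else is left alone."""
    hits, seen = [], {}
    for t in sorted(trades, key=lambda x: x.ts):
        key = (t.acct, t.sym, t.qty, t.px)
        hits += [(p, t) for p in seen.get(key, []) if p.side != t.side and t.ts - p.ts <= WINDOW[t.asset_class]]
        seen.setdefault(key, []).append(t)
    return hits
def fill(venue, ts, acct, sym, side, qty, px, ac):  # constructed record in the venue's own field names
    m = DICTIONARY[venue]
    return normalise(venue, {m["ts"]: ts, m["acct"]: acct, m["sym"]: sym, m["side"]: side, m["qty"]: qty, m["px"]: px}, ac)

# Constructed fills: cross-venue equity round trip 1s apart (hit), bond round trip 3 min
# apart (hit), equity round trip 30s apart and a different-account match (both ignored).
SAMPLE = [
    fill("venueA", "2023-09-01T10:00:00", "ACC1", "ABC.L", "B", "500", "10.5", "equity"),
    fill("venueB", "2023-09-01T10:00:01", "ACC1", "ABC.L", "sell", "500", "10.5", "equity"),
    fill("venueA", "2023-09-01T10:05:00", "ACC2", "GILT25", "B", "1000", "99.2", "bond"),
    fill("venueA", "2023-09-01T10:08:00", "ACC2", "GILT25", "S", "1000", "99.2", "bond"),
    fill("venueB", "2023-09-01T11:00:00", "ACC1", "XYZ.L", "buy", "200", "5.0", "equity"),
    fill("venueB", "2023-09-01T11:00:30", "ACC1", "XYZ.L", "sell", "200", "5.0", "equity"),
    fill("venueA", "2023-09-01T12:00:00", "ACC3", "ABC.L", "S", "500", "10.5", "equity"),
]
```

Running `wash_trade_candidates(SAMPLE)` returns two pairs (the ABC.L and GILT25 round trips); widening the equity window to 60 seconds would pull the XYZ.L pair into review, which is the false-positive trade-off the asset-class agreement has to settle.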
Perhaps more importantly, management will be able to sleep at night knowing what workflows need to be integrated and what monitoring is required to ensure that proper analysis and record keeping is kept.
Conclusion
In conclusion, the regulatory surveillance warfare is intensifying, with the US and EU/UK taking different approaches to the need for monitoring electronic communications.
US regulators are firmly in the camp which demands a ‘know it all’ stance, while the EU and the UK are more risk-based, asking management to ‘be reasonable’ and (particularly in the EU) prioritizing employee welfare and the sanctity of their personal data.
As the industry struggles to balance the competing priorities of market alpha generation, controlling conduct risk, and providing for employees’ wellbeing, it has become clear that firms need to find a way to define what ‘good communications surveillance’ looks like.
As we approach the 2024 RegTech surveillance agenda, the industry is grappling with the challenge of finding the right technological solutions and data practices.
While standardized business events and data dictionaries can streamline the process for spotting suspicious trading activity across markets and communication channels, trade and electronic communication surveillance will require significant investment in metadata definitions, lexicons, and analysis methods.
The business case for mutualisation of the data strategy and code is clear: not only could these fines be avoided in the future, but the cost of compliance will fall dramatically.
By investing in the right technology and data practices, investment firms can ensure that they are well-positioned to navigate the regulatory surveillance warfare and deliver value to stakeholders.
Next Steps
JWG is conducting research with FINOS members on the future of Surveillance RegTech Opensource and hosting roundtables in New York and London in advance of our 7 February annual Conference.
RegCast Season 3, Episode 6 ‘Breaking surveillance silos’ can be found here or on your favourite podcast platform.
Please contact Corrina.Stokes@jwg-it.eu if you would like to get involved.