Last week I spoke on a webinar about the role that compliance officers should play in helping to guide a firm’s electronic communications. After all, coronavirus has forced tens of millions to work remotely, so the use of “collaboration tools” such as Slack, Zoom, Microsoft Teams, and similar apps is soaring.
Well, what are the compliance risks generated by that shift? And how should a business respond to them?
The quick answer is that the risks are many, especially for financial firms with high burdens regarding employee surveillance and records retention. The longer answer is that to identify all those risks requires a detailed technical review and risk assessment — which, in turn, requires a compliance function fully engaged in what employees are doing with all these online collaboration tools.
That’s the part that worries me.
Let’s start at the beginning. The key to managing the compliance risks attendant on online collaboration tools is to understand the use cases employees have for those tools. If you don’t understand why and how employees want to use Zoom instead of Microsoft Teams, or iMessage instead of Slack, or whatever other tools they might put forward (I hadn’t even heard of half the tools mentioned on the webinar), then the policies and controls you try to put around online collaboration might not align with what’s actually happening in the organization.
OK, the compliance officer needs to understand the use cases for collaboration tools. Think about what that means. First, it implies that the compliance officer is working closely with business functions in the first and second lines of defense, so compliance can understand what’s going on with workplace operations generally.
It also means that compliance must work closely with the IT department to understand all the features of these tools. For example, some collaboration tools allow users to flag certain messages as high priority. So can such a tool also capture in its archives whether that priority flag was attached?
Some collaboration tools do allow you to capture that priority flag; others don’t. And capturing the priority status of a message can be important for record-keeping compliance at, say, a broker-dealer firm.
So a compliance officer needs to work his or her way through several questions regarding this scenario:
- First, do your regulatory obligations in fact require you to archive that priority status, or just the underlying message?
- Can the collaboration tool you’re using archive that priority status or not?
- If it can’t archive that priority status, could you customize the tool to give you that capability anyway?
- Or if the tool can archive priority status, could someone customize the tool to turn that archiving feature off? For example, could devious employees turn off that feature against your wishes? Could you turn off their ability to disable it, but keep it for yourself?
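Those four questions translate into two checks a compliance team can actually run with IT: reconcile what was sent against what the archive retained, and confirm that the archiving setting is locked down to administrators. The script below is an added illustration of that reconciliation, not code from the post or from any particular collaboration tool. The export format (message `id`, `priority` field, a settings block naming which roles may edit the archiving toggle) and the sample messages are constructed assumptions; a real tool’s export will need its fields mapped onto these names. The `require_priority` switch corresponds to the first question above: if your obligations only cover the underlying message, the flag comparison is skipped.

```python
"""Archive completeness check for a collaboration tool (constructed example).

Compares the messages a tool reports as sent against what the archiving
connector actually retained, flags dropped priority flags or missing
messages, and checks whether non-admin roles can change the archiving
setting. Field names are assumed; map your tool's export onto them.
"""

# Constructed sample: what the tool says was sent.
SENT_MESSAGES = [
    {"id": "m1", "sender": "alice", "text": "Sell order confirmed", "priority": "high"},
    {"id": "m2", "sender": "bob", "text": "Lunch?", "priority": "normal"},
    {"id": "m3", "sender": "carol", "text": "Client complaint escalated", "priority": "high"},
    {"id": "m4", "sender": "dave", "text": "See attached", "priority": "normal"},
]

# Constructed sample: what the archive retained. m3 lost its priority field,
# m4 was never archived at all.
ARCHIVED_RECORDS = [
    {"id": "m1", "sender": "alice", "text": "Sell order confirmed", "priority": "high"},
    {"id": "m2", "sender": "bob", "text": "Lunch?", "priority": "normal"},
    {"id": "m3", "sender": "carol", "text": "Client complaint escalated"},
]

# Constructed sample: the tool's settings export (assumed key names).
TOOL_SETTINGS = {
    "archive_priority_flag": True,
    "archive_priority_flag_editable_by": ["admin", "member"],
}


def find_archive_gaps(sent, archived, require_priority=True):
    """Return (message id, reason) pairs for every message the archive
    did not retain faithfully. With require_priority=False only missing
    messages are reported, for firms whose obligations cover the text alone."""
    archived_by_id = {rec["id"]: rec for rec in archived}
    gaps = []
    for msg in sent:
        rec = archived_by_id.get(msg["id"])
        if rec is None:
            gaps.append((msg["id"], "missing from archive"))
        elif require_priority and rec.get("priority") != msg.get("priority"):
            gaps.append((msg["id"], "priority flag not retained"))
    return gaps


def check_setting_lockdown(settings, allowed_roles=("admin",)):
    """Return findings about the archiving toggle: is it on, and can
    anyone outside allowed_roles switch it off?"""
    findings = []
    if not settings.get("archive_priority_flag"):
        findings.append("priority-flag archiving is disabled")
    editors = set(settings.get("archive_priority_flag_editable_by", []))
    extra = sorted(editors - set(allowed_roles))
    if extra:
        findings.append(f"non-admin roles can change archiving setting: {extra}")
    return findings


if __name__ == "__main__":
    for msg_id, reason in find_archive_gaps(SENT_MESSAGES, ARCHIVED_RECORDS):
        print(f"GAP  {msg_id}: {reason}")
    for finding in check_setting_lockdown(TOOL_SETTINGS):
        print(f"SETTING  {finding}")
```

Run periodically against a fresh export from the tool and a fresh pull from the archive; an empty gap list and an empty findings list is the evidence you want on file. A message that is missing entirely is a retention failure regardless of the priority question, which is why that case is reported even when `require_priority` is off.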
You get the idea. Evaluating the compliance risks of collaboration tools can be a painstaking endeavor. Some of these collaboration tools have dozens of features that the compliance function will need to understand.
Compliance officers have understood this exercise for traditional email for many years. Now coronavirus has tossed us into a blizzard of more modern collaboration tools. So, yes, you really would need to go through each tool with the IT department, feature by feature, analyzing how each one works and the compliance risks that it brings.
How Does a Compliance Program Do That?
I’m stuck trying to figure out which firms are best suited for this cooperation between compliance and the rest of the business.
On one hand, a smaller firm might naturally allow the compliance officer more access to living, breathing employees, who would be more forthcoming with someone they see every day when they talk about how they use the technology.
On the other hand, a smaller firm has fewer resources at the compliance officer’s disposal. In particular, you’ll have less access to sophisticated technology, and less IT support to help you dissect all those collaboration tool features. (Because the IT department will be just as overworked as you are.)
A compliance officer at a smaller firm is also more likely to be a part-time CCO with other roles as well. Or the firm might not embrace a rigorous culture of compliance. Either scenario can leave the CCO struggling to keep pace with collaboration tools the business units select and start using long before you ever get involved.
Meanwhile, at a larger firm, you might not be able to reach all the employees to understand those use cases we mentioned earlier. If the business has 1,000 or 5,000 employees e-gabbing away on all sorts of collaboration tools — no, you’re not going to know all those people and what they’re doing.
Instead, the compliance officer will need to work with the heads of those business functions. Those function leaders might even take compliance seriously, but all of you will have less visibility into lower rungs of the business, to understand how employees are really using collaboration tools.
Yes, at a large firm you might also have better IT support; and that IT team might have an easier path to implement enterprise-wide controls on how certain tools are used. That’s the good news.
But as people work from home with corporate apps and data, on personal devices and networks — they’ll have an easier time evading those enterprise-level controls that IT is trying to cloak across everybody.
So you’ll need to rely on policy and training as much as you’ll need to rely on IT controls. You’ll need to get employees to understand the risk-aware culture you want, and embrace it, which will probably be just as painstaking as those technical risk assessments I mentioned above.
At least when the time for training comes, you’ll have lots of collaboration tools to choose from.