<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=183336108931044&amp;ev=PageView&amp;noscript=1">


Ensuring proactive compliance in an increasingly rigid regulatory environment


Understand the compliance requirements, identify opportunities for improvement and adopt a truly proactive approach to your compliance work.

Compliance officers in the banking and financial sectors face challenges that can be both comprehensive, challenging and time-consuming to solve on a daily basis.

In a rapidly developing environment, where technological advances and new requirements, regulations and regulations are continuously reshaping the operational landscape, keeping your head above water can be challenging – particularly if you do not have the right tools, smart processes and a good compliance culture within the company.

This whitepaper has been developed by guardREC to tackle some of the most important questions, wishes and demands we have received from our customers.

Our goal is to map the current market situation, highlight the most important facets of compliance work in an ever-changing environment, discuss the most common challenges we face and provide some useful tips on how your business can adopt an efficient and proactive approach to compliance.

This guide is divided into six sections, each covering a specific subject:

  1. Regulatory compliance
  2. GDPR
  3. Customer dialogue
  4. Challenges
  5. Compliance tips
  6. guardREC® Compliance

(Click the links to jump directly to a specific section.)

Heading into a meeting? Download whitepaper as pdf here


Understanding regulatory compliance in financial services

Understanding regulatory compliance in financial services

The first prerequisite to keeping up with the changes in customer communication, tackling the biggest compliance challenges we face today, and identifying how to work proactively to ensure compliance is to have a core understanding of the most important regulations and laws that affect how we work.

MiFID II, Dodd-Frank, MAS, SYSC, FINRA, SEC, and a range of other regulators, acts, and directives are designed to improve customer rights, increase transparency across financial markets, and improve competitiveness by standardizing regulatory requirements for accessible information. 

This complicated landscape of requirements and regulations challenges institutions to find new and effective solutions to ensure compliance, and many organizations struggle to adapt and adhere to changes in their operational environment.


Proactive monitoring of your processes

An important change that has been introduced in recent years is the requirement that all companies that provide investment advice must employ proactive monitoring of their processes and compliance with the regulations.

Previously, companies were only required to collect the necessary information and provide this data at the request of internal sources, a customer, or the financial supervisory authorities. 

Now, you are obliged to prove that all processes are monitored, show that all information is recorded, inform the customer about admission and ensure that the customer can easily gain access to all relevant information you may have.


Regulations apply to customer communication across all channels

Banking and financial institutions have long been required to record and document all calls made with broker phones. However, the introduction of directives such as MiFID II expands this requirement to include all customer communication across all channels, including:

  • Landline
  • Mobile phone
  • SMS and MMS
  • Email
  • Online meetings (e.g. via Microsoft Teams, Zoom)
  • Chat (on own websites or via services like Bloomberg, Refinitiv Eikon, Symphony, WhatsApp)
  • Social media (e.g. LinkedIn, Facebook)


You must record all communication that may lead to a transaction

Additionally, current regulations emphasize that the requirements for recording do not only apply to conversations concerning the transaction itself, but rather to all customer communication that may result in a transaction.

For investment companies offering advisory services, this may result in a very long audit trail – from the very start of the customer journey until the actual transactions are completed.


The most important criterion for proactive compliance

Regulatory changes and updates have created and will continue to create major upheavals in how banking and financial institutions handle customer data. This particularly affects the workday of one specific group: Compliance officers.

According to current directives, companies must have full control of rules and regulations – a responsibility that ultimately falls on the company's compliance officer. As such, compliance officers are dependent on working efficiently to verify and document all steps within the customer journey.

The most important criterion for working effectively with proactive compliance is complete control over all data, ensuring the recording and documentation of all required communications.

If a compliance officer has to extract information from several systems, and in several formats, it will make the process of providing relevant information time-consuming and unnecessarily complicated. If, on the other hand, all data is securely stored in one central system, COs can segment specific segments and offer customers or financial authorities insight into exactly the datasets that they request.

Questions to reflect on:

  • Which communication channels does your company record and store today?
  • Is the data stored in one central system or fragmented across multiple systems?



Balancing financial regulations and GDPR

Balancing financial regulations and GDPR

In May 2018, merely five months after the introduction of MiFID II, a new comprehensive EU directive came into force in the European market: GDPR, the General Data Protection Regulation.

In broad strokes, the purpose of the GDPR is to give control over one's data back to the person, as well as to create more openness, transparency, and overview when it comes to the storage and processing of personal data.

Simply put, the GDPR boils down to answering one important question: Why does your organization store specific personal information?


How does GDPR work with financial regulations?

In 2018, the introduction of two comprehensive EU directives in less than six months presented several challenges for the banking and finance sectors. The biggest challenge – mapping how GDPR works with MiFID II and other regulators – is still an ongoing process three years later.

In practice, directives such as MiFID II may in many ways simplify the requirements of the GDPR. The requirement that all institutions engaged in the brokerage or trading of securities must record all communications that may lead to a transaction will simplify the process of consent to the storage of personal data under the GDPR because a call related to a possible transaction can not be conducted without recording.

According to GDPR, consent must be obtained each time a new type of information is stored, but because the requirement to record all customer communication means that new information will be added continuously throughout the customer journey you may be exempt from this requirement in some scenarios.

Additionally, financial regulations state that stored data must be searchable on customer identification, broker identification, and time period. They also define what kind of personally identifiable information is to be stored. In other words, the requirement in e.g. MiFID II trumps the GDPR legislation. However, you are still obliged to inform the customer that they are being recorded.


Data security is a key topic

Data security, and more specifically how data is stored and processed, is a topic that is central to both GDPR and financial regulations such as MiFID II.

All data must be processed in such a way that they satisfy the requirements imposed on you by financial supervisory authorities through directives, while also safeguarding the security of personal data per the GDPR.

Two of the most important questions you need to be able to answer according to GDPR and MiFID II are:

  • What kind of information is recorded and stored?
  • Who has access to this information?

Regulations state that no one should be able to change or delete data in an audit trail. All data must be stored securely and encrypted so that no unauthorized persons have the opportunity to manipulate the information. The data must be monitored, but should only be available to the control function within the company.

In other words, a compliance officer responsible for monitoring the data must have full control over who has access and insight, so that no one can enter the system and delete e.g. three lines of an email or one minute of a phone call.


Information related to communication – a dilemma

According to the GDPR, a customer may, in principle, demand access to all their personal data in a company’s database. However, when looking at conversations between a broker or advisor and a customer it is a bit unclear how to cater to this demand.

If a customer requests to have all information about them retrieved, this would also include recordings of all communication, but because a conversation always includes two or more parties, you will then automatically give the customer access to private information about the broker – who is also entitled to the protection of their personal data.

In this situation, how to best comply with both the GDPR and the recording requirements of directives such as MiFID II may propose a challenging dilemma.


The customer can not demand the deletion of data

Per the GDPR, a person has the right to retrieve, move, and share any personal information kept by a company, and may also demand that all stored data be deleted. This raises two new dilemmas for companies that are subject to the MiFID II regulations.

Personal information linked to communication with a broker may be considered confidential company information that should not be disclosed to competitors. As such, retrieving or moving this data may be complicated.

Similarly, a customer can not demand that information related to communication with a broker or adviser be deleted, because certain regulations, e.g. MiFID II, stipulate that all recordings of all communication must be stored for exactly five years. To comply with the requirement for a complete audit trail, you are not allowed to delete parts of this communication.

These are just a few examples of the dilemmas that the banking and finance industry is still in the process of investigating, and which must be interpreted individually until a firm precedent is set.


3 largest GDPR pitfalls

  1. Insecure data storage
    Perhaps the greatest pitfall of all is storing data in a way that makes it accessible to unauthorized persons, either internally within the company or externally, without a good system for tracking who may acquire the information.

  2. Fragmented information
    Storing fragmented information across multiple systems, on several servers, or in different locations, may make it challenging to provide authorities or customers access to relevant data.

  3. No automated processes for inspection
    One of the biggest mistakes companies make is failing to integrate automated processes for providing customers and supervisory authorities access to the information they request.


Questions to reflect on:

  • What routines and guidelines does your company have for the collection and transfer of personal data per the GDPR?
  • Do you have a good system for restricting and tracking access to stored information?
  • Do you have automated processes for providing customers and financial supervisory authorities access to relevant data?


Customer dialogue across multiple channels

Customer dialogue across multiple channels

Imagine the following scenario: A finance agency arranges an online meeting with 100 participants and presents an investment opportunity. In the following days, interested parties contact the broker via phone to ask for more information.

The broker sends information to a prospect via email and the interested party replies in a short SMS that they want to know more about the risk surrounding the investment. A consultant in the company calls the customer and arranges a meeting.

After making contact numerous times, and across multiple communication channels, the two parties enter an agreement and the transaction is completed. The question now is: Is there a complete audit trail available?


Compliance Officers require a complete overview

This scenario is a typical example of a modern customer journey. The time when all communication took place via telephone or fax is long gone, and today brokers and consultants often communicate with the customer through a wide array of channels – from mobile phones and email to chat services and social media.

Regulatory directives, such as MiFID II, require you to have a complete overview of all customer communication, across all channels, and this task generally falls to the compliance department. Not only do they need to know how brokers communicate with customers, but they must also ensure compliance with all rules and regulations.


Solving a challenging task

Two important aspects of an efficient and proactive compliance approach are clear routines and guidelines for communication within the company, and a systematic set-up of permitted channels that grant compliance officers complete control.

For this to be achieved, it is crucial to have one central system for recording and storing data that makes it easy to record all communication in all permitted channels. This system must also provide compliance officers with access to all relevant information, as well as a complete audit trail for each customer relationship.


3 keys to efficient and proactive compliance:

  • Ensure good information flow
    A good information flow within the company ensures that all employees who are in direct contact with customers during the sales journey are aware of the guidelines and permitted communication channels. Compliance officers must verify that all brokers and consultants adhere to these guidelines.

  • Avoid information surplus
    Although financial agencies are required to store relevant information regarding a potential transaction, there is also plenty of information that should not be stored. Brokers will likely use the same channels for professional and private communication, highlighting the importance of applicable whitelisting functions and solid guidelines to determine what information to store, and what to omit.

  • Use risk indicators for added security
    One of the risks of whitelisting is brokers tagging professional calls as private, allowing them to communicate without being recorded. To minimize this risk the recording system should enable the use of risk indicators, such as setting up alerts for additions or changes in numbers or IDs during calls. This adds an extra layer of security and prevents potentially costly regulatory breaches.


Questions to reflect on:

  • Are the brokers and consultants within your company using any communications channels that are not currently being monitored?
  • Do you have solid routines and systems to avoid storing private calls and surplus information?




Common compliance challenges

Common compliance challenges

Due to the ever-changing and increasingly stringent requirements and regulations, along with potentially severe repercussions to any compliance violations, compliance officers tend to work under constant pressure.

Through speaking with our clients we have identified five common challenges faced by compliance officers.


1. Getting a complete overview of the data

The biggest challenge for compliance officers is getting an overview of all contact points between multiple people on both sides of a transaction, spread across a wide array of communication channels.

Collecting fragmented information, stored in multiple locations, on different servers, or in separate systems is very time-consuming, and may create problems when the need to provide supervisory authorities or customers access to relevant data arises.

Additionally, it can be challenging to track and reconstruct a transaction when the information is spread across multiple systems.

By storing all information in one central system, you simplify and streamline the process of obtaining relevant data, allowing you to define specific segments as needed. With automated processes for granting access, you can easily provide authorities and customers access to the relevant data.


2. Achieving complete compliance with regulations

Many compliance managers worry about whether or not their company fully complies with regulations, as even a small breach may have major consequences.

Here are three recurring concerns:

  1. Uncertainty as to whether or not all permitted communication channels are recorded and stored correctly, and if data can be easily retrieved.

  2. Risk of lost recordings, especially in regards to email. Many companies entrust each broker and advisor with storing all relevant emails in a specific location or synchronizing their inbox with the CRM system daily. This requires a lot of manual work, puts a lot of responsibility on individuals, and makes it difficult for compliance officers to verify the information.

  3. Risk of unauthorized access to recordings and information. All data should be encrypted and securely stored, and only be accessible to the company’s control function, i.e. compliance officers.


3. Acquiring adequate documentation

Adequate documentation of compliance efforts is alpha and omega when supervisory authorities come knocking. And yet, many compliance officers find it challenging to provide proof of their approach and routines. 

Three challenges, in particular, are giving compliance officers headaches:

  1. Documenting compliance may be challenging
    Because it is not realistic to assume that a compliance officer will have time to review and control every single conversation between a broker and a potential client, the logical option is to use a risk-based approach to identify and prioritize potential breaches. This may be a challenging and very time-consuming process without a smart system for automating risk management and data-driven prioritization.

  2. Whitelisting across multiple channels is difficult
    Whereas most compliance managers can whitelist specific telephone numbers, many cannot whitelist sources in other channels, such as email addresses, chat IDs, etc. This makes it difficult to comply with regulations on avoiding surplus information.

  3. Documenting customer complaints is time-consuming
    Documenting customer complaints often takes up far too much of a compliance officer's time. In some cases, addressing a complaint requires the compliance officer to collect all recorded data relating to a specific customer relationship, a task made even more tedious if information from different channels is stored in separate systems. Additionally, a lack of filtering options may result in sifting through a large surplus of irrelevant information.


4. Ensuring complete audit trails

In addition to monitoring multiple communication channels, many compliance managers have to spend a significant amount of time ensuring complete audit trails, as well as generating reports.

The more fragmented the information, the more difficult it becomes to refer to a complete audit trail. Storing all data in one central system will simplify the task of verifying the audit trail and streamline the reporting process.

A good compliance system should include an automated reporting solution that gives compliance officers access to integrated and efficient reporting tools, as well as ready-made report templates that make generating and sharing incident reports simple.


5. Creating an internal compliance culture

Although the task of ensuring compliance with all laws, rules, and requirements ultimately falls on the compliance department, the responsibility is shared by all employees in the company. A company-wide compliance culture is crucial for ensuring quality at all levels, but developing such a culture requires both time and effort.

Clear guidelines, good routines, sufficient staff training, and top-down commitment are key elements of creating a proactive attitude towards compliance work in the organization.


Questions to reflect on:

  • Does your company employ a risk-based approach in your compliance work?
  • How efficient is your process of gathering and preparing all the necessary data for generating reports?
  • Is your recording system making your workday easier or more difficult?



5 steps for streamlining your compliance efforts

5 steps for streamlining your compliance efforts

Streamlining your compliance efforts requires a detailed and actionable plan. Here are five reliable steps you can follow to optimize your efficiency, based on our own experience from the industry and experiences shared by our clients.


Step 1: Get an overview of available channels

To ensure compliance with MiFID II, Dood-Frank, and other regulations, you must get a complete overview of all channels your company uses to communicate with customers and verify that your internal regulations and routines for recording and storing data include these channels.

You may manage communication channels in one of two ways:

  1. You can make sure that all relevant communication through a specific channel is recorded and stored appropriately.
  2. You can make these channels inaccessible as a means of communication.

Keep in mind that the regulations specify that the requirements for recording data include all communication that may lead to the provision of investment services or the exercise of investment activities.


Step 2: Store data from multiple channels in one central system

One of the main challenges for compliance officers is to get an overview of all contact points between multiple people on both sides of a transaction, spread across a wide array of communication channels. 

This is especially true if that information is stored in different systems depending on what channels have been used to communicate.

The only sustainable solution to get a complete overview is to have one central system that enables you to collect, store, search and replay all forms of communication.

A centralized system makes it easier to create a complete audit trail because compliance officers can search across multiple channels to verify that all interactions have been handled appropriately.


Step 3: Record all interactions with stored data

Data security – and more specifically how data is stored and processed – is central to both financial regulations and the GDPR. According to the regulations, no one should be able to change or delete data in an audit trail.

Sensitive information shall only be available to the person, or persons, who constitute the company’s control function. Therefore, you must use a system that can document who has access to what information, how the data is stored, and for how long this data will be stored.

Additionally, your system should offer a "Data Life Management" function that ensures that the data is stored for exactly the period specified by the regulations, and tracks who has accessed and/or retrieved data throughout its life cycle.


Step 4: Automate risk management and reporting

By using a centralized system for recording all communicating channels, you have the option to prioritize and automate communication monitoring based on data-driven risk assessment. The system should be able to identify deviating trading patterns, or particularly exposed transactions, such as first-time purchases or high-volume agreements.

Additionally, you should have access to standard information about your customer, which broker he spoke to, when the conversation took place and what they talked about across all channels, in one single interface,  enabling you to add comments, tag important segments and classify the different conversations for quick retrieval at a later date.

The system should also enable you to generate templates for compliance reports that provide additional information and contribute to more efficient reporting.


Step 5: Whitelist surplus information

Regulations require you to avoid storing surplus information. To comply with these requirements, compliance officers need smart whitelisting features that enable them to easily define what to record, and what not to record.

There are two main types of whitelisting:

  • Global whitelisting: This includes communication with local services such as car services, takeaway restaurants, and the café on the corner. Additionally, recording calls to emergency services is prohibited.
  • Private whitelisting: Communication with friends, family, and relatives.

These are typical examples of surplus information that should be filtered out before recording, and not deleted afterward. This can be achieved by entering phone numbers, email addresses, chat IDs, and employee IDs.


Questions to reflect on:

  • How can you implement these steps to streamline your compliance efforts?
  • Do you have access to a system that offers smart tools and functions to aid your proactive compliance work?



Streamline your compliance efforts with guardREC® Compliance

Streamline your efforts with guardREC® Compliance

guardREC® Compliance is a centralized data management and recording system designed and developed for and by compliance officers within the banking and financial services to ensure proactive compliance.

Get a complete overview

guardREC® Compliance enables the storage of communication data from multiple channels in one centralized system that provides you with a complete overview of all sources and ensures compliance with relevant regulations and directives.

Optimize your risk-based approach

guardREC® Compliance provides compliance officers with powerful, customizable dashboards and a range of options to highlight vital information – helping you with identifying and managing potential risks and breaches before they have a chance to develop.

Work smarter

Our Compliance Comments tool enables in-system note-taking and collaboration while auditing. Save valuable time switching between applications, while keeping critical compliance notes within the system – accessible for authorized users only. 

Effective documentation for inspection

Spend less time retrieving, collecting, and sharing data with customers or financial supervisory authorities upon request.

Powerful whitelisting functionalities and automated reporting

guardREC® Compliance comes with powerful whitelisting functionalities that work across all channels. Additionally, the automated reporting solution provides you with effective, built-in reporting tools, pre-populated templates, and a simple structure allowing you to easily produce and share incident reports with just a few clicks of a button. 


Download whitepaper

Ensuring proactive compliance in an increasingly rigid regulatory environment

Fill out your details below to download the complete whitepaper:

Ensuring proactive compliance in an increasingly rigid regulatory environment

Learn more about guardREC® Compliance

guardREC® Compliance is a centralized compliance solution specifically designed for financial services to support all relevant requirements and regulations. The guardREC® Compliance solution includes state-of-the-art compliance functionality enabling financial services to assure regulatory compliance in an easier, less complex, and far more cost-effective way. 

  • Ensure regulatory compliance
  • Global view of all communications data
  • Review queues
  • Risk detections
  • Automatic transcription
  • Compliance dashboard
  • Automatic reporting


Learn more about guardREC Compliance

Global oversight of all communications data with guardREC Compliance

Why Choose guardREC®

Robust and Reliable

The guardREC® record ing solution is the most robust and reliable system on the market – providing high stability and ensuring constant compliance. Choose whether to keep your data stored in-house, on-site, or opt for our secure cloud-based storage.

Built-in Connectivity

The future-proof guardREC® recording and replay solution comes with a multitude of built-in integrations with other systems and technologies – giving you unparalleled flexibility when choosing a set-up that covers all your needs.

World Class Customer Support

Our world class customer support team provides you with the security and assistance you need – regardless of where you are located. Quick response times and rapid resolution of critical incidents ensures minimal downtime and maximum efficiency.

guardREC ATC recording solution


Discover the world's best recording solution for Bank & Finance

Request free demo