
WHITEPAPER

Ensuring proactive compliance in an increasingly rigid regulatory environment

 

Understand the compliance requirements, identify opportunities for improvement and adopt a truly proactive approach to your compliance work.

Compliance officers in the banking and financial sectors face challenges that can be comprehensive, demanding and time-consuming to solve on a daily basis.

In a rapidly developing environment, where technological advances and new requirements and regulations are continuously reshaping the operational landscape, keeping your head above water can be challenging – particularly if you do not have the right tools, smart processes and a good compliance culture within the company.

This whitepaper has been developed by guardREC to tackle some of the most important questions, wishes and demands we have received from our customers.

Our goal is to map the current market situation, highlight the most important facets of compliance work in an ever-changing environment, discuss the most common challenges we face and provide some useful tips on how your business can adopt an efficient and proactive approach to compliance.

This guide is divided into six sections, each covering a specific subject:

  1. Regulatory compliance
  2. GDPR
  3. Customer dialogue
  4. Challenges
  5. Compliance tips
  6. guardREC® Compliance





SECTION 1: REGULATORY COMPLIANCE

Understanding regulatory compliance in financial services


The first prerequisite to keeping up with the changes in customer communication, tackling the biggest compliance challenges we face today, and identifying how to work proactively to ensure compliance is to have a core understanding of the most important regulations and laws that affect how we work.

MiFID II, Dodd-Frank, MAS, SYSC, FINRA, SEC, and a range of other regulators, acts, and directives are designed to improve customer rights, increase transparency across financial markets, and improve competitiveness by standardizing regulatory requirements for accessible information. 

This complicated landscape of requirements and regulations challenges institutions to find new and effective solutions to ensure compliance, and many organizations struggle to adapt and adhere to changes in their operational environment.

 

Proactive monitoring of your processes

An important change that has been introduced in recent years is the requirement that all companies that provide investment advice must employ proactive monitoring of their processes and compliance with the regulations.

Previously, companies were only required to collect the necessary information and provide this data at the request of internal sources, a customer, or the financial supervisory authorities. 

Now, you are obliged to prove that all processes are monitored, show that all information is recorded, inform the customer about the recording, and ensure that the customer can easily gain access to all relevant information you may have.

 

Regulations apply to customer communication across all channels

Banking and financial institutions have long been required to record and document all calls made with broker phones. However, the introduction of directives such as MiFID II expands this requirement to include all customer communication across all channels, including:

  • Landline
  • Mobile phone
  • SMS and MMS
  • Email
  • Online meetings (e.g. via Microsoft Teams, Zoom)
  • Chat (on own websites or via services like Bloomberg, Refinitiv Eikon, Symphony, WhatsApp)
  • Social media (e.g. LinkedIn, Facebook)

 

You must record all communication that may lead to a transaction

Additionally, current regulations emphasize that the requirements for recording do not only apply to conversations concerning the transaction itself, but rather to all customer communication that may result in a transaction.

For investment companies offering advisory services, this may result in a very long audit trail – from the very start of the customer journey until the actual transactions are completed.

 

The most important criterion for proactive compliance

Regulatory changes and updates have created and will continue to create major upheavals in how banking and financial institutions handle customer data. This particularly affects the workday of one specific group: Compliance officers.

According to current directives, companies must have full control of rules and regulations – a responsibility that ultimately falls on the company's compliance officer. As such, compliance officers are dependent on working efficiently to verify and document all steps within the customer journey.

The most important criterion for working effectively with proactive compliance is complete control over all data, ensuring the recording and documentation of all required communications.

If a compliance officer has to extract information from several systems, and in several formats, the process of providing relevant information becomes time-consuming and unnecessarily complicated. If, on the other hand, all data is securely stored in one central system, compliance officers can define specific segments and offer customers or financial authorities insight into exactly the datasets that they request.

Questions to reflect on:

  • Which communication channels does your company record and store today?
  • Is the data stored in one central system or fragmented across multiple systems?

 



SECTION 2: GDPR

Balancing financial regulations and GDPR


In May 2018, merely five months after the introduction of MiFID II, a new comprehensive EU directive came into force in the European market: GDPR, the General Data Protection Regulation.

In broad strokes, the purpose of the GDPR is to give control over one's data back to the person, as well as to create more openness, transparency, and overview when it comes to the storage and processing of personal data.

Simply put, the GDPR boils down to answering one important question: Why does your organization store specific personal information?

 

How does GDPR work with financial regulations?

In 2018, the introduction of two comprehensive EU directives in less than six months presented several challenges for the banking and finance sectors. The biggest challenge – mapping how GDPR works with MiFID II and other regulators – is still an ongoing process three years later.

In practice, directives such as MiFID II may in many ways simplify the requirements of the GDPR. The requirement that all institutions engaged in the brokerage or trading of securities must record all communications that may lead to a transaction will simplify the process of consent to the storage of personal data under the GDPR, because a call related to a possible transaction cannot be conducted without recording.

According to GDPR, consent must be obtained each time a new type of information is stored, but because the requirement to record all customer communication means that new information will be added continuously throughout the customer journey you may be exempt from this requirement in some scenarios.

Additionally, financial regulations state that stored data must be searchable on customer identification, broker identification, and time period. They also define what kind of personally identifiable information is to be stored. In other words, the requirement in e.g. MiFID II trumps the GDPR legislation. However, you are still obliged to inform the customer that they are being recorded.

 

Data security is a key topic

Data security, and more specifically how data is stored and processed, is a topic that is central to both GDPR and financial regulations such as MiFID II.

All data must be processed in such a way that it satisfies the requirements imposed on you by financial supervisory authorities through directives, while also safeguarding the security of personal data per the GDPR.

Two of the most important questions you need to be able to answer according to GDPR and MiFID II are:

  • What kind of information is recorded and stored?
  • Who has access to this information?

Regulations state that no one should be able to change or delete data in an audit trail. All data must be stored securely and encrypted so that no unauthorized persons have the opportunity to manipulate the information. The data must be monitored, but should only be available to the control function within the company.

In other words, a compliance officer responsible for monitoring the data must have full control over who has access and insight, so that no one can enter the system and delete e.g. three lines of an email or one minute of a phone call.

 

Information related to communication – a dilemma

According to the GDPR, a customer may, in principle, demand access to all their personal data in a company’s database. However, when looking at conversations between a broker or advisor and a customer it is a bit unclear how to cater to this demand.

If a customer requests to have all information about them retrieved, this would also include recordings of all communication, but because a conversation always includes two or more parties, you will then automatically give the customer access to private information about the broker – who is also entitled to the protection of their personal data.

In this situation, how to best comply with both the GDPR and the recording requirements of directives such as MiFID II may pose a challenging dilemma.

 

The customer cannot demand the deletion of data

Per the GDPR, a person has the right to retrieve, move, and share any personal information kept by a company, and may also demand that all stored data be deleted. This raises two new dilemmas for companies that are subject to the MiFID II regulations.

Personal information linked to communication with a broker may be considered confidential company information that should not be disclosed to competitors. As such, retrieving or moving this data may be complicated.

Similarly, a customer cannot demand that information related to communication with a broker or adviser be deleted, because certain regulations, e.g. MiFID II, stipulate that all recordings of all communication must be stored for exactly five years. To comply with the requirement for a complete audit trail, you are not allowed to delete parts of this communication.

These are just a few examples of the dilemmas that the banking and finance industry is still in the process of investigating, and which must be interpreted individually until a firm precedent is set.

 

3 largest GDPR pitfalls

  1. Insecure data storage
    Perhaps the greatest pitfall of all is storing data in a way that makes it accessible to unauthorized persons, either internally within the company or externally, without a good system for tracking who may acquire the information.

  2. Fragmented information
    Storing fragmented information across multiple systems, on several servers, or in different locations, may make it challenging to provide authorities or customers access to relevant data.

  3. No automated processes for inspection
    One of the biggest mistakes companies make is failing to integrate automated processes for providing customers and supervisory authorities access to the information they request.

 

Questions to reflect on:

  • What routines and guidelines does your company have for the collection and transfer of personal data per the GDPR?
  • Do you have a good system for restricting and tracking access to stored information?
  • Do you have automated processes for providing customers and financial supervisory authorities access to relevant data?




SECTION 3: CUSTOMER DIALOGUE

Customer dialogue across multiple channels


Imagine the following scenario: A finance agency arranges an online meeting with 100 participants and presents an investment opportunity. In the following days, interested parties contact the broker via phone to ask for more information.

The broker sends information to a prospect via email and the interested party replies in a short SMS that they want to know more about the risk surrounding the investment. A consultant in the company calls the customer and arranges a meeting.

After making contact numerous times, and across multiple communication channels, the two parties enter an agreement and the transaction is completed. The question now is: Is there a complete audit trail available?

 

Compliance Officers require a complete overview

This scenario is a typical example of a modern customer journey. The time when all communication took place via telephone or fax is long gone, and today brokers and consultants often communicate with the customer through a wide array of channels – from mobile phones and email to chat services and social media.

Regulatory directives, such as MiFID II, require you to have a complete overview of all customer communication, across all channels, and this task generally falls to the compliance department. Not only do they need to know how brokers communicate with customers, but they must also ensure compliance with all rules and regulations.

 

Solving a challenging task

Two important aspects of an efficient and proactive compliance approach are clear routines and guidelines for communication within the company, and a systematic set-up of permitted channels that grant compliance officers complete control.

For this to be achieved, it is crucial to have one central system for recording and storing data that makes it easy to record all communication in all permitted channels. This system must also provide compliance officers with access to all relevant information, as well as a complete audit trail for each customer relationship.

 

3 keys to efficient and proactive compliance:

  • Ensure good information flow
    A good information flow within the company ensures that all employees who are in direct contact with customers during the sales journey are aware of the guidelines and permitted communication channels. Compliance officers must verify that all brokers and consultants adhere to these guidelines.

  • Avoid information surplus
    Although financial agencies are required to store relevant information regarding a potential transaction, there is also plenty of information that should not be stored. Brokers will likely use the same channels for professional and private communication, highlighting the importance of applicable whitelisting functions and solid guidelines to determine what information to store, and what to omit.

  • Use risk indicators for added security
    One of the risks of whitelisting is brokers tagging professional calls as private, allowing them to communicate without being recorded. To minimize this risk the recording system should enable the use of risk indicators, such as setting up alerts for additions or changes in numbers or IDs during calls. This adds an extra layer of security and prevents potentially costly regulatory breaches.

 

Questions to reflect on:

  • Are the brokers and consultants within your company using any communications channels that are not currently being monitored?
  • Do you have solid routines and systems to avoid storing private calls and surplus information?

 

 



SECTION 4: CHALLENGES

Common compliance challenges


Due to the ever-changing and increasingly stringent requirements and regulations, along with potentially severe repercussions to any compliance violations, compliance officers tend to work under constant pressure.

Through speaking with our clients we have identified five common challenges faced by compliance officers.

 

1. Getting a complete overview of the data

The biggest challenge for compliance officers is getting an overview of all contact points between multiple people on both sides of a transaction, spread across a wide array of communication channels.

Collecting fragmented information, stored in multiple locations, on different servers, or in separate systems is very time-consuming, and may create problems when the need to provide supervisory authorities or customers access to relevant data arises.

Additionally, it can be challenging to track and reconstruct a transaction when the information is spread across multiple systems.

By storing all information in one central system, you simplify and streamline the process of obtaining relevant data, allowing you to define specific segments as needed. With automated processes for granting access, you can easily provide authorities and customers access to the relevant data.

 

2. Achieving complete compliance with regulations

Many compliance managers worry about whether or not their company fully complies with regulations, as even a small breach may have major consequences.

Here are three recurring concerns:

  1. Uncertainty as to whether or not all permitted communication channels are recorded and stored correctly, and if data can be easily retrieved.

  2. Risk of lost recordings, especially with regard to email. Many companies entrust each broker and advisor with storing all relevant emails in a specific location or synchronizing their inbox with the CRM system daily. This requires a lot of manual work, puts a lot of responsibility on individuals, and makes it difficult for compliance officers to verify the information.

  3. Risk of unauthorized access to recordings and information. All data should be encrypted and securely stored, and only be accessible to the company’s control function, i.e. compliance officers.

 

3. Acquiring adequate documentation

Adequate documentation of compliance efforts is the alpha and omega when supervisory authorities come knocking. And yet, many compliance officers find it challenging to provide proof of their approach and routines.

Three challenges, in particular, are giving compliance officers headaches:

  1. Documenting compliance may be challenging
    Because it is not realistic to assume that a compliance officer will have time to review and control every single conversation between a broker and a potential client, the logical option is to use a risk-based approach to identify and prioritize potential breaches. This may be a challenging and very time-consuming process without a smart system for automating risk management and data-driven prioritization.

  2. Whitelisting across multiple channels is difficult
    Whereas most compliance managers can whitelist specific telephone numbers, many cannot whitelist sources in other channels, such as email addresses, chat IDs, etc. This makes it difficult to comply with regulations on avoiding surplus information.

  3. Documenting customer complaints is time-consuming
    Documenting customer complaints often takes up far too much of a compliance officer's time. In some cases, addressing a complaint requires the compliance officer to collect all recorded data relating to a specific customer relationship, a task made even more tedious if information from different channels is stored in separate systems. Additionally, a lack of filtering options may result in sifting through a large surplus of irrelevant information.

 

4. Ensuring complete audit trails

In addition to monitoring multiple communication channels, many compliance managers have to spend a significant amount of time ensuring complete audit trails, as well as generating reports.

The more fragmented the information, the more difficult it becomes to refer to a complete audit trail. Storing all data in one central system will simplify the task of verifying the audit trail and streamline the reporting process.

A good compliance system should include an automated reporting solution that gives compliance officers access to integrated and efficient reporting tools, as well as ready-made report templates that make generating and sharing incident reports simple.

 

5. Creating an internal compliance culture

Although the task of ensuring compliance with all laws, rules, and requirements ultimately falls on the compliance department, the responsibility is shared by all employees in the company. A company-wide compliance culture is crucial for ensuring quality at all levels, but developing such a culture requires both time and effort.

Clear guidelines, good routines, sufficient staff training, and top-down commitment are key elements of creating a proactive attitude towards compliance work in the organization.

 

Questions to reflect on:

  • Does your company employ a risk-based approach in your compliance work?
  • How efficient is your process of gathering and preparing all the necessary data for generating reports?
  • Is your recording system making your workday easier or more difficult?

 



SECTION 5: COMPLIANCE TIPS

5 steps for streamlining your compliance efforts


Streamlining your compliance efforts requires a detailed and actionable plan. Here are five reliable steps you can follow to optimize your efficiency, based on our own experience from the industry and experiences shared by our clients.

 

Step 1: Get an overview of available channels

To ensure compliance with MiFID II, Dodd-Frank, and other regulations, you must get a complete overview of all channels your company uses to communicate with customers and verify that your internal regulations and routines for recording and storing data include these channels.

You may manage communication channels in one of two ways:

  1. You can make sure that all relevant communication through a specific channel is recorded and stored appropriately.
  2. You can make these channels inaccessible as a means of communication.

Keep in mind that the regulations specify that the requirements for recording data include all communication that may lead to the provision of investment services or the exercise of investment activities.

 

Step 2: Store data from multiple channels in one central system

One of the main challenges for compliance officers is to get an overview of all contact points between multiple people on both sides of a transaction, spread across a wide array of communication channels. 

This is especially true if that information is stored in different systems depending on what channels have been used to communicate.

The only sustainable solution to get a complete overview is to have one central system that enables you to collect, store, search and replay all forms of communication.

A centralized system makes it easier to create a complete audit trail because compliance officers can search across multiple channels to verify that all interactions have been handled appropriately.

 

Step 3: Record all interactions with stored data

Data security – and more specifically how data is stored and processed – is central to both financial regulations and the GDPR. According to the regulations, no one should be able to change or delete data in an audit trail.

Sensitive information shall only be available to the person, or persons, who constitute the company’s control function. Therefore, you must use a system that can document who has access to what information, how the data is stored, and for how long this data will be stored.

Additionally, your system should offer a "Data Life Management" function that ensures that the data is stored for exactly the period specified by the regulations, and tracks who has accessed and/or retrieved data throughout its life cycle.

 

Step 4: Automate risk management and reporting

By using a centralized system for recording all communication channels, you have the option to prioritize and automate communication monitoring based on data-driven risk assessment. The system should be able to identify deviating trading patterns, or particularly exposed transactions, such as first-time purchases or high-volume agreements.

Additionally, you should have access to standard information about your customer, which broker they spoke to, when the conversation took place and what they talked about across all channels, in one single interface, enabling you to add comments, tag important segments and classify the different conversations for quick retrieval at a later date.

The system should also enable you to generate templates for compliance reports that provide additional information and contribute to more efficient reporting.

 

Step 5: Whitelist surplus information

Regulations require you to avoid storing surplus information. To comply with these requirements, compliance officers need smart whitelisting features that enable them to easily define what to record, and what not to record.

There are two main types of whitelisting:

  • Global whitelisting: This includes communication with local services such as car services, takeaway restaurants, and the café on the corner. Additionally, recording calls to emergency services is prohibited.
  • Private whitelisting: Communication with friends, family, and relatives.

These are typical examples of surplus information that should be filtered out before recording, and not deleted afterward. This can be achieved by entering phone numbers, email addresses, chat IDs, and employee IDs.

 

Questions to reflect on:

  • How can you implement these steps to streamline your compliance efforts?
  • Do you have access to a system that offers smart tools and functions to aid your proactive compliance work?

 



SECTION 6: GUARDREC® COMPLIANCE

Streamline your compliance efforts with guardREC® Compliance

Streamline your efforts with guardREC® Compliance

guardREC® Compliance is a centralized data management and recording system designed and developed for and by compliance officers within the banking and financial services to ensure proactive compliance.

Get a complete overview

guardREC® Compliance enables the storage of communication data from multiple channels in one centralized system that provides you with a complete overview of all sources and ensures compliance with relevant regulations and directives.

Optimize your risk-based approach

guardREC® Compliance provides compliance officers with powerful, customizable dashboards and a range of options to highlight vital information – helping you with identifying and managing potential risks and breaches before they have a chance to develop.

Work smarter

Our Compliance Comments tool enables in-system note-taking and collaboration while auditing. Save valuable time switching between applications, while keeping critical compliance notes within the system – accessible for authorized users only. 

Effective documentation for inspection

Spend less time retrieving, collecting, and sharing data with customers or financial supervisory authorities upon request.

Powerful whitelisting functionalities and automated reporting

guardREC® Compliance comes with powerful whitelisting functionalities that work across all channels. Additionally, the automated reporting solution provides you with effective, built-in reporting tools, pre-populated templates, and a simple structure allowing you to easily produce and share incident reports with just a few clicks of a button. 

 


Learn more about guardREC® Compliance

guardREC® Compliance is a centralized compliance solution specifically designed for financial services to support all relevant requirements and regulations. The guardREC® Compliance solution includes state-of-the-art compliance functionality enabling financial services to assure regulatory compliance in an easier, less complex, and far more cost-effective way. 

  • Ensure regulatory compliance
  • Global view of all communications data
  • Review queues
  • Risk detections
  • Automatic transcription
  • Compliance dashboard
  • Automatic reporting

 


Why Choose guardREC®

Robust and Reliable

The guardREC® recording solution is the most robust and reliable system on the market – providing high stability and ensuring constant compliance. Choose whether to keep your data stored in-house, on-site, or opt for our secure cloud-based storage.

Built-in Connectivity

The future-proof guardREC® recording and replay solution comes with a multitude of built-in integrations with other systems and technologies – giving you unparalleled flexibility when choosing a set-up that covers all your needs.

World Class Customer Support

Our world-class customer support team provides you with the security and assistance you need – regardless of where you are located. Quick response times and rapid resolution of critical incidents ensure minimal downtime and maximum efficiency.
