Regulated Companies, Give Your Employees the Communications Tools They Want

February 16, 2018

By Robert Cruz

It’s no secret that there are plenty of business, legal and regulatory risks associated with social media and collaboration apps in regulated industries. “Stealth” social media and collaboration accounts going undetected by IT departments could potentially put regulated companies in peril if IP is leaked or communications can’t be retrieved for discovery in the event of a lawsuit. With this in mind, IT, security and compliance professionals in regulated companies usually divide communications channels into two buckets: 1) those that can’t be archived and monitored, and thus should be blocked, and 2) ones used by employees to conduct company business, all of which have use policies, audit capability and archiving applied to work-related accounts.

But contrary to what seems like conventional wisdom to many folks in these industries, that first bucket should be fairly empty, reserved only for ephemeral messaging apps like Snapchat that by their very nature can’t be archived. It might seem like we’re breaking convention by loosening the reins when it comes to what tools employees can use to connect with clients, but when you think about it, preventing the use of consumer-facing apps and services like Facebook, Twitter, WhatsApp, Instagram and the like is actually far from wise.

Companies should rely less on blocking the installation and access of apps and accounts—this is rarely effective because determined employees often find their way around virtual walls. Instead, companies should strive to enable, not inhibit, the use of tools employees and customers are most comfortable with in and out of the workplace.

This is especially true of the younger generations, which, unlike many regulated-industry veterans, do not use email as their primary mode of communication. They’ve connected to the world through the aforementioned consumer options for so long that it will cause more problems than it solves to block access to these channels during work hours.

Similarly, BYOD is a fact of life for all generations, so although you address one problem by issuing separate work smartphones, you create another for your employees, who have to juggle multiple devices and do their best to keep friends, family, coworkers and clients on their respective appropriate lines.

So how can regulated organizations empower their charges to take advantage of nearly all of the tools found in consumer and work environments without compromising compliance and security? Here are some finer points.

Capture and Search Should Suit Today’s Channels

It’s tempting to limit employees to enterprise solutions like Slack, Jabber and Yammer for messaging and social-networking needs; IT and compliance get more control and deal with less data. However, managers, client reps and clients want Facebook, LinkedIn, Twitter and Instagram, so face it, you must enable these options, which means you are on the hook to capture and archive all material posts, messages, comments, attachments, embedded files and the like.

But how do you comb through terabytes of data for relevant information? Here is where many organizations get tripped up. Traditional archiving solutions are built for email, in that they utilize text docs or other static means to store data. This simply won’t work for organizations that are expected to quickly get to the heart of an issue during an investigation, or as part of discovery.

Modern archiving solutions preserve posts, messages, comments and links in their native form. They preserve moment-in-time communications in their full context. Most important, they can recreate an entire cross-channel conversation, including edits and deletes to posts, in their order. For example, a trader may discuss a transaction with a client over email, add that client to a LinkedIn discussion about the commodities in question, later edit or delete a comment in the thread and then ultimately resume the conversation with the client by phone. Firms must be able to recreate all of that activity in order, along with exact time stamps for each activity, which static archives can’t do.

Stakeholders Want Their Phones, Not Yours

To sanction personal smartphone use, firms should start by giving employees a separate work phone number that can be deployed on an existing personal device, not a separate phone itself. This is an option for regulated firms in large part because similar archiving technology used to capture, record, store and analyze landline conversations can be used for voice and text activity conducted via a number ported to a personal phone. Sure, it’s possible an employee could accidentally text or call someone from the “wrong” number, but the same risk is present if the employee has separate devices.

As is the case with social media channels, archiving solutions must operate in a manner that makes finding and laying out these communications easy, should regulators come calling. Content should be captured and archived contextually from beginning to end in an easy-to-view format, and organized into logical conversation threads. This is especially critical for financial services firms operating in the EU because MiFID II requires this capability, and voice capture has arguably posed the most difficulties for MiFID II compliance.

Focus on Policy, Not Technology, for Prevention of Rogue Communication

True, there’s always the risk that employees circumvent approved channels, but that possibility will also exist if you block these technologies outright. A better route would be to set stiff penalties for those who try to do so, and explain them clearly to staff. You are better off having use of these channels out in the open with rules that prevent inappropriate information sharing or problematic intra-company interaction (e.g., traders and researchers at investment houses).

When it comes to the challenge of supporting all types of communications tools in the enterprise, regulated companies should be ready to tackle, not block.

 
