
5 Questions Compliance Should Be Asking About GDPR

Is Your Organization Ready — Or at Risk?

How would you rate your organization’s GDPR readiness? Hanzo CEO and Chairman Kevin Gibson offers five questions every compliance officer should be considering ahead of next May’s deadline for GDPR compliance. Specializing in heavily regulated industries, Hanzo is the world leader in the legally defensible capture, preservation and analysis of web and social content. Herein Kevin provides some concrete guidance on compliance in the face of the data protection regulations.

On May 25, 2018, the European Union (EU) will see a seismic shift in data security practices as the General Data Protection Regulation (GDPR) takes effect. Proactively working toward GDPR compliance before the deadline may be the difference between smooth or choppy waters, as any failure to comply with GDPR exposes organizations to fines of up to €20 million (US $23.5 million) or 4 percent of global revenue — whichever is higher. This is true not only for organizations headquartered in the EU, but also for any entity around the world whose business involves providing goods and services to EU citizens and therefore is privy to their personally identifiable information (PII).

Knowing the answers to five key questions will prove essential to becoming and remaining GDPR compliant and avoiding both fines and potential loss of business.

#1: What personal data is stored?

GDPR covers personal data, and this data will vary by company. It includes names, addresses, telephone numbers and account numbers, as well as email and IP addresses. PII data can be client data, but it can also be employee data. This data can be stored in disparate repositories.

While most organizations are aware of PII that may be stored in their ERP and corporate systems, many aren’t cognizant of the volume of PII that comes into their system via web platforms and software brought to the table by their own employees (“BYOS”). This data needs to be taken into account in preparing for GDPR compliance.

#2: Where does PII and other data reside?

It’s easy for corporations and corporate compliance officers to become tied up in the intricacies of GDPR and forget that we are increasingly moving into a world in which property rights are attached to information. GDPR is a further step in that direction, and accordingly, organizations must decide where individual types of data, including different categories of PII, will be stored and processed — as well as when consent will be required to process or otherwise utilize data, and who must provide that consent. They must then establish and maintain a “map” that clarifies the whereabouts of each type of data and the parameters for handling it.

Wherever it is stored, data should reside only where corporate policy dictates. Employees who are aware of PII or whose job responsibilities involve working with PII must also be made to understand that they cannot share it indiscriminately, and organizations will need to determine which information lies inside and outside the data “fences” they establish.

Case in point: A corporation whose employees leverage a web-based collaborative platform to enhance their productivity must decide whether it’s permissible for others to share a colleague’s telephone number on that platform, or if that phone number belongs inside a more secure fence. Mapping the whereabouts of individual categories of data and procedures for handling and storing it bodes well for corporations in that it constitutes proof that they have made every reasonable effort to protect data that requires protection and to remain GDPR compliant.

#3: What is our data breach protocol?

The increasing sophistication of hackers and the strong potential for unintentional and intentional mishandling of data by employees make a data breach inevitable for most, if not all, companies. Consequently, corporations’ data breach protocols should set forth preventive measures that support GDPR compliance. For example, a corporation that utilizes a flexible, web-based collaborative platform could “bake in” compliance by establishing a protocol that entails archiving the contents of that platform. In the event of a data breach, the archived content would serve as proof that sensitive data is not visible.

Support for compliance might also be achieved by configuring the system to generate alerts when sensitive data that doesn’t belong there, such as PII, appears. Steps to remove the data can then be taken before more serious compliance-related issues arise.

Moreover, in the era of GDPR, effective data breach protocol doesn’t simply prescribe “patching” a data repository where the breach occurred. Rather, it dictates planning for and committing to certain actions aimed at remediation, such as describing the nature and likely consequences of the data breach, along with proposed measures to mitigate its possible adverse effects. Once again, a “map” of data’s whereabouts plays a critical role here; with such a map in hand, corporations should experience no difficulty identifying which data was breached and where the breach occurred. Those that lack the answers to these questions will encounter far more dire consequences, no matter the extent of the data breach.

#4: Do we have a data privacy policy, and what are its components?

A data privacy policy is an imperative for corporations in light of GDPR and the fact that property rights apply to PII under the GDPR umbrella. Employees must know the boundaries of acceptable behavior when it comes to handling data, and customers want and need to understand exactly what an entity will do to protect their PII.

Every data privacy policy should:

  • Clearly state the company’s information practices — explaining how it operates with regard to data and what it does with each type of data. This should be presented in simple terms, rather than couched in multiple pages of legalese that neither employees nor customers may fully comprehend.
  • Note individuals’ right to opt out of sharing their PII for internal use, as well as for use by third-party companies.
  • State that individuals may access any of their own PII in the company’s records and have the right to modify or delete this PII, even data that appears on websites.
  • Clarify the company’s serious stance on data security, stipulating that it will continue to invest time, effort and financial resources in enforcing data security policies and safeguarding their PII. This includes harnessing high-quality technology tools to protect data.

#5: Is our privacy policy up to date?

The framework of the GDPR will likely change and evolve. Corporations must keep an eye on that framework and alter their privacy policies accordingly.

Corporations and compliance officers who underestimate the will of EU authorities to enforce the GDPR regulations do themselves and their organizations a great disservice. Conducting periodic compliance risk assessments is a sound business practice anytime, but assuming a proactive stance now with these questions as a roadmap is a far more prudent approach on the cusp of great change.

The post 5 Questions Compliance Should Be Asking About GDPR appeared first on Corporate Compliance Insights.


Don’t Overlook This Aspect of the GDPR

What Compliance Professionals Need to Know About Employee Data

The deadline for the General Data Protection Regulation (GDPR) is on the horizon, and a customer’s information is not the only thing that should be on a compliance practitioner’s radar. After all, the mishandling of an employee’s information can pose as much financial risk. It is therefore important to understand the potential GDPR issues, from extended rights and burden of proof to social media snafus and the need for defined policies.

Heads up: There’s more to the General Data Protection Regulation (GDPR) and GDPR compliance than meets the eye. That’s because the regulation — which takes effect on May 25, 2018 — doesn’t simply cover personally identifiable information (PII) belonging to the customers of corporate and government entities that are headquartered and/or do business in the European Union (EU). It also applies to employee PII which, as with customer PII, encompasses everything from telephone numbers to gender preferences.

Neglecting to address the employee PII aspect of the GDPR is not simply foolhardy; it puts organizations at risk for financial repercussions. EU authorities have a record of imposing penalties for noncompliance with mandates, and of doing so early on. Their approach to the GDPR will be no exception. But just as significant, in today’s economic climate, PII is increasingly viewed as a valuable commodity and as individuals’ personal property. Employees and former employees want control over this property and will undoubtedly capitalize on opportunities to gain it as afforded by the GDPR. Accordingly, it’s important to clarify key issues surrounding the GDPR and employee data.

Extended Rights

Right to Request Fair Processing Notices: The GDPR grants extended data access and control rights to current and past employees. Employers must provide current and prospective employees with detailed fair processing notices that specify what personal data they collect, as well as how they process each type of data, what they will do with it and how long they will maintain it. Fair processing notices should also specify the rights of employees to data portability/access and erasure, as outlined below.

Right of Portability: Employees and former employees have the right to request that a free copy of any of their PII in an entity’s files be provided to them or a third party. The document must be machine-readable (i.e., in a format that can be read by a computer).

Right of Erasure: Employers and former employers can be asked to remove or erase from their records any PII that is no longer necessary. For instance, an individual who leaves a company can request that his address be stricken from the files. Individuals also have the right to request the removal or erasure of personal data when they object to its processing and when they withdraw consent to process it.

Burden of Proof

Current employees typically make few data erasure requests, especially if they themselves have shared the information (for example, on a collaboration tool). Employees who are involved in litigation with a company or who are otherwise disgruntled — and likely no longer on the payroll — are more apt to do so, however.

Regardless of employees’ status, companies and governments are required to document and furnish proof that they have deleted data as requested. They must also ensure that any third party with which the information was shared (for example, a contractor) does the same.

Equal Treatment

Employers must be prepared to treat employee PII as they would customer PII. For all employers, this means performing an assessment to determine what employee PII they have, as well as where in their systems it is stored and to which areas of their operation it is related. The extent of such data and the scope of the assessment will vary, largely in accordance with the volume of communication among employees across one physical plant or multiple locations around the globe.

Some employee PII (e.g., structured data contained in employee and payroll records and emails) is typically easy to find during assessments. Unstructured data (e.g., PII shared via Wikis and web-based collaboration platforms) may be more difficult to uncover.

Regardless, knowing what PII exists within systems and its location is half the battle. Once this has been accomplished, it is possible for employers to determine the extent of their employee PII “problem” and address it appropriately rather than to underreact or overreact to it.

Social Media Snafus

Be it chatbots, platforms such as Facebook and Instagram or a combination thereof, almost all organizations use some form of social media to engage with existing and potential customers — and employees will share their PII there. Employee PII is also shared on internal social platforms such as Slack and, for the purpose of promoting a company or recruiting new employees, on LinkedIn and its ilk. Under the GDPR, organizations must, when requested, find and possibly delete this information — even if it resides in old systems they no longer use or in the archives of expired contact pages.

The breadth of such data is almost unfathomable; for example, it extends to personal information shared among colleagues in a casual conversation on an internal social platform. This makes awareness of precisely what PII an entity has in its possession and where that information is ever more critical.

Location, Location, Location

Locating employee PII — not deleting it — is the real burden of GDPR compliance. The volume of employee PII contributes to this burden. So, too, does the fact that the GDPR gives individuals the right to request that any entity at which they are or have been employed reveal exactly what information about them it maintains, where it maintains the information and how the information is used. The best approach here entails implementing a highly automated process (e.g., software tools) for locating employee PII and maintaining a map of its whereabouts. Such a step will allow employers to satisfy the burden of compliance at a reasonable cost.

Strategic management of employee PII also means deploying information management tools and/or engaging professionals to address GDPR compliance issues now — not just before the regulation goes into effect. Bucking the compliance challenge will otherwise be difficult at best.

Pervasive Policies

Employers need defined policies that govern how and where PII is shared and by whom, particularly on social media. These policies should be pervasive, applying organizationwide to reduce the risk of noncompliance with the GDPR. Large companies may find that they have no single set of information governance policies, and — again to minimize noncompliance risks — should put uniform policies in place.

The GDPR will continue to pose challenges for organizations to which it applies. However, common sense and mindfulness of the issues discussed here will go a long way toward facilitating compliance and minimizing risk.


4 Questions to Help Prepare for the GDPR

Information Management vs. Information Governance

Do you know the difference between information governance and information management? Kevin Gibson of Hanzo outlines four questions to differentiate between the two concepts. The details below can also help to shape your organization’s policies related to GDPR compliance.

“Information management” and “information governance” are one and the same. Or are they? The answer is “no” — and it’s important to understand the difference between the two. This is especially so given the General Data Protection Regulation (GDPR), slated to take effect in the European Union (EU) on May 25, 2018. Reviewing the answers to the following four questions can help clarify the intricacies of information management and information governance, as well as help create information management and information governance policies that best support GDPR compliance.

#1: How are “information management” and “information governance” defined, and how do they differ?

Information management is the process of handling information throughout its lifecycle. This lifecycle includes the acquisition of data from various sources, its custodianship and its distribution, as well as its disposition through deletion or archiving based on information governance policies. Information that requires management ranges from very simple, structured data that can be easily stored and searched using basic algorithms (e.g., customer histories) to unstructured data (e.g., data shared via social media and collaboration platforms).

While information management centers on action, information governance is proactive. It encompasses the technologies, policies, processes and strategies used by organizations to minimize risk by adhering to industry and legal regulations while simultaneously meeting their business needs and objectives. Thus, information governance strategies cover control over information creation, valuation, use, storage and deletion.

#2: Why is information governance as critical a component of organizations’ business strategy as information management?

Information governance provides the structure and rules — in other words, the framework — necessary to effect information management. Without these elements, it would be impossible to mitigate risk. For example, organizations that run afoul of the GDPR can face stiff fines when a breach in any of their systems exposes personally identifiable information (PII) associated with any EU citizen — whether customer or employee. However, if an organization’s information governance policy calls for using technology designed to safeguard PII, the risk of a data breach is lessened. There is also the additional bonus of cost savings stemming from that reduced risk.

Trust is part of the equation as well. Stakeholders as a whole (customers and employees) have increasingly come to view PII as a valuable commodity, worthy of protection. They demand that organizations treat their PII as such, and organizations in turn want them to trust that this is the case. Earning and maintaining that trust all comes down to good information governance.

#3: How should information management processes be configured or changed to foster GDPR compliance?

The type and volume of PII data in organizations’ custodianship will vary based on the nature of their business. However, compliance with the GDPR necessitates having in place information management processes that facilitate remaining “on top” of the PII lifecycle, no matter how much data exists and into which PII subcategory it falls. For all organizations, at all times, this means knowing what data they have and precisely where that data can be found.

Complying with the GDPR is easier when information management processes are created or modified to include the process of pinpointing and “mapping out” the whereabouts of individual categories of data. This supports compliance by making it easy to figure out whether or not data that should not be exposed is safe behind the “fence” of an appropriate repository and to rectify the situation if needed.

Under the GDPR, organizations are also required, when asked or following a breach of their systems, to prove that they have made every reasonable effort to protect data that warrants protection. When mapping is part of organizations’ information management processes, furnishing such proof is easy.

#4: How should information governance practices be laid out, in general and to facilitate compliance with the GDPR?

In general, information governance practices should align with business goals and objectives. For example, organizations may, in an effort to strengthen engagement with their best customers, want to structure certain data repositories to make it easier to access data pertaining to “preferred” clientele. Exploring a few key issues will help here as well. These encompass, but are not necessarily limited to, the importance — or unimportance — of all individual pieces of data to running the business and how the data will be used on a regular basis.

Meanwhile, to support compliance with the GDPR, information governance policies should dictate how and where customer and employee PII is shared and by whom. Organizations would also do well to carefully craft policies that specify how they will fulfill requests made by “data subjects” (i.e., customers and employees) in keeping with rights extended to them under the GDPR. For instance, the GDPR gives data subjects the right to ask that their PII be removed from any company system, even if they themselves have shared it and/or the platform is no longer in active use.

Finally, solid information governance practices allow for built-in GDPR compliance facilitated by technology. Such technology includes solutions that detect the presence of PII in systems or on platforms where it should not reside and automatically extract it without impacting functionality or users.

Creating and maintaining comprehensive information management procedures and information governance policies alike has always been important for organizations of all sizes, but some haven’t fully embraced the process. With the GDPR less than one year away, moving forward on this front now — rather than later — is more important than ever.


BYOS: Mitigating the Risks of Shadow IT’s New Twist

BYO Software, BYO Vulnerabilities

The shadow IT phenomenon—in which employees use their personal technology on the job—looms larger than ever. The latest twist: bring your own software.

First up was the bring-your-own-device (BYOD) movement, with employee-owned smartphones, tablets and laptops replacing company-owned devices in the workplace. Now there is a newer shadow IT twist—bring your own software (BYOS). In this increasingly popular model, employees download and utilize software, apps and the like—in some 99 out of 100 cases, web-based—for such work-related purposes as collaborating or exchanging information with colleagues.

Like its BYOD counterpart, the BYOS model affords employees the flexibility to use the tools that best help them fulfill their responsibilities, in turn increasing productivity and benefiting corporations’ bottom lines. But as is true of BYOD, BYOS also opens doors for significant risks, making risk mitigation a must for all corporations that embrace it to any extent.

The Risks

What, exactly, do organizations risk when they embrace BYOS? Governance-, litigation- and compliance-related complications rank at the top of the list. Quite often, corporations are unaware that certain data resides in employee-acquired software until such data is found during the discovery stage and/or in the midst of litigation. Negative consequences can ensue here. For one case of which we are aware, in-house corporate counsel was deeply involved in discovery before learning that data pertaining to pending litigation could be found on a collaboration platform that had been downloaded by an employee. This revelation was an extremely unwelcome surprise—and it had a poor impact on the case itself.

Additionally, companies can, as a result of BYOS, experience leaks of intellectual property or expose data that is mandated to be protected—e.g., personally identifiable information (PII) pertaining to customers or employees. The risk of PII disclosure from BYOS merits particular attention in light of the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. The regulation applies to PII that belongs to the customers and employees of corporate (and government) entities that are headquartered and/or do business in the European Union (EU). Fines for violating the GDPR will be stiff—up to €20 million ($23.5 million U.S.) or 4 percent of global revenue, whichever is higher.

Policies and Procedures

Mitigating BYOS risk begins with analyzing where the most significant vulnerabilities lie, which workflows lead to them and what individual platforms are meant to help employees to accomplish. With this in mind, organizations can formulate policies that govern the type of software employees can bring to the workplace and those they cannot, as well as how BYOS “products” are to be used.

Nonetheless, policies cannot completely eliminate the potential risks of permitting employees to download software to any device for use in the course of their work. Why? In certain instances, employees are so tempted by the ease of downloading and experimenting with software tools prior to purchasing them that they fail to consider whether accepting so-called “try before you buy” offers from vendors would violate corporate BYOS policy. Some circumvent policies, either unintentionally or based on the belief that they need the software to get their work done, no matter what the rules dictate.

Moreover, it is not uncommon for employees to inadvertently store data and/or make data accessible to others when it should not be so. For instance, employees communicating socially on a BYOS platform may move into a work-related discussion and, in the course of connecting, add sensitive customer information to the system, where it remains and can be accessed by anyone. Although policies might prevent employees from utilizing a certain type of software, they cannot prevent them from sharing or keeping data purely by accident.

The Technology Edge

Thus, technology is an essential weapon when it comes to shadow IT. Risks inherent in BYOD can be partially mitigated through BYOD management and monitoring software. On the BYOS side, corporations should implement survey and collection solutions or leverage them in software-as-a-service (SaaS) mode. Such solutions support BYOS risk mitigation by harnessing artificial intelligence to determine what data has been shared and on which software platform, as well as by collecting legally defensible data as necessary. Data can be archived for later retrieval during eDiscovery and for other purposes, again minimizing exposure to BYOS-induced risk. It can also be easily located, so that it may be promptly deleted from the system when an employee, former employee, or customer makes such a request in keeping with the Right of Erasure afforded by the GDPR.

Without harnessing survey and collection solutions, it is difficult, if not impossible, to render software discoverable and compliant. If a corporation is unaware that BYOS in the form of an app, Wiki, collaboration platform or other software exists and that certain data resides within it, such discoverability and compliance cannot be achieved—the “unknown,” as it can be called, continues to exist.

Organizations can also benefit from adding another layer of risk mitigation by harnessing technology that permits them to regularly execute “discovery crawls.” Through these crawls, they can determine which new software platforms employees have brought to the table and, if warranted, take action to foster compliance with BYOS policies.

Shadow IT will, without a doubt, continue to present new risks to organizations as it evolves. Understanding and addressing these risks with a combination of policies and technology constitutes the best approach for minimizing existing vulnerabilities and limiting the negative effects of emerging ones.

The Secret to Avoiding FINRA Fines

Be Proactive About Data Handling

Compliance with FINRA and similar regulations can pose serious challenges to organizations. Understanding and learning to navigate these potential challenges will go a long way in avoiding excess fines for non-compliance.

The numbers are staggering: Last year, the Financial Industry Regulatory Authority (FINRA) brought 1,434 disciplinary actions against registered individuals and firms and levied $176.3 million in fines for non-compliance with its regulations. The agency also ordered $27.9 million in restitution to harmed investors.

Though some of these fines may have been unavoidable, others could likely have been circumvented had the organizations involved been more proactive in their approach to adherence to FINRA’s rules. Such a stance extends to the manner in which data is handled. With a deeper understanding of this issue, companies can increase their potential to steer clear of financial repercussions resulting from FINRA violations. That understanding starts with the answers to four key questions.

  1. It has been said that the issue of FINRA and FINRA compliance surrounding data creates a real conundrum for financial firms. Why is this so?

Financial firms have seen a marked increase in internet use for conducting investment research and tracking account details, internally and by customers. At the same time, the growing population of “digital natives” (i.e., millennials) who want little or nothing to do with using paper-based systems is establishing a strong presence in the financial products and services markets.

Companies want to cater to this new customer demographic, as well as to better serve all clients, by providing them with both the accurate, personalized real-time information they demand and the tools through which to access it (e.g., social media platforms and online investment calculators, to name a few). At the same time, they want to avoid running afoul of FINRA regulations.

Moreover, unlike the information conveyed by financial entities in printed literature, statements and other traditional communication vehicles shared with existing and prospective customers, this information is dynamic rather than static. Interest rates and other details change often—even by the hour. Calculations and projections vary in accordance with such factors as individual customers’ assets. Other parameters differ by state and country.

  2. What is entailed in FINRA compliance when it comes to customer interaction and the sharing of information with clients and prospects?

Under FINRA, organizations must be able to furnish proof of exactly what information they have conveyed to customers and prospects at any time, be it investment projections, transaction records, terms and conditions, details of available products and more. FINRA also puts the onus on companies to preserve records of customers’ journeys to making financial decisions on their websites. This includes individuals’ use of online investment calculators, access to terms and conditions and harnessing of any other interactive website features.

Proof of steps taken by analysts to conduct online research—for instance, web searches related to a particular set of possible trades—also must be retained and made accessible to regulators on request.

  3. What are the most significant steps firms can take to foster FINRA compliance and avoid fines?

The most significant step toward FINRA compliance and fine avoidance includes implementing a solution that enables collection, preservation and retrieval of legally defensible data related to all social media and online interactions on individual screens and web pages. This encompasses interactions that occurred on public-facing platforms and internal collaboration tools, as well as on internal websites. Such a solution should also facilitate the archiving of internal and external emails, and of all documentation pertaining to trades and the research that preceded them.

In addition to supporting FINRA compliance itself, the right archiving solution reduces the cost of compliance by decreasing the time needed to respond to regulators’ demand for information.

It benefits organizations to choose a solution that provides archives in a native format, so every archived replica of documents, platforms, web pages and customer journeys is legally defensible. Such legal defensibility is a cornerstone of FINRA compliance.

  4. What are other best practices that organizations can implement to decrease the likelihood of violating FINRA regulations and facing subsequent financial repercussions?

Companies can also benefit from being proactive about data management, consistently collecting and archiving new data as it is generated and as it changes, rather than in “fits and starts.” This way, all data that should be gathered and stored will be so, with no inadvertent oversights. Even tools that are provided to customers must be archived with each change. Investment calculators comprise a good example. Analyzing existing archives for any potential FINRA violations is also a good idea.

Following both of these practices not only makes it easier to comply with FINRA rules, it also facilitates cooperation with regulators should an investigation of possible non-compliance be launched.

One final note: Along with financial services companies that are headquartered in Europe, U.S. firms that maintain operations within the European Union (EU) will want to apply at least some of the above technology recommendations to compliance with the Markets in Financial Instruments Directive (MiFID). Applicable across the EU since November 2007, MiFID is a critical element in the EU’s regulation of financial markets. Fines for non-compliance with MiFID can be as steep as those for non-compliance with FINRA regulations.

The post The Secret to Avoiding FINRA Fines appeared first on Corporate Compliance Insights.

5 Strategies CEOs Can Apply to Avoid Record-Breaking FINRA Fines

Fines Are Skyrocketing; Make Preparations While You Can

The prospect of record-breaking fines for noncompliance with regulations set by the Financial Industry Regulatory Authority (FINRA) continues to loom large for financial organizations and their CEOs. Executives should take a proactive approach to dodging the FINRA fines bullet. Read on for five practical compliance strategies.

  1. Go Back to Basics

CEOs—and other executives of financial products and services firms, for that matter—tend to grow flustered when thinking about avoiding FINRA fines. They worry about whether they are addressing the right areas first and if their companies have the tools and technology necessary to achieve compliance. The more they try to determine answers to these questions, the more confused they become.

However, there is a better approach. It involves a return to the basics: simply taking a look at what FINRA wants financial firms to do—i.e., to maintain high-caliber, legally defensible records of their activities and communications with customers—and doing it. CEOs must step back and think about what their organization should be doing, and why—irrespective of technology. The objective of this approach is not merely to steer clear of financial repercussions for failure to comply with FINRA regulations, but to earn the trust and confidence of the financial community. CEOs who eschew simplicity here will only find themselves—and their organizations—falling down the rabbit hole, so to speak.

  1. Consider FINRA’s Top Enforcement Issues

As a complement to zeroing in on the basics mentioned above, one should know in which areas FINRA is focusing its enforcement efforts and levying the bulk of its fines. In 2016, these areas included money laundering, variable annuities, trade reporting, books and records and unregistered securities.

Money laundering merits particular attention, given the ever-closer link between matters of national security and financial trust. International crime and tax evasion are an increasing concern, and companies’ compliance or lack thereof with anti-money laundering (AML) requirements will, therefore, become more of a focus. This is especially so because financial crime is easier to track and investigate than many other activities. Nefarious actors can communicate using covert means, but the money must move in some way—and it is not difficult to see how.

Still, more can be done with technology in order to support AML efforts. Technology options for addressing money laundering are expanding rapidly, and a focus on this area should include making room in the budget for that technology.

  1. Address the Gap Between Requirements for Regulatory Compliance and the Human Resources Available to Handle Them

The number of mandates set forth by FINRA and other regulatory agencies continues to grow and their scope continues to broaden. Clearly, CEOs cannot sanction the expense of expanding their companies’ workforces to fully accommodate such change.

Significant investment is now being made in governance, risk and compliance (GRC) from a technology development perspective, and many financial organizations are earmarking funds for these solutions. CEOs should keep an eye on the GRC technology stack. Sketching out potential deployment options now will ensure that their companies do not become the last to adopt the necessary tools, which could make them more prone to violating FINRA’s rules, even inadvertently.

  1. Ensure Thorough Documentation of Customers’ Web-based Journeys

FINRA regulations stipulate that companies must capture information about and retain records of their customers’ journeys as they research financial products and make financial decisions on company websites. It is incumbent on CEOs to ensure that such documentation is comprehensive, boosting the trust and confidence of the financial community and making any details requested by FINRA in the course of an investigation readily available to examiners. The key: recording and archiving not only customers’ access to product/service descriptions along with terms and conditions but also their use of online investment calculators and other interactive web features.

Vigilance in archiving every aspect of and step in customers’ journeys is especially important given companies’ need to cater to an ever-expanding cadre of “digital natives.” These customers expect—if not demand—that financial firms leverage sophisticated digital assets to share information about their offerings.

Moreover, by supporting the practice of archiving every customer journey from start to finish, CEOs help to foster their companies’ compliance with the newest version of the Markets in Financial Instruments Directive (MiFID II). MiFID II also mandates recordkeeping when it comes to the steps customers take as they learn about and decide on financial products. The directive applies across the European Union (EU) from January 3, 2018 (its original January 2017 start date was pushed back a year), and it covers both financial services companies based in Europe and U.S. firms that maintain operations in the EU.

  1. Avoid Being Lulled into Thinking that FINRA and Other Regulatory Agencies are Not Serious About Compliance

Focus on compliance tends to occur in waves that crest when high-profile cases concerning violations come to light and recede at other times. Nonetheless, a degree of vigilance is always good practice.

Financial firms now have access to many tools that facilitate such vigilance. In recent years, there has been a shift toward cloud-based tools. These tools are easy to sign up for and belong to an ecosystem of solutions that integrate with each other; as a result, they are easier to use than their standalone counterparts. When making technology investments to enable such vigilance, CEOs should ensure that their chosen tools include eDiscovery capabilities.

Not all FINRA fines can be avoided. However, applying the five strategies outlined above is a giant step in the right direction.

The post 5 Strategies CEOs Can Apply to Avoid Record-Breaking FINRA Fines appeared first on Corporate Compliance Insights.

Why You Need to Worry About FINRA

Feeling Invincible Is Ignoring Reality

The Financial Industry Regulatory Authority flies under the radar for many organizations. Being fully aware of the violations it pursues and their consequences can prevent unneeded issues.

“It won’t touch us.” Such is the position of many organizations when it comes to the Financial Industry Regulatory Authority (FINRA). Rather than keeping FINRA firmly on their radar screen, these organizations downplay its power and their own vulnerability, believing themselves immune to the potential for violating FINRA rules and facing the consequences. However, gambling on this immunity is dangerous at worst and foolhardy at best, for several reasons.

  1. The incidence of disciplinary actions remains on an upswing and is broadening in scope.

In 2016, FINRA successfully brought a total of 1,434 disciplinary actions against registered individuals and firms, up from a mere 173 in 2008. A record 27 of these disciplinary actions involved individual compliance officers, with at least one such action exemplifying FINRA’s heightened enforcement of such simple duties as updating industry registration forms to include current information. In this instance, Allen Holeman, the former chief compliance officer of Oppenheimer & Co. and now chief compliance officer of David Lerner Associates, was fined $10,000 and suspended for 30 business days for “willful” failure to disclose $116,000 in tax liens on his U-4 registration forms and on annual firm compliance questionnaires.

Additionally, as a result of its disciplinary actions, FINRA expelled 24 firms from the securities industry last year. Twenty-six firms and 727 brokers were suspended from securities industry participation during that same interval, with 517 individuals barred from associating with FINRA-regulated firms.

  1. Financial repercussions for violations continue to increase.

In 2016, FINRA levied a record $176.3 million in fines and ordered $27.9 million in restitution to harmed investors. Of these fines, 29 exceeded $1 million, up from 23 in 2014 and 21 in 2015.

However, fines represent just the tip of the iceberg where the financial consequences of FINRA violations are concerned. Firms found to be in violation—intended or unintended—also incur significant expenditures related to customer loss and reputational damage. Additionally, there is the steep cost of marketing and public relations initiatives necessary for companies to repair their reputation and regain their position in the market.

  1. The movement of money is becoming a national security issue, as well as a market regulation issue.

As a result of this development, FINRA is paying heightened attention to firms’ compliance with regard to anti-money laundering (AML) procedures and programs. FINRA’s actions in May 2016 against a broker-dealer for failures pertaining to AML procedures at two of its divisions demonstrate that it is indeed sharpening its AML teeth and is unafraid to use them.

Specifically, Raymond James & Associates Inc. (RJA) received a fine of $8 million and Raymond James Financial Services Inc. (RJFS) a fine of $9 million, both for failure to establish and implement adequate AML procedures. This, FINRA alleged, rendered both divisions unable to properly prevent, detect, investigate and report suspicious activity for several years.

FINRA also claimed that the broker-dealer had failed to conduct the requisite due diligence and periodic risk reviews for foreign financial institutions and that its AML compliance officer (AMLCO), who was handed a separate $25,000 fine and a three-month suspension, had neglected to ensure that such reviews had been executed. The company’s failure to establish and maintain an adequate customer identification program (CIP) was cited as well.

  1. Size doesn’t matter.

Flippancy as to the power of financial regulatory bodies, the importance of adherence to rules and the possible end results of noncompliance was doubtless a catalyst in the demise of such major financial industry players as Lehman Brothers and Arthur Andersen. There is no getting around the fact that just as “it” happened to them, “it” could happen to any other company in the market, regardless of size.

  1. Customer expectations demand compliance.

The financial industry is built largely on trust. In following regulations set forth by FINRA and demonstrating that they are doing so, organizations engender that trust among their customers. Just as travelers would likely hesitate to patronize airlines that flout Federal Aviation Administration (FAA) regulations, customers will not feel comfortable conducting business with financial firms that do not take FINRA seriously.

In short, there is no denying that FINRA requires the support of the companies and industry it regulates. As such, it behooves leaders to remain abreast of developments in technology and to invest in updates of their companies’ technology to foster compliance. It is equally critical to hire and leverage the right human resources across all departments so that the proper procedures and modifications can be implemented as needed.

Think of FINRA as you do the referees who work the sidelines at sporting events. Everyone shouts at the men in black and white striped shirts, but they are needed to ensure the game continues as it should—and they can be neither ignored nor scoffed at any stage of the game.

The post Why You Need to Worry About FINRA appeared first on Corporate Compliance Insights.

Retiring Enterprise Applications: 4 Key Considerations

Out With The Old, In With The New

In the digital arena, it’s “out with the old, in with the new” as technological advancements increasingly compel companies to replace enterprise applications with next-generation ones. However, the process of retiring older applications—from deciding which should be retained in an archive and which should be disposed of, to managing the archiving process and beyond—cannot be executed in anything but the most methodical manner, or problems will ensue.

This necessitates considering and formulating answers to four key questions:

  1. What is our policy for retiring enterprise applications?

Retired enterprise applications can be destroyed or archived, and common sense should dictate the policy that governs their disposal. In many instances, archiving is imperative.

Any application containing data that a company may need to access—in the case of litigation, regulatory request and so on—falls in the archiving category. For example, customer-facing websites can serve as proof of what information was shared with customers during the customer journey. Other examples include external social media applications, collaboration platforms used in developing products and intellectual property.

Internal enterprise applications containing data that could be needed in a labor or employee-related litigation should also be maintained in the organization’s archives instead of being destroyed. Wikis and similar applications utilized by the human resources department rank at the top of the list here.

Any policy that governs the retirement of enterprise applications should also include checkpoints for when the retirement will occur and for what duration archived enterprise applications should be maintained. Common sense and individual company requirements will play a part in setting these parameters and other factors may come into play. Case in point: Companies are typically mandated to wait seven years before discarding copies of retired enterprise applications that may give rise to regulatory requests for a response. Nonetheless, the actual time frame may vary based on the individual regulation in question.

  1. What might happen if we fail to archive the enterprise applications?

Failure to produce business records when asked to do so can put organizations at a grave legal disadvantage. Suppose a company is involved in litigation and cannot substantiate its claims or defense because the pertinent business records existed in an enterprise application that was destroyed following its retirement. At best, the organization would be in a significantly weaker position to emerge victorious in court. At worst, it could incur financial penalties and reputational damage or in extreme cases, like that of Enron and Arthur Andersen, implode entirely.

The more a company is unable to properly defend itself in legal or regulatory matters, because it no longer has access to the information needed to do so, the more it will develop a reputation for poor record-keeping. Such organizations will eventually become a greater focus of regulatory investigations and more subject to litigation than those that can produce records on demand. They will also be more likely to lose cases that they may have won if they had presented archived information in court.

The absence of certain records may also complicate internal matters. For example, suppose a company’s human resources department is attempting to determine how a particular issue was handled in the past. If the necessary information existed in a Wiki which was destroyed on retirement rather than archived, discord rather than efficient problem-solving could be the end result.

  1. Who will be accountable for the enterprise application retirement process?

Companies, especially large companies that operate in multiple locations and have many moving parts, must appoint a responsible party to oversee enterprise application retirement initiatives. This means ensuring that the policy and plan are enforced across the board and with no exception. It also means keeping the corporate compliance department abreast of all plans to retire enterprise applications and move to new ones, whether they are individual solutions or entire platforms.

  1. Who will handle archiving initiatives, and how should they occur?

For best results, organizations should engage a professional archiving firm. Such a firm should have the credentials and ability to create legally defensible, native archives of each enterprise application. In cases where it may not be necessary to archive the entire application, the firm should be able to provide guidance as to which data should be maintained. Determining this ahead of time and proceeding accordingly is critical: data that was removed from the enterprise application before archiving occurred cannot be recreated, and any attempt to reconstruct it after the fact invalidates the archive and compromises the company’s credibility.

Organizations will continue to embrace new applications, moving from solution to solution and from platform to platform as new digital capabilities and use cases emerge. Those that carefully map out and follow procedures for migrating to new digital applications stand the best chance of avoiding the consequences of poor decisions and the ability to make a smooth transition.

The post Retiring Enterprise Applications: 4 Key Considerations appeared first on Corporate Compliance Insights.


Countdown to the GDPR

What Compliance Should Be Doing Now

CCI has covered the General Data Protection Regulation (GDPR) extensively, and by now most readers may know that the deadline for GDPR compliance is barreling toward us. Kevin Gibson walks us through what businesses must do to prepare.

May 25, 2018, the day on which the General Data Protection Regulation (GDPR) takes effect, is fast approaching. Some firms have been proactively working toward GDPR compliance, which is wise given that failure to do so exposes organizations to fines of up to €20 million (US $23.5 million) or 4 percent of global revenue — whichever is higher. However, it appears that a majority of firms whose business requires them to comply with GDPR have yet to do so and are instead waiting to take action until just before the deadline or worse, after it passes. Such procrastination is ill advised. The GDPR compliance countdown, as outlined here, should start now.

4… Get motivated by understanding the consequences of waiting to address GDPR preparations.

The GDPR is designed to safeguard the privacy and security of personally identifiable information (PII) belonging to citizens of the European Union (EU). If previous efforts to enforce regulations are any indication, European authorities will immediately impose penalties on any company that is found to be in violation of the new rule. Pandemonium will ensue when this occurs, with a long queue of other EU citizens initiating their own attempts to recover damages for noncompliance.

The longer this queue becomes, the greater the number of organizations that will simultaneously scramble for resources to assist them in navigating the road to GDPR compliance and overcoming any obstacles they encounter. As more companies reach out for these resources, organizations’ difficulty in engaging the right services will increase. Additionally, as the shortage of competent GDPR-compliance resources increases in scope, so too will the price of their services.

3… Develop a GDPR compliance plan.

The GDPR clearly specifies how organizations that maintain and/or process PII must handle that data. This includes everything from requirements for storing and safeguarding the security of customer and employee PII to responding to requests that PII be deleted from companies’ records. It also encompasses documenting and furnishing proof that companies have followed through on requests for PII deletion and that the data no longer resides on a particular system or set of systems. And that is just the beginning.

Companies must formulate a plan stipulating their intended method of satisfying all requirements set down under the GDPR. For instance, what measures will they take to ensure that customers’ PII is never exposed on their website? How will they respond to employee requests for PII erasure? How will they know where particular data resides? Who will be accountable for ensuring that PII that should not be exposed is not exposed? Who will be responsible for GDPR compliance as a whole? Without such a plan, organizations will find themselves frantically improvising as they go along — and quite possibly, making decisions or taking actions that could have financial or other repercussions.

2… Locate and engage appropriate resources.

Small organizations (i.e., those with just a few individuals on their payroll and a limited number of EU citizens on their customer roster) will likely not require as much assistance in attaining GDPR compliance as their larger counterparts. However, all companies will need some help with GDPR preparations, whether in implementing the proper tools and utilities for identifying, controlling, analyzing and acting on web, social and collaborative content or in deploying technology that maintains audit trails around GDPR compliance.

No matter their size, companies should, when choosing from among resources, limit their selection to those whose capabilities support all aspects of GDPR compliance. Organizations with multiple data repositories and operations in various geographic locations should be certain to engage only those resources that can provide a solution for finding the same data in more than one system, so that if it must be erased, it is erased from all systems rather than just one. All companies should also ensure that their resources offer tools that make the whereabouts of all data in the PII category — structured data, unstructured data and web data — easily evident, whether it resides in an ERP or corporate system, on a web platform or even in employee-owned software.

1… Assess compliance levels.

By early May, at the very latest, companies should be at a stage where they are performing dummy tests to assess their degree of GDPR compliance and making any necessary adjustments before the rush. Such assessments should walk through the process of responding to different GDPR-related requests, for example an employee’s request to be furnished with information about what the organization does with his PII, or a request that the data be expunged from the company’s records, in every system where it resides. Also worth including are spot checks of various data repositories to make certain that PII is not exposed or accessible where it should be protected by access controls rather than publicly reachable.
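The procedure the countdown describes (locate a data subject's PII in every repository, erase it everywhere, keep proof of the erasure, and spot-check stores that should hold no PII) can be rehearsed against sample data. The following is an added illustration, not code from the article or from any vendor: the three repositories, the public-site pages, the record layouts and the proof format are all constructed assumptions, and real systems would be queried through their own APIs rather than as in-memory lists.

```python
"""Locate, erase and prove erasure of one data subject's PII across several
repositories, then spot-check a public store for leaked PII.

Added example for the GDPR countdown above; repositories, records and the
proof layout are constructed assumptions, not any regulator's prescribed format.
"""
import copy
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample repositories: a CRM export, an HR wiki and web-form
# submissions (including an investment-calculator input tied to an e-mail).
REPOSITORIES = {
    "crm": [
        {"id": 1, "name": "Ana Mueller", "email": "ana.mueller@example.com", "ip": "203.0.113.7"},
        {"id": 2, "name": "Ben Okafor", "email": "ben.okafor@example.com", "ip": "198.51.100.4"},
    ],
    "hr_wiki": [
        {"page": "onboarding/ana", "author": "ana.mueller@example.com", "body": "Phone 555-0101"},
    ],
    "web_forms": [
        {"submitted": "2018-02-01", "email": "Ana.Mueller@example.com", "calc_input": 12000},
        {"submitted": "2018-02-03", "email": "ben.okafor@example.com", "calc_input": 5000},
    ],
}

# Constructed public web pages that should never carry PII; page 1 leaks an address.
PUBLIC_SITE = [
    {"url": "/calculator", "html": "<p>Try our investment calculator</p>"},
    {"url": "/support", "html": "<p>Contact ana.mueller@example.com for help</p>"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sample_repos():
    """Fresh deep copy so erasure runs can be repeated on clean data."""
    return copy.deepcopy(REPOSITORIES)


def record_mentions(record, subject_email):
    """True if any string field of the record carries the subject's e-mail (case-insensitive)."""
    needle = subject_email.lower()
    return any(isinstance(v, str) and needle in v.lower() for v in record.values())


def locate(repos, subject_email):
    """Map repository name -> indexes of every record mentioning the subject.
    Repositories with no hits are omitted, so an empty dict means 'nowhere'."""
    found = {}
    for name, rows in repos.items():
        idxs = [i for i, r in enumerate(rows) if record_mentions(r, subject_email)]
        if idxs:
            found[name] = idxs
    return found


def erase(repos, subject_email, now=None):
    """Remove the subject's records from every repository and return a proof record.

    The proof keeps only a pseudonymised subject reference and SHA-256 digests
    of the removed records, so the company can later show what was erased and
    where without retaining the PII itself. (A keyed hash would be used in
    practice so the digests cannot be reversed by guessing e-mail addresses.)"""
    removed = []
    for name, idxs in locate(repos, subject_email).items():
        for i in sorted(idxs, reverse=True):          # pop from the end to keep indexes valid
            rec = repos[name].pop(i)
            digest = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
            removed.append((name, digest))
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "subject": hashlib.sha256(subject_email.lower().encode()).hexdigest(),
        "erased_at": ts,
        "removed": removed,
        "post_check": locate(repos, subject_email),   # must be {} for a complete erasure
    }


def spot_check(records):
    """Flag records of a store that should hold no PII but contain e-mail or IPv4 literals."""
    hits = []
    for i, rec in enumerate(records):
        text = json.dumps(rec)
        kinds = [k for k, rx in (("email", EMAIL_RE), ("ip", IPV4_RE)) if rx.search(text)]
        if kinds:
            hits.append((i, kinds))
    return hits


if __name__ == "__main__":
    repos = sample_repos()
    print("located:", locate(repos, "ana.mueller@example.com"))
    print("proof:", json.dumps(erase(repos, "ana.mueller@example.com"), indent=2))
    print("public-site leaks:", spot_check(PUBLIC_SITE))
```

The `post_check` field is the part a practitioner should insist on: an erasure that only ran against one system leaves it non-empty, which is exactly the multi-repository failure the article warns about.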

Blastoff.

Admittedly, not all companies will be entirely positioned for GDPR by the coming deadline in May. However, the closer to the countdown they can come, the smoother the sailing for all parties concerned.

The post Countdown to the GDPR appeared first on Corporate Compliance Insights.

Cryptocurrency Challenges and Opportunities

Leveraging Compliance to Build Regulator and Customer Trust

Bitcoin and other cryptocurrencies continue to gain ground as investors buy in, looking for high returns, and as acceptance of it as payment takes hold. However, with such growth come risks and challenges that fall firmly under the compliance umbrella and must be addressed in a proactive, rather than reactive, manner.

Cryptocurrency Challenges

One of the greatest challenges faced by the cryptocurrency industry is its volatility and the fact that the cryptocurrency markets are, unlike mainstream currency markets, a social construct. Just as significantly, all cryptocurrency business is conducted via the internet, placing certain obstacles in the path of documentation. The online nature of cryptocurrency leads many, especially regulators, to remain dubious of its legitimacy and suspicious that it is used primarily for nefarious purposes, such as money-laundering and drug trafficking, to name a few.

This leaves companies that have delved into cryptocurrency with an onerous task: building trust among regulators and customers alike, with the ultimate goal of fostering cryptocurrency’s survival. From a regulatory standpoint, building trust involves not only setting policies and procedures pertaining to the vetting of customers and the handling of cryptocurrency transactions and trades, but also leveraging technology to document and communicate them to the appropriate parties. Earning regulators’ trust also means keeping meticulous records rendered legally defensible by technology. Such records should detail which procedures for vetting customers were followed; when, by whom and in what jurisdiction the vetting took place; and what information was shared with customers at every step of their journey.

On the customer side, records must document the terms of all transactions and the messages conveyed to customers throughout their journey. Records of what customers were told regarding how a company handles its cryptocurrency transactions and any measures it takes to ensure the legitimacy of activities connected with transactions should be maintained as well.

Once regulators are made privy to detailed records, they will become more confident in the legitimacy of individual companies’ cryptocurrency activities. They will trust that companies are acting in good faith and will be easily able to differentiate good actors from bad actors, based on the transparency of records and the lack of opacity with regard to revealing information. The same will be true of customers, increasing their inclination to invest their funds in cryptocurrency rather than using their funds for other purposes.

Beyond Recordkeeping

While meticulous recordkeeping and a lack of opacity will go a long way toward reducing some of the risk inherent in cryptocurrency dealings, compliance departments must also grapple with regulatory issues. Notably, money services businesses — among them, financial institutions — are required to comply with regulations and laws set forth in the Bank Secrecy Act of 1970. This includes Anti-Money Laundering (AML) requirements and Know Your Customer (KYC) rules.

The procedures mandated within AML requirements and KYC rules are intended to afford financial institutions and similar entities an enhanced knowledge and understanding of their customers in general, as well as of those clients’ financial activities. Thus, they are rather complex, involving not only the collection and analysis of basic identification data, but a search for known nefarious actors by name-matching against lists of known parties. These procedures also entail deeper examination to determine individuals’ propensity to commit money laundering, engage in identity theft for the purpose of supporting nefarious activities funded by cryptocurrency or utilize cryptocurrency to finance terrorist activities.

Not surprisingly, completing the steps needed to remain in compliance with AML requirements and KYC rules is a time-consuming endeavor. At best, the process spans two to three days, but it often takes a week before all the boxes can be checked off. However, cryptocurrency is a volatile instrument whose price can change drastically from one day to another as compliance departments work through AML and KYC procedures. Should prices move in the wrong direction, companies will encounter frustration, anger and other negative reactions from potential customers, placing companies in jeopardy of losing these individuals’ business.

Just as solutions harnessed for recordkeeping help to build regulator and customer trust in the cryptocurrency market, technology can play a role in overcoming some AML- and KYC- related challenges. Solutions that automate the procedures mandated under AML requirements and KYC rules hasten the completion of necessary investigations and follow-up, thereby reducing the likelihood of losing customers. They also support more thorough investigations than would otherwise be feasible, bringing to light important information (e.g., patterns of activity that indicate possible plans to use cryptocurrency toward a less-than-scrupulous end) while simultaneously reducing costs.

Additionally, the technology enables companies to keep more detailed accounts of steps taken to investigate their prospective cryptocurrency customers as prescribed by AML requirements and KYC rules. With comprehensive records in hand, it is easier to build a robust legal defense in court, should the need arise. Ready access to comprehensive records that can be shared with regulators and will doubtless increase their trust also bodes well for companies.

In fact, the combined advantages of solutions for automating AML and KYC compliance make these solutions worth investing in heavily. Such automation could even allow players in the cryptocurrency industry to become better at compliance than their counterparts in the mainstream financial services market.

Cryptocurrency and the cryptocurrency market do not enjoy a guarantee of support equal to that given to mainstream financial institutions. It is incumbent upon companies and their compliance officers to act as exemplars of best practices (i.e., engendering trust, exercising proper governance and leveraging technology along the way) for the good of the cryptocurrency industry now and in the future.

The post Cryptocurrency Challenges and Opportunities appeared first on Corporate Compliance Insights.

Navigating MiFID II Compliance Waters

Easing the Burden for Financial Services Firms

Financial services firms that are headquartered or do business with customers in the European Union (EU) have been subject to the Markets in Financial Instruments Directive (MiFID) since it took effect in November 2007. But now there is a new wrinkle: an enhanced version of this cornerstone of capital markets regulation, known as MiFID II, which needs to be addressed with a combination of technology and common sense.

General Goals and Requirements

MiFID II was designed primarily to further strengthen investor protection and improve the functioning of financial markets by rendering them more efficient, resilient and transparent. The list of rules set forth by this legislation is extensive, but in a nutshell, MiFID II requires that financial firms act with honesty, fairness and professionalism at all times and in the best interests of their clients. Should questions about a trade or transaction arise or regulators approach firms with potentially credible complaints of malfeasance, the institutions must demonstrate that they understood clients’ investment criteria and offered suitable recommendations, promoted products that correlated with individual customers’ needs and investment objectives and shared relevant reports with their clients.

To promote the fulfillment of these objectives and requirements, MiFID II also includes recordkeeping and surveillance mandates. Firms must record all communications that are “intended to lead to a transaction,” including, but not limited to, electronic communications via email, social media platforms, wikis and collaborative tools such as Slack. Records are to be made available to clients for five years and to regulators for up to seven years, so all parties may reference them and so that transactions and employee behavior during client interactions can be analyzed by regulators or the firms themselves. Only durable media that cannot be altered or deleted — e.g., Write-Once-Read-Many (WORM) — may be used to store such records and they must be searchable, as well as available upon request.

Addressing Recordkeeping Requirements

While the recordkeeping requirements contained in MiFID II appear to be straightforward, attaining and maintaining compliance with them may prove complicated for most financial industry players. Virtually all communication is moving to the web, with a vast majority of customers demanding to receive information about everything they purchase — including financial instruments — online, rather than in written form. A personalized approach to sales is the name of the game; generic information, such as that found in brochures, no longer suffices. Moreover, firms are being compelled to offer a wider array of products across myriad investment classes — in fact, even mainstream companies are exploring cryptocurrency.

For most if not all firms, successfully grappling with such challenges — and remaining MiFID II-compliant on the recordkeeping front — will require deploying technology that allows for the capture of a rich compilation of information and for the creation of legally defensible — i.e., unalterable — records. Every step and aspect of a customer’s journey, as well as the content of every conversation with employees and every online interaction, must be documented. The same is true of interaction and contact that occurs via an app or with a chatbot.

But there is more to the equation than even this. The capabilities of this technology must transcend capturing the investment calculator accessed on a website. It should be capable of producing records that also detail which stage of the customer journey the client had reached when a particular interaction occurred, along with what investment advice was given. Archiving solutions should also allow companies to document which vehicle (e.g., human, chatbot, web search) was used to convey information, as well as which products and alternatives were offered.

Easing the MiFID II Compliance Burden

To supplement solutions that facilitate recordkeeping, firms might also consider technology which, by virtue of its features, lessens the logistical and financial burden of MiFID II compliance. Solutions that bake in one or more aspects of compliance — for instance, by automating the capture of the customer journey — are one key example. Also falling under this umbrella is technology that decreases the time customers need to purchase or receive financial products and services and that also minimizes the friction they encounter in doing so. Case in point: solutions that automate the steps entailed in adherence to the know your customer (KYC) and anti-money laundering (AML) requirements implemented to regulate the cryptocurrency space.

No matter how firms opt to leverage technology in addressing MiFID II, following a few best practices when choosing from available solutions will make compliance with the legislation an easier task. Perhaps most significantly, companies will need to select technology offerings that are “future-proof” and adaptable to a changing financial landscape. Why? The number of channels through which firms are sharing information with prospective and existing customers continues to increase, as does the volume of information being communicated. Companies will be unable to maintain a competitive edge unless their technology grows along with them.

Firms in the midst of deploying technology to foster MiFID II compliance should compare their solution deployment plans to initiatives undertaken by companies of a similar size, rather than those by larger organizations. In many ways, the technology needs of small companies differ significantly from those of their larger counterparts. Larger firms may find themselves unable to scale certain solutions to meet their needs, and vice versa.

Finally, it is imperative that firms invest in the best technology their budgets will bear. This demonstrates to customers that their money is taken seriously — and to regulators that MiFID II compliance is high on the firm’s radar. And that is, without question, where it should remain.

The post Navigating MiFID II Compliance Waters appeared first on Corporate Compliance Insights.

Don’t Overlook This Aspect of the GDPR


What Compliance Professionals Need to Know About Employee Data

The deadline for the General Data Protection Regulation (GDPR) is on the horizon, and a customer’s information is not the only thing that should be on a compliance practitioner’s radar. After all, the mishandling of an employee’s information can pose just as much financial risk. It is therefore important to understand the potential GDPR issues, from extended rights and burden of proof to social media snafus and the need for defined policies.

Heads up: There’s more to the General Data Protection Regulation (GDPR) and GDPR compliance than meets the eye. That’s because the regulation — which takes effect on May 25, 2018 — doesn’t simply cover personally identifiable information (PII) belonging to the customers of corporate and government entities that are headquartered and/or do business in the European Union (EU). It also applies to employee PII which, as with customer PII, encompasses everything from telephone numbers to gender preferences.

Neglecting to address the employee PII aspect of the GDPR is not simply foolhardy; it puts organizations at risk for financial repercussions. EU authorities have a record of imposing penalties for noncompliance with mandates, and of doing so early on. Their approach to the GDPR will be no exception. But just as significant, in today’s economic climate, PII is increasingly viewed as a valuable commodity and as individuals’ personal property. Employees and former employees want control over this property and will undoubtedly capitalize on opportunities to gain it as afforded by the GDPR. Accordingly, it’s important to clarify key issues surrounding the GDPR and employee data.

Extended Rights

Right to Request Fair Processing Notices: The GDPR grants extended data access and control rights to current and past employees. Employers must provide current and prospective employees with detailed fair processing notices that specify what personal data they collect, as well as how they process each type of data, what they will do with it and how long they will maintain it. Fair processing notices should also specify the rights of employees to data portability/access and erasure, as outlined below.

Right of Portability: Employees and former employees have the right to request that a free copy of any of their PII in an entity’s files be provided to them or a third party. The document must be machine-readable (i.e., in a format that can be read by a computer).

Right of Erasure: Employers and former employers can be asked to remove or erase from their records any PII that is no longer necessary. For instance, an individual who leaves a company can request that his address be stricken from the files. Individuals also have the right to request the removal or erasure of personal data when they object to its processing and when they withdraw consent to process it.

Burden of Proof

Current employees typically make few data erasure requests, especially if they themselves have shared the information (for example, on a collaboration tool). Employees who are involved in litigation with a company or who are otherwise disgruntled — and likely no longer on the payroll — are more apt to do so, however.

Regardless of employees’ status, companies and governments are required to document and furnish proof that they have deleted data as requested. They must also ensure that any third party with which the information was shared (for example, a contractor) does the same.

Equal Treatment

Employers must be prepared to treat employee PII as they would customer PII. For all employers, this means performing an assessment to determine what employee PII they have, as well as where in their systems it is stored and to which areas of their operation it is related. The extent of such data and the scope of the assessment will vary, largely in accordance with the volume of communication among employees across one physical plant or multiple locations around the globe.

Some employee PII (e.g., structured data contained in employee and payroll records and emails) is typically easy to find during assessments. Unstructured data (e.g., PII shared via Wikis and web-based collaboration platforms) may be more difficult to uncover.

Regardless, knowing what PII exists within systems and its location is half the battle. Once this has been accomplished, it is possible for employers to determine the extent of their employee PII “problem” and address it appropriately rather than to underreact or overreact to it.

Social Media Snafus

Be it chatbots, platforms such as Facebook and Instagram or a combination thereof, almost all organizations use some form of social media to engage with existing and potential customers — and employees will share their PII there. Employee PII is also shared on internal social platforms such as Slack and, for the purpose of promoting a company or recruiting new employees, on LinkedIn and its ilk. Under the GDPR, organizations must, when requested, find and possibly delete this information — even if it resides in old systems they no longer use or in the archives of expired contact pages.

The breadth of such data is almost unfathomable; for example, it extends to personal information shared among colleagues in a casual conversation on an internal social platform. This makes awareness of precisely what PII an entity has in its possession and where that information is ever more critical.

Location, Location, Location

Locating employee PII — not deleting it — is the real burden of GDPR compliance. The volume of employee PII contributes to this burden. So, too, does the fact that the GDPR gives individuals the right to request that any entity at which they are or have been employed reveal exactly what information about them it maintains, where it maintains the information and how the information is used. The best approach here entails implementing a highly automated process (e.g., software tools) for locating employee PII and maintaining a map of its whereabouts. Such a step will allow employers to satisfy the burden of compliance at a reasonable cost.

Strategic management of employee PII also means deploying information management tools and/or engaging professionals to address GDPR compliance issues now — not just before the regulation goes into effect. Meeting the compliance challenge will otherwise be difficult at best.
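As an added example (not code from the article or from Hanzo), the following Python models what the Extended Rights, Burden of Proof and Location sections describe: a map of where each employee's PII lives, a machine-readable portability export, and an erasure that wipes the firm's own repositories, sends requests to third parties holding copies and keeps a tamper-evident proof log. All repository names, subject ids and record values are constructed.

```python
"""Added example, not code from the article or from Hanzo: a minimal employee-PII
data map handling GDPR portability and erasure requests with documented proof.
All repository names, subject ids and record values below are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Repository:
    """One place PII can live: an HR system, a collaboration platform, a contractor."""
    name: str
    third_party: bool = False                    # copies held by a processor we do not operate
    records: dict = field(default_factory=dict)  # subject_id -> {field_name: value}


class PIIMap:
    """Inventory of where each subject's PII is held, plus a hash-chained proof log."""
    def __init__(self, repos):
        self.repos = repos
        self.proof_log = []  # append-only; each entry commits to the previous one

    def locate(self, subject_id):
        """The 'where is it' question: repository name -> fields held for this subject."""
        return {r.name: sorted(r.records[subject_id])
                for r in self.repos if subject_id in r.records}

    def export(self, subject_id):
        """Right of portability: a machine-readable (JSON) copy of everything held."""
        held = {r.name: r.records[subject_id] for r in self.repos if subject_id in r.records}
        return json.dumps(held, sort_keys=True)

    def _log(self, event):
        """Append an entry whose hash covers its content and the previous entry's hash."""
        prev = self.proof_log[-1]["entry_hash"] if self.proof_log else "0" * 64
        entry = dict(event, prev_hash=prev, at=datetime.now(timezone.utc).isoformat())
        body = json.dumps(entry, sort_keys=True)
        entry["entry_hash"] = hashlib.sha256(body.encode()).hexdigest()
        self.proof_log.append(entry)
        return entry

    def erase(self, subject_id, fields=None):
        """Right of erasure: delete from our repos, ask third parties holding copies, log both."""
        actions = []
        for r in self.repos:
            targets = [f for f in r.records.get(subject_id, {}) if fields is None or f in fields]
            if not targets:
                continue
            if r.third_party:
                # We can only instruct the processor; the request stays open until confirmed.
                actions.append(self._log({"event": "erasure_requested", "repo": r.name,
                                          "subject": subject_id, "fields": targets}))
                continue
            for f in targets:
                del r.records[subject_id][f]
            if not r.records[subject_id]:
                del r.records[subject_id]
            actions.append(self._log({"event": "erased", "repo": r.name,
                                      "subject": subject_id, "fields": targets}))
        return actions

    def confirm_third_party(self, repo_name, subject_id):
        """Record a processor's confirmation that it deleted the subject's copies."""
        for r in self.repos:
            if r.name == repo_name and r.third_party and subject_id in r.records:
                del r.records[subject_id]
                return self._log({"event": "erasure_confirmed", "repo": repo_name, "subject": subject_id})
        return None

    def open_requests(self):
        """Erasure requests sent to third parties that have not been confirmed yet."""
        confirmed = {(e["repo"], e["subject"]) for e in self.proof_log
                     if e["event"] == "erasure_confirmed"}
        return [(e["repo"], e["subject"]) for e in self.proof_log
                if e["event"] == "erasure_requested" and (e["repo"], e["subject"]) not in confirmed]

    def verify_proof_log(self):
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.proof_log:
            body = json.dumps({k: v for k, v in e.items() if k != "entry_hash"}, sort_keys=True)
            if e["prev_hash"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def sample_map():
    """Constructed sample data: one former employee's PII spread over three systems."""
    return PIIMap([
        Repository("hr_payroll", records={"emp-1042": {
            "name": "A. Example", "address": "1 Sample St", "bank_account": "XX-0000"}}),
        Repository("collab_platform", records={"emp-1042": {"phone": "+00 000 0000"}}),
        Repository("payroll_contractor", third_party=True, records={"emp-1042": {
            "name": "A. Example", "bank_account": "XX-0000"}}),
    ])
```

Calling sample_map(), then erase("emp-1042") and open_requests(), shows the contractor's request left open until confirm_third_party is called, while verify_proof_log() fails as soon as any logged entry is altered.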

Pervasive Policies

Employers need defined policies that govern how and where PII is shared and by whom, particularly on social media. These policies should be pervasive, applying organization-wide to reduce the risk of noncompliance with the GDPR. Large companies may find that they have no single set of information governance policies, and — again to minimize noncompliance risks — should put uniform policies in place.

The GDPR will continue to pose challenges for organizations to which it applies. However, common sense and mindfulness of the issues discussed here will go a long way toward facilitating compliance and minimizing risk.


4 Questions to Help Prepare for the GDPR


Information Management vs. Information Governance

Do you know the difference between information governance and information management? Kevin Gibson of Hanzo outlines four questions to differentiate between the two concepts. The details below can also help to shape your organization’s policies related to GDPR compliance.

“Information management” and “information governance” are one and the same. Or are they? The answer is “no” — and it’s important to understand the difference between the two. This is especially so given the General Data Protection Regulation (GDPR), slated to take effect in the European Union (EU) on May 25, 2018. Reviewing the answers to the following four questions can help clarify the intricacies of information management and information governance, as well as help create information management and information governance policies that best support GDPR compliance.

#1: How are “information management” and “information governance” defined, and how do they differ?

Information management is the process of handling information throughout its lifecycle. This lifecycle includes the acquisition of data from various sources, its custodianship and its distribution, as well as its disposition through deletion or archiving based on information governance policies. Information that requires management ranges from very simple, structured data that can be easily stored and searched using basic algorithms (e.g., customer histories) to unstructured data (e.g., data shared via social media and collaboration platforms).

While information management centers on action, information governance is proactive. It encompasses the technologies, policies, processes and strategies used by organizations to minimize risk by adhering to industry and legal regulations while simultaneously meeting their business needs and objectives. Thus, information governance strategies cover control over information creation, valuation, use, storage and deletion.

#2: Why is information governance as critical a component of organizations’ business strategy as information management?

Information governance provides the structure and rules — in other words, the framework — necessary to effect information management. Without these elements, it would be impossible to mitigate risk. For example, organizations that run afoul of the GDPR can face stiff fines when a breach in any of their systems exposes personally identifiable information (PII) associated with any EU citizen — whether customer or employee. However, if an organization’s information governance policy calls for using technology designed to safeguard PII, the risk of a data breach is lessened. There is also the additional bonus of cost savings stemming from that reduced risk.

Trust is part of the equation as well. Stakeholders as a whole (customers and employees) have increasingly come to view PII as a valuable commodity, worthy of protection. They demand that organizations treat their PII as such, and organizations in turn want them to trust that this is the case. Earning and maintaining that trust all comes down to good information governance.

#3: How should information management processes be configured or changed to foster GDPR compliance?

The type and volume of PII data in organizations’ custodianship will vary based on the nature of their business. However, compliance with the GDPR necessitates having in place information management processes that facilitate remaining “on top” of the PII lifecycle, no matter how much data exists and into which PII subcategory it falls. For all organizations, at all times, this means knowing what data they have and precisely where that data can be found.

Complying with the GDPR is easier when information management processes are created or modified to include the process of pinpointing and “mapping out” the whereabouts of individual categories of data. This supports compliance by making it easy to figure out whether or not data that should not be exposed is safe behind the “fence” of an appropriate repository and to rectify the situation if needed.

Under the GDPR, organizations are also required, when asked or following a breach of their systems, to prove that they have made every reasonable effort to protect data that warrants protection. When mapping is part of organizations’ information management processes, furnishing such proof is easy.

#4: How should information governance practices be laid out, in general and to facilitate compliance with the GDPR?

In general, information governance practices should align with business goals and objectives. For example, organizations may, in an effort to strengthen engagement with their best customers, want to structure certain data repositories to make it easier to access data pertaining to “preferred” clientele. Exploring a few key issues will help here as well. These encompass, but are not necessarily limited to, the importance — or unimportance — of all individual pieces of data to running the business and how the data will be used on a regular basis.

Meanwhile, to support compliance with the GDPR, information governance policies should dictate how and where customer and employee PII is shared and by whom. Organizations would also do well to carefully craft policies that specify how they will fulfill requests made by “data subjects” (i.e., customers and employees) in keeping with rights extended to them under the GDPR. For instance, the GDPR gives data subjects the right to ask that their PII be removed from any company system, even if they themselves have shared it and/or the platform is no longer in active use.

Finally, solid information governance practices allow for built-in GDPR compliance facilitated by technology. Such technology includes solutions that detect the presence of PII in systems or on platforms where it should not reside and automatically extract it without impacting functionality or users.

Creating and maintaining comprehensive information management procedures and information governance policies alike has always been important for organizations of all sizes, but some haven’t fully embraced the process. With the GDPR less than one year away, moving forward on this front now — rather than later — is more important than ever.


BYOS: Mitigating the Risks of Shadow IT’s New Twist


BYO Software, BYO Vulnerabilities

The shadow IT phenomenon—in which employees use their personal technology on the job—looms larger than ever. The latest twist: bring your own software.

First up was the bring-your-own-device (BYOD) movement, with employee-owned smartphones, tablets and laptops replacing company-owned devices in the workplace. Now there is a newer shadow IT twist—bring your own software (BYOS). In this increasingly popular model, employees download and utilize software, apps and the like—in some 99 out of 100 cases, web-based—for such work-related purposes as collaborating or exchanging information with colleagues.

Like its BYOD counterpart, the BYOS model affords employees the flexibility to use the tools that best help them fulfill their responsibilities, in turn increasing productivity and benefiting corporations’ bottom lines. But as is true of BYOD, BYOS also opens doors for significant risks, making risk mitigation a must for all corporations that embrace it to any extent.

The Risks

What, exactly, do organizations risk when they embrace BYOS? Governance-, litigation- and compliance-related complications rank at the top of the list. Quite often, corporations are unaware that certain data resides in employee-acquired software until such data is found during the discovery stage and/or in the midst of litigation. Negative consequences can ensue here. In one case of which we are aware, in-house corporate counsel was deeply involved in discovery before learning that data pertaining to pending litigation could be found on a collaboration platform that had been downloaded by an employee. This revelation was an extremely unwelcome surprise—and it had a detrimental effect on the case itself.

Additionally, companies can, as a result of BYOS, experience leaks of intellectual property or expose data that is mandated to be protected—e.g., personally identifiable information (PII) pertaining to customers or employees. The risk of PII disclosure from BYOS merits particular attention in light of the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. The regulation applies to PII that belongs to the customers and employees of corporate (and government) entities that are headquartered and/or do business in the European Union (EU). Fines for violating the GDPR will be stiff—up to €20 million ($23.5 million U.S.) or 4 percent of global revenue, whichever is higher.

Policies and Procedures

Mitigating BYOS risk begins with analyzing where the most significant vulnerabilities lie, which workflows lead to them and what individual platforms are meant to help employees to accomplish. With this in mind, organizations can formulate policies that govern the type of software employees can bring to the workplace and those they cannot, as well as how BYOS “products” are to be used.

Nonetheless, policies cannot completely eliminate the potential risks of permitting employees to download software to any device for use in the course of their work. Why? In certain instances, employees are so tempted by the ease of downloading and experimenting with software tools prior to purchasing them that they fail to consider whether accepting so-called “try before you buy” offers from vendors would violate corporate BYOS policy. Some circumvent policies, either unintentionally or based on the belief that they need the software to get their work done, no matter what the rules dictate.

Moreover, it is not uncommon for employees to inadvertently store data and/or make data accessible to others when it should not be so. For instance, employees communicating socially on a BYOS platform may move into a work-related discussion and, in the course of connecting, add sensitive customer information to the system, where it remains and can be accessed by anyone. Although policies might prevent employees from utilizing a certain type of software, they cannot prevent them from sharing or keeping data purely by accident.

The Technology Edge

Thus, technology is an essential weapon when it comes to shadow IT. Risks inherent in BYOD can be partially mitigated through BYOD management and monitoring software. On the BYOS side, corporations should implement survey and collection solutions or leverage them in software-as-a-service (SaaS) mode. Such solutions support BYOS risk mitigation by harnessing artificial intelligence to determine what data has been shared and on which software platform, as well as by collecting legally defensible data as necessary. Data can be archived for later retrieval during eDiscovery and for other purposes, again minimizing exposure to BYOS-induced risk. It can also be easily located, so that it may be promptly deleted from the system when an employee, former employee, or customer makes such a request in keeping with the Right of Erasure afforded by the GDPR.

Without harnessing survey and collection solutions, it is difficult, if not impossible, to render software discoverable and compliant. If a corporation is unaware that BYOS in the form of an app, Wiki, collaboration platform or other software exists and that certain data resides within it, such discoverability and compliance cannot be achieved—the “unknown,” as it can be called, continues to exist.

Organizations can also benefit from adding another layer of risk mitigation by harnessing technology that permits them to regularly execute “discovery crawls.” Through these crawls, they can determine which new software platforms employees have brought to the table and, if warranted, take action to foster compliance with BYOS policies.

Shadow IT will, without a doubt, continue to present new risks to organizations as it evolves. Understanding and addressing these risks with a combination of policies and technology constitutes the best approach for minimizing existing vulnerabilities and limiting the negative effects of emerging ones.

The Secret to Avoiding FINRA Fines


Be Proactive About Data Handling

Compliance with FINRA and similar regulations can pose serious challenges to organizations. Understanding and learning to navigate these potential challenges will go a long way in avoiding excess fines for non-compliance.

The numbers are staggering: Last year, the Financial Industry Regulatory Authority (FINRA) brought 1,434 disciplinary actions against registered individuals and firms and levied $176.3 million in fines for non-compliance with its regulations. The agency also ordered $27.9 million in restitution to harmed investors.

Though some of these fines may have been unavoidable, others could likely have been circumvented had the organizations involved been more proactive in their approach to adherence to FINRA’s rules. Such a stance extends to the manner in which data is handled. With a deeper understanding of this issue, companies can increase their potential to steer clear of financial repercussions resulting from FINRA violations. That understanding starts with the answers to four key questions.

  1. It has been said that the issue of FINRA and FINRA compliance surrounding data creates a real conundrum for financial firms. Why is this so?

Financial firms have seen a marked increase in internet use for conducting investment research and tracking account details, internally and by customers. At the same time, the growing population of “digital natives” (i.e., millennials) who want little or nothing to do with using paper-based systems is establishing a strong presence in the financial products and services markets.

Companies want to cater to this new customer demographic, as well as to better serve all clients, by providing them with both the accurate, personalized real-time information they demand and the tools through which to access it (e.g., social media platforms and online investment calculators, to name a few). At the same time, they want to avoid running afoul of FINRA regulations.

Moreover, unlike the information conveyed by financial entities in printed literature, statements and other traditional communication vehicles shared with existing and prospective customers, this information is dynamic rather than static. Interest rates and other details change often—even by the hour. Calculations and projections vary in accordance with such factors as individual customers’ assets. Other parameters differ by state and country.

  2. What is entailed in FINRA compliance when it comes to customer interaction and the sharing of information with clients and prospects?

Under FINRA, organizations must be able to furnish proof of exactly what information they have conveyed to customers and prospects at any time, be it investment projections, transaction records, terms and conditions, details of available products and more. FINRA also puts the onus on companies to preserve records of customers’ journeys to making financial decisions on their websites. This includes individuals’ use of online investment calculators, access to terms and conditions and harnessing of any other interactive website features.

Proof of steps taken by analysts to conduct online research—for instance, web searches related to a particular set of possible trades—also must be retained and made accessible to regulators on request.

  3. What are the most significant steps firms can take to foster FINRA compliance and avoid fines?

The most significant step toward FINRA compliance and fine avoidance includes implementing a solution that enables collection, preservation and retrieval of legally defensible data related to all social media and online interactions on individual screens and web pages. This encompasses interactions that occurred on public-facing platforms and internal collaboration tools, as well as on internal websites. Such a solution should also facilitate the archiving of internal and external emails, and of all documentation pertaining to trades and the research that preceded them.

In addition to supporting FINRA compliance itself, the right archiving solution reduces the cost of compliance by decreasing the time needed to respond to regulators’ demand for information.

It benefits organizations to choose a solution that provides archives in a native format, so every archived replica of documents, platforms, web pages and customer journeys is legally defensible. Such legal defensibility is a cornerstone of FINRA compliance.

  4. What are other best practices that organizations can implement to decrease the likelihood of violating FINRA regulations and facing subsequent financial repercussions?

Companies can also benefit from being proactive about data management, consistently collecting and archiving new data as it is generated and as it changes, rather than in “fits and starts.” This way, all data that should be gathered and stored will be so, with no inadvertent oversights. Even tools that are provided to customers must be archived with each change. Investment calculators comprise a good example. Analyzing existing archives for any potential FINRA violations is also a good idea.

Following both of these practices not only makes it easier to comply with FINRA rules, it also facilitates cooperation with regulators should an investigation of possible non-compliance be launched.

One final note: Along with financial services companies that are headquartered in Europe, U.S. firms that maintain operations within the European Union (EU) will want to apply at least some of the above technology recommendations to compliance with the Markets in Financial Instruments Directive (MiFID). Applicable across the EU since November 2007, MiFID is a critical element in the EU’s regulation of financial markets. Fines for non-compliance with MiFID can be as steep as those for non-compliance with FINRA regulations.



5 Strategies CEOs Can Apply to Avoid Record-Breaking FINRA Fines


Fines Are Skyrocketing: Make Preparations While You Can

The prospect of record-breaking fines for noncompliance with regulations set by the Financial Industry Regulatory Authority (FINRA) continues to loom large for financial organizations and their CEOs. Executives should take a proactive approach to dodging the FINRA fines bullet. Read on for five practical compliance strategies.

  1. Go Back to Basics

CEOs—and other executives of financial products and services firms, for that matter—tend to grow flustered when thinking about avoiding FINRA fines. They worry about whether they are addressing the right areas first and if their companies have the tools and technology necessary to achieve compliance. The more they try to determine answers to these questions, the more confused they become.

However, there is a better approach. It involves a return to the basics: simply taking a look at what FINRA wants financial firms to do—i.e., to maintain high-caliber, legally defensible records of their activities and communications with customers—and doing it. CEOs must step back and think about what their organization should be doing, and why—irrespective of technology. The objective of this approach is not merely to steer clear of financial repercussions for failure to comply with FINRA regulations, but to earn the trust and confidence of the financial community. CEOs who eschew simplicity here will only find themselves—and their organizations—falling down the rabbit hole, so to speak.

  2. Consider FINRA’s Top Enforcement Issues

As a complement to zeroing in on the basics mentioned above, one should know in which areas FINRA is focusing its enforcement efforts and levying the bulk of its fines. In 2016, these areas included money laundering, variable annuities, trade reporting, books and records and unregistered securities.

Money laundering merits particular attention, given the ever-closer link between matters of national security and financial trust. International crime and tax evasion are an increasing concern, and companies’ compliance or lack thereof with anti-money laundering (AML) requirements will, therefore, become more of a focus. This is especially so because financial crime is easier to track and investigate than many other activities. Nefarious actors can communicate using covert means, but the money must move in some way—and it is not difficult to see how.

Still, more can be done with technology in order to support AML efforts. Technology options for addressing money laundering are expanding rapidly, and a focus on this area should include making room in the budget for that technology.

  3. Address the Gap Between Requirements for Regulatory Compliance and the Human Resources Available to Handle Them

The number of mandates set forth by FINRA and other regulatory agencies continues to grow and their scope continues to broaden. Clearly, CEOs cannot sanction the expense of expanding their companies’ workforces to fully accommodate such change.

Significant investment is now being made in the area of governance risk and compliance from a technology development perspective. Many financial organizations are earmarking funds for these solutions. CEOs should keep an eye on the governance risk and compliance technology stack. Sketching out potential deployment options now will ensure that their companies do not become the last to adopt the necessary tools, which could make them more prone to violating FINRA’s rules, even inadvertently.

  4. Ensure Thorough Documentation of Customers’ Web-based Journeys

FINRA regulations stipulate that companies must capture information about and retain records of their customers’ journeys as they research financial products and make financial decisions on company websites. It is incumbent on CEOs to ensure that such documentation is comprehensive, boosting the trust and confidence of the financial community and making any details requested by FINRA in the course of an investigation readily available to examiners. The key: recording and archiving not only customers’ access to product/service descriptions along with terms and conditions but also their use of online investment calculators and other interactive web features.

Vigilance in archiving every aspect of and step in customers’ journeys is especially important given companies’ need to cater to an ever-expanding cadre of “digital natives.” These customers expect—if not demand—that financial firms leverage sophisticated digital assets to share information about their offerings.

Moreover, by supporting the practice of archiving every customer journey from start to finish, CEOs help to foster their companies’ compliance with the newest version of the Markets in Financial Instruments Directive (MiFID 2). MiFID 2 also mandates recordkeeping when it comes to the steps customers take as they learn about and decide on financial products. The directive went into effect across the European Union (EU) on January 3, 2017, and applies to both financial services companies based in Europe and U.S. firms that maintain operations in the EU.

  5. Avoid Being Lulled into Thinking that FINRA and Other Regulatory Agencies are Not Serious About Compliance

Focus on compliance tends to occur in waves that crest when high-profile cases concerning violations come to light and recede at other times. Nonetheless, a degree of vigilance is always good practice.

Financial firms now have access to many tools that facilitate such vigilance. In recent years, there has been a shift toward cloud-based tools. These tools are easy to sign up for and belong to an ecosystem of solutions that integrate with each other; as a result, they are easier to use than their standalone counterparts. When making technology investments to enable such vigilance, CEOs should ensure that their chosen tools include eDiscovery capabilities.

Not all FINRA fines can be avoided. However, applying the five strategies outlined above is a giant step in the right direction.

The post 5 Strategies CEOs Can Apply to Avoid Record-Breaking FINRA Fines appeared first on Corporate Compliance Insights.

Why You Need to Worry About FINRA


Feeling Invincible is Ignorance to Reality

The Financial Industry Regulatory Authority is under the radar for many organizations. Being fully aware of the violations and their consequences can prevent unneeded issues.

“It won’t touch us.” Such is the position of many organizations when it comes to the Financial Industry Regulatory Authority (FINRA). Rather than keeping FINRA firmly on their radar screen, these organizations downplay its power and their own vulnerability, believing themselves immune to the potential for violating FINRA rules and facing the consequences. However, gambling on this immunity is dangerous at worst and foolhardy at best, for several reasons.

  1. The incidence of disciplinary actions remains on an upswing and is broadening in scope.

In 2016, FINRA successfully brought a total of 1,434 disciplinary actions against registered individuals and firms, up from a mere 173 in 2008. A record 27 of these disciplinary actions involved individual compliance officers, with at least one such action exemplifying FINRA’s heightened enforcement of such simple duties as updating industry registration forms to include current information. In this instance, Allen Holeman, the former chief compliance officer of Oppenheimer & Co. and now chief compliance officer of David Lerner Associates, was fined $10,000 and suspended for 30 business days for “willful” failure to disclose $116,000 in tax liens on his U-4 registration forms and on annual firm compliance questionnaires.

Additionally, as a result of its disciplinary actions, FINRA expelled 24 firms from the securities industry last year. Twenty-six firms and 727 brokers were suspended from securities industry participation during that same interval, with 517 individuals barred from associating with FINRA-regulated firms.

  2. Financial repercussions for violations continue to increase.

In 2016, FINRA levied a record $176.3 million in fines and ordered $27.9 million in restitution to harmed investors. Of these fines, 29 exceeded $1 million, up from 23 in 2014 and 21 in 2015.

However, fines represent just the tip of the iceberg where the financial consequences of FINRA violations are concerned. Firms found to be in violation—intended or unintended—also incur significant expenditures related to customer loss and reputational damage. Additionally, there is the steep cost of marketing and public relations initiatives necessary for companies to repair their reputation and regain their position in the market.

  3. The movement of money is becoming a national security issue, as well as a market regulation issue.

As a result of this development, FINRA is paying heightened attention to firms’ compliance with regard to anti-money laundering (AML) procedures and programs. FINRA’s actions in May 2016 against a broker-dealer for failures pertaining to AML procedures at two of its divisions demonstrate that it is indeed sharpening its AML teeth and is unafraid to use them.

Specifically, Raymond James & Associates Inc. (RJA) received a fine of $8 million and Raymond James Financial Services Inc. (RJFS) a fine of $9 million, both for failure to establish and implement adequate AML procedures. This, FINRA alleged, rendered both divisions unable to properly prevent, detect, investigate and report suspicious activity for several years.

FINRA also claimed that the broker-dealer had failed to conduct the requisite due diligence and periodic risk reviews for foreign financial institutions and that its AML compliance officer (AMLCO), who was handed a separate $25,000 fine and a three-month suspension, had neglected to ensure that such reviews had been executed. The company’s failure to establish and maintain an adequate customer identification program (CIP) was cited as well.

  4. Size doesn’t matter.

Flippancy as to the power of financial regulatory bodies, the importance of adherence to rules and the possible end results of noncompliance was doubtless a catalyst in the demise of such major financial industry players as Lehman Brothers and Arthur Andersen. There is no getting around the fact that just as “it” happened to them, “it” could happen to any other company in the market, regardless of size.

  5. Customer expectations demand compliance.

The financial industry is built largely on trust. In following regulations set forth by FINRA and demonstrating that they are doing so, organizations engender that trust among their customers. Just as travelers would likely hesitate to patronize airlines that flout Federal Aviation Administration (FAA) regulations, customers will not feel comfortable conducting business with financial firms that do not take FINRA seriously.

In short, there is no denying that FINRA requires the support of the companies and industry it regulates. As such, it behooves leaders to remain abreast of developments in technology and to invest in updates of their companies’ technology to foster compliance. It is equally critical to hire and leverage the right human resources across all departments so that the proper procedures and modifications can be implemented as needed.

Think of FINRA as you do the referees who work the sidelines at sporting events. Everyone shouts at the men in black and white striped shirts, but they are needed to ensure the game continues as it should—and they can be neither ignored nor scoffed at, at any stage of the game.

The post Why You Need to Worry About FINRA appeared first on Corporate Compliance Insights.

Retiring Enterprise Applications: 4 Key Considerations


Out With The Old, In With The New

In the digital arena, it’s “out with the old, in with the new” as technological advancements increasingly compel companies to replace enterprise applications with next-generation ones. However, the process of retiring older applications—from deciding which should be retained in an archive and which should be disposed of, to managing the archiving process and beyond—cannot be executed in anything but the most methodical manner, or problems will ensue.

This necessitates considering and formulating answers to four key questions:

  1. What is our policy for retiring enterprise applications?

Retired enterprise applications can be destroyed or archived, and common sense should dictate the policy that governs their disposal. In many instances, archiving is imperative.

Any application containing data that a company may need to access—in the case of litigation, regulatory request and so on—falls in the archiving category. For example, customer-facing websites can serve as proof of what information was shared with customers during the customer journey. Other examples include external social media applications, collaboration platforms used in developing products and intellectual property.

Internal enterprise applications containing data that could be needed in a labor or employee-related litigation should also be maintained in the organization’s archives instead of being destroyed. Wikis and similar applications utilized by the human resources department rank at the top of the list here.

Any policy that governs the retirement of enterprise applications should also include checkpoints for when the retirement will occur and for what duration archived enterprise applications should be maintained. Common sense and individual company requirements will play a part in setting these parameters, and other factors may come into play. Case in point: Companies are typically mandated to wait seven years before discarding copies of retired enterprise applications that may give rise to regulatory requests for a response. Nonetheless, the actual time frame may vary based on the individual regulation in question.

  2. What might happen if we fail to archive the enterprise applications?

Failure to produce business records when asked to do so can put organizations at a grave legal disadvantage. Suppose a company is involved in litigation and cannot substantiate its claims or defense because the pertinent business records existed in an enterprise application that was destroyed following its retirement. At best, the organization would be in a significantly weaker position to emerge victorious in court. At worst, it could incur financial penalties and reputational damage or in extreme cases, like that of Enron and Arthur Andersen, implode entirely.

The more a company is unable to properly defend itself in legal or regulatory matters, because it no longer has access to the information needed to do so, the more it will develop a reputation for poor record-keeping. Such organizations will eventually become a greater focus of regulatory investigations and more subject to litigation than those that can produce records on demand. They will also be more likely to lose cases that they might have won had they been able to present archived information in court.

The absence of certain records may also complicate internal matters. For example, suppose a company’s human resources department is attempting to determine how a particular issue was handled in the past. If the necessary information existed in a Wiki which was destroyed on retirement rather than archived, discord rather than efficient problem-solving could be the end result.

  3. Who will be accountable for the enterprise application retirement process?

Companies, especially large companies that operate in multiple locations and have many moving parts, must appoint a responsible party to oversee enterprise application retirement initiatives. This means ensuring that the policy and plan are enforced across the board and with no exception. It also means keeping the corporate compliance department abreast of all plans to retire enterprise applications and move to new ones, whether they are individual solutions or entire platforms.

  4. Who will handle archiving initiatives, and how should they occur?

For best results, organizations do well to engage a professional archiving firm. Such a firm should have the credentials and ability to create legally defensible, native archives of each enterprise application. In cases where it may not be necessary to archive the entire application, the firm should be able to provide guidance as to which data should be maintained. Determining this ahead of time and proceeding accordingly is critical: It is impossible to recreate data that was removed from the enterprise application before archiving occurred. Attempting to do so invalidates the archive—and compromises companies’ credibility.

Organizations will continue to embrace new applications, moving from solution to solution and from platform to platform as new digital capabilities and use cases emerge. Those that carefully map out and follow procedures for migrating to new digital applications stand the best chance of avoiding the consequences of poor decisions and of making a smooth transition.

The post Retiring Enterprise Applications: 4 Key Considerations appeared first on Corporate Compliance Insights.

Countdown to the GDPR


What Compliance Should Be Doing Now

CCI has covered the General Data Protection Regulation (GDPR) extensively, and by now most readers may know that the deadline for GDPR compliance is barreling toward us. Kevin Gibson walks us through what businesses must do to prepare.

May 25, 2018, the day on which the General Data Protection Regulation (GDPR) takes effect, is fast approaching. Some firms have been proactively working toward GDPR compliance, which is wise given that failure to do so exposes organizations to fines of up to €20 million (US $23.5 million) or 4 percent of global revenue — whichever is higher. However, it appears that a majority of firms whose business requires them to comply with GDPR have yet to do so and are instead waiting to take action until just before the deadline or worse, after it passes. Such procrastination is ill advised. The GDPR compliance countdown, as outlined here, should start now.

4… Get motivated by understanding the consequences of waiting to address GDPR preparations.

The GDPR is designed to safeguard the privacy and security of personally identifiable information (PII) belonging to citizens of the European Union (EU). If previous efforts to enforce regulations are any indication, European authorities will immediately impose penalties on any company that is found to be in violation of the new rule. Pandemonium will ensue when this occurs, with a long queue of other EU citizens initiating their own attempts to recover damages for noncompliance.

The longer this queue becomes, the greater the number of organizations that will simultaneously scramble for resources to assist them in navigating the road to GDPR compliance and overcoming any obstacles they encounter. As more companies reach out for these resources, organizations’ difficulty in engaging the right services will increase. Additionally, as the shortage of competent GDPR-compliance resources increases in scope, so too will the price of their services.

3… Develop a GDPR compliance plan.

The GDPR clearly specifies how organizations that maintain and/or process PII must handle that data. This includes everything from requirements for storing and safeguarding the security of customer and employee PII to responding to requests that PII be deleted from companies’ records. It also encompasses documenting and furnishing proof that companies have followed through on requests for PII deletion and that the data no longer resides on a particular system or systems. And that is just the beginning.

Companies must formulate a plan stipulating their intended method of satisfying all requirements set down under the GDPR. For instance, what measures will they take to ensure that customers’ PII is never exposed on their website? How will they respond to employee requests for PII erasure? How will they know where particular data resides? Who will be accountable for ensuring that PII that should not be exposed is not exposed? Who will be responsible for GDPR compliance as a whole? Without such a plan, organizations will find themselves frantically improvising as they go along — and quite possibly, making decisions or taking actions that could have financial or other repercussions.

2… Locate and engage appropriate resources.

Small organizations (i.e., those with just a few individuals on their payroll and a limited number of EU citizens on their customer roster) will likely not require as much assistance in attaining GDPR compliance as their larger counterparts. However, as stated above, all companies will need some help with GDPR preparations, whether in implementing the proper tools and utilities for identifying, controlling, analyzing and acting on web, social and collaborative content or in deploying technology that performs audit trails around GDPR compliance.

No matter their size, companies should, when choosing from among resources, limit their selection to those whose capabilities support all aspects of GDPR compliance. Organizations with multiple data repositories and operations in various geographic locations should be certain to engage only those resources that can provide a solution for finding the same data in more than one system, so that if it must be erased, it is erased from all systems rather than just one. All companies should also ensure that their resources offer tools that make the whereabouts of all data in the PII category — structured data, unstructured data and web data — easily evident, whether it resides in an ERP or corporate system, on a web platform or even in employee-owned software.

1… Assess compliance levels.

By early May, at the very latest, companies should be at a stage where they are performing dummy tests to assess their degree of GDPR compliance and making any necessary adjustments before the rush. Such assessments should look at the process of responding to different GDPR-related requests — for example, an employee’s request to be furnished with information about what the organization does with his PII or for that data to be expunged from the company’s records. Also worth including are spot checks of various data repositories to make certain that PII is not exposed and accessible when it should have been placed behind a firewall.

Blastoff.

Admittedly, not all companies will be entirely positioned for GDPR by the coming deadline in May. However, the closer to the countdown they can come, the smoother the sailing for all parties concerned.

The post Countdown to the GDPR appeared first on Corporate Compliance Insights.

Cryptocurrency Challenges and Opportunities


Leveraging Compliance to Build Regulator and Customer Trust

Bitcoin and other cryptocurrencies continue to gain ground as investors buy in, looking for high returns, and as their acceptance as a form of payment takes hold. However, with such growth come risks and challenges that fall firmly under the compliance umbrella and must be addressed in a proactive, rather than reactive, manner.

Cryptocurrency Challenges

One of the greatest challenges faced by the cryptocurrency industry is its volatility and the fact that the cryptocurrency markets are, unlike mainstream currency markets, a social construct. Just as significantly, all cryptocurrency business is conducted via the internet, placing certain obstacles in the path of documentation. The online nature of cryptocurrency leads many, especially regulators, to remain dubious of its legitimacy and suspicious that it is used primarily for nefarious purposes, such as money-laundering and drug trafficking, to name a few.

This leaves companies that have delved into cryptocurrency with an onerous task: building trust among regulators and customers alike, with the ultimate goal of fostering cryptocurrency’s survival. From a regulatory standpoint, building trust involves not only setting policies and procedures pertaining to the vetting of customers and the handling of cryptocurrency transactions and trades, but also leveraging technology to document and communicate them to the appropriate parties. Earning regulators’ trust also means keeping meticulous records rendered legally defensible by technology. Such records should detail which procedures for vetting customers were followed; when, by whom and in what jurisdiction the vetting took place; and what information was shared with customers at every step of their journey.

On the customer side, records must document the terms of all transactions and the messages conveyed to customers throughout their journey. Records of what customers were told regarding how a company handles its cryptocurrency transactions and any measures it takes to ensure the legitimacy of activities connected with transactions should be maintained as well.

Once regulators are made privy to detailed records, they will become more confident in the legitimacy of individual companies’ cryptocurrency activities. They will trust that companies are acting in good faith and will be easily able to differentiate good actors from bad actors, based on the transparency of records and companies’ openness in revealing information. The same will be true of customers, increasing their inclination to invest their funds in cryptocurrency rather than using their funds for other purposes.

Beyond Recordkeeping

While meticulous recordkeeping and a lack of opacity will go a long way toward reducing some of the risk inherent in cryptocurrency dealings, compliance departments must also grapple with regulatory issues. Notably, money services businesses — among them, financial institutions — are required to comply with regulations and laws set forth in the Bank Secrecy Act of 1970. This includes Anti-Money Laundering (AML) requirements and Know Your Customer (KYC) rules.

The procedures mandated within AML requirements and KYC rules are intended to afford financial institutions and similar entities an enhanced knowledge and understanding of their customers in general, as well as of those clients’ financial activities. Thus, they are rather complex, involving not only the collection and analysis of basic identification data, but a search for known nefarious actors by name-matching against lists of known parties. These procedures also entail deeper examination to determine individuals’ propensity to commit money laundering, engage in identity theft for the purpose of supporting nefarious activities funded by cryptocurrency or utilize cryptocurrency to finance terrorist activities.

Not surprisingly, completing the steps needed to remain in compliance with AML requirements and KYC rules is a time-consuming endeavor. At best, the process spans two to three days, but it often takes a week before all the boxes can be checked off. However, cryptocurrency is a volatile instrument whose price can change drastically from one day to another as compliance departments work through AML and KYC procedures. Should prices move in the wrong direction, companies will encounter frustration, anger and other negative reactions from potential customers, placing companies in jeopardy of losing these individuals’ business.

Just as solutions harnessed for recordkeeping help to build regulator and customer trust in the cryptocurrency market, technology can play a role in overcoming some AML- and KYC-related challenges. Solutions that automate the procedures mandated under AML requirements and KYC rules hasten the completion of necessary investigations and follow-up, thereby reducing the likelihood of losing customers. They also support more thorough investigations than would otherwise be feasible, bringing to light important information (e.g., patterns of activity that indicate possible plans to use cryptocurrency toward a less-than-scrupulous end) while simultaneously reducing costs.

Additionally, the technology enables companies to keep more detailed accounts of steps taken to investigate their prospective cryptocurrency customers as prescribed by AML requirements and KYC rules. With comprehensive records in hand, it is easier to build a robust legal defense in court, should the need arise. Ready access to comprehensive records that can be shared with regulators and will doubtless increase their trust also bodes well for companies.

In fact, the combined advantages of solutions for automating AML and KYC compliance render the solutions worthy of over-investment. It is even possible that such solutions could allow players in the cryptocurrency industry to become better at compliance than their counterparts in the mainstream financial services market.

Cryptocurrency and the cryptocurrency market do not enjoy a guarantee of support equal to that given to mainstream financial institutions. It is incumbent upon companies and their compliance officers to act as exemplars of best practices (i.e., engendering trust, exercising proper governance and leveraging technology along the way) for the good of the cryptocurrency industry now and in the future.

The post Cryptocurrency Challenges and Opportunities appeared first on Corporate Compliance Insights.
