Bloomberg Law
March 4, 2020, 9:00 AM

INSIGHT: Compliance Officers Must Ensure Collaboration Platforms Meet FINRA, SEC Rules

Marc Gilman
Theta Lake

The compliance risks and regulatory requirements for the use and supervision of digital communication channels, including new collaboration tools like Zoom, Microsoft Teams, and Cisco Webex, were key parts of FINRA’s 2019 Exam Findings and Observations and its 2020 Risk Monitoring and Examination Priorities Letter.

The Financial Industry Regulatory Authority outlined its expectations for the use of collaboration tools in its 2019 findings, stating that if “a firm permits its associated persons to use a particular application—for example, an app-based messaging service or a collaboration platform—the firm must preserve records of business-related communications and supervise the activities and communications of those persons on the application.”

From a practical perspective, this means that compliance officers will need to ensure that their firm’s use of collaboration platforms meets FINRA and Securities and Exchange Commission expectations in preparation for the 2020 exam cycle.

And, since global fines for communications supervision failures topped $150 million in 2019, proactive compliance teams will need to employ sophisticated RegTech tools to help them manage collaboration platform risks.
In the U.S., broker-dealers must ensure that collaboration data can be captured and retained to meet the SEC’s Rule 17a-4(f) requirements and FINRA Rule 4511. These rules should be familiar to most and dictate that, among other things, electronic communications must be archived in “non-rewritable, non-erasable” storage.

Moreover, collaboration communications must be supervised pursuant to FINRA Rule 3110. FINRA’s observations in the 2019 exam findings essentially clarify that these electronic communications requirements apply to modern collaboration platforms.

Additionally, cybersecurity mandates described by the SEC and FINRA in an ongoing series of risk alerts and observations must be considered as should overlapping privacy regulations like the California Consumer Protection Act and the EU’s GDPR.

Collaboration Platform Features

Collaboration tools like Zoom, Microsoft Teams, and Cisco Webex contain nuanced communication features that have challenged the regulators’ notion of what constitutes a business communication. Collaboration applications include video capabilities such as webcams, screen sharing, and native whiteboarding, which provide simple ways to create, present, and distribute dynamic content with a few clicks.

Integrated chat, calling, and video capabilities make it far easier to share sensitive client and firm information like account numbers, product prospectuses, and Social Security details. While these features are ideal for wealth managers and reps servicing geographically dispersed clients, they also increase the risk of misuse, data leakage, and exfiltration.

Video-enabled features sit alongside traditional communication capabilities like one-to-one and one-to-many instant messaging, calling, and document sharing.

The diversity of these collaboration feature sets presents challenges for compliance teams tasked with ensuring that the use and supervision of these platforms comport with recordkeeping and oversight rules.

RegTech for Risk Mitigation

Traditional electronic communication supervision technologies designed decades ago provide the rudimentary ability to sift through emails and instant messages using simple keyword searches, static lexicons, or basic phrase guessing with manual tuning. Legacy platforms still mostly dump basic datasets into 1990s-era user interfaces for painful hunt-and-peck reviews and rely on staff to “train” their so-called natural language processing (NLP).

Even tools delivered five years ago designed to layer voice on top of e-communications surveillance over-promise automation and do not provide solutions for modern collaboration platforms.

However, the dark ages of supervision are over. Contemporary compliance platforms are designed to provide transparency into the multifaceted nature of modern collaboration applications and to seamlessly analyze video and audio data in addition to traditional text content.

Dynamic Content Analysis

RegTech supervision solutions must be able to analyze the dynamic video, audio, and text content being exchanged through collaboration platforms. Modern compliance tools use transcripts as the building blocks for richer analysis conducted with the latest in natural language processing and modern machine learning (ML) techniques to more accurately identify regulatory and security risks across what was shown, spoken, or written.

Leveraging new NLP and ML technologies reduces false positives, facilitates increased automation, and alleviates the manual burden of supervision. In addition, these new RegTech capabilities provide insight into visual and image detection, including corporate logos, whiteboards, documents, inappropriate content, and even the faces that have appeared across collaboration conversations.

Smart Workflow, Review and Audit Trails

In addition to the ability to detect financial services-specific risks, supervision platforms must be configurable to meet the size and scope of each firm’s compliance operations. The power and flexibility to route data to review teams based on geographic location, the inherent risk of the content, or another customizable parameter is essential.

After content has been routed appropriately, systems should have intuitive, AI-enabled review capabilities that point teams directly to potential risks for fast, effective analysis. At the end of the review process, a full audit trail of every action taken on a piece of content must be generated and retained in 17a-4 compliant storage to demonstrate compliance with FINRA supervision requirements and to support subsequent examinations or investigations.

The supervisory platform you select should make workflows, reviews, and auditing easier and more efficient than reliance on spreadsheets or other legacy processes.

Audited Security Controls

Finally, make sure that your RegTech vendor has established, audited security and privacy controls in place. The SOC 2, Type 2 certification is now effectively mandatory for any technology vendor providing software to financial services clients.

Compliance officers should also expect RegTech vendors to have supplemental self-certifications like participation in the Cloud Security Alliance’s Security Trust Assurance and Risk Registry. Given the sensitivity of collaboration data, RegTech vendors must demonstrate meaningful security controls validated by experienced, third-party auditors.

As firms deploy collaboration tools like Zoom, Microsoft Teams, and Webex, supporting compliance technologies purpose-built to manage the risks of these new interactive video, audio, and text features are critical. Failing to consider the inevitable migration of digital communications to collaboration platforms will put compliance teams at a significant disadvantage.

Incorporating the guidance above into your RegTech strategy will demonstrate a forward-thinking, risk-based approach that aligns with digital modernization and transformation efforts.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Marc Gilman is general counsel and vice president of compliance at Theta Lake. He is also an adjunct professor at Fordham University School of Law. Follow him on Twitter: @marcwiki.