By: Robert Cruz
Evolving Communication Tools Pose New Challenges for Security
Banks aren’t strangers to reining in their employees’ use of communications tools. However, the methods preferred by customers and client reps continue to change, and if banks don’t keep up with these rapidly changing tools, even those that have made a massive investment into a compliance infrastructure over the years may find themselves struggling with regulatory compliance.
In regulated industries such as financial services, it is common practice to set boundaries for employee use of communications tools. With these restrictions in place, banks reduce the risk of sensitive information being shared inappropriately while also working to remain in compliance with recordkeeping regulations. As new communications tools continue to be introduced and adopted by customers, banks must adapt their client engagement practices while continuing to avoid accruing fines.
The growth of new communications tools
Customers are moving away from email toward more dynamic tools, and banks need to mirror these changes to fulfill their customers’ needs. However, while meeting customers on their preferred channels allows banks to remain flexible and competitive, it also introduces additional risk.
The archives that the biggest banks installed in the early 2000s were once considered state-of-the-art. However, banks are now finding that these systems were not designed to handle the wide variety of digital communication channels used regularly in the workplace today. As these systems have aged, with data volumes doubling every 18 months, their performance has become even more sluggish and unreliable.
The increased adoption of social media, encrypted messaging and collaboration tools has created numerous challenges for IT and compliance teams. In addition to generating terabytes of additional data to comb through and review, the interactions on these channels differ greatly from the static, text-based format of email.
New Challenges Arise from MiFID II and GDPR
Although MiFID II and GDPR are both EU regulations, their application is not limited to EU-based organizations. Even if an organization has no physical presence within the EU, if any of its clients are based within EU borders, it is, by extension, subject to the rules of these regulations.
For MiFID II, context becomes much more significant when archiving digital communications. According to Article 16, firms must capture all communications leading up to a transaction, including all electronic correspondence, so that they can be reconstructed as a single narrative instead of treating each interaction as an independent event. With over 100 different communications tools available, correspondence between a client and a company representative is no longer a “linear” exchange between two parties. Compliance programs must now equip themselves with tools to navigate the multiple threads that these interactions create. For example, a conversation can be initiated through email, followed up on over LinkedIn, and carried over onto a personal cell phone, a pattern that has become more common with the rise of BYOD.
GDPR was developed to protect all EU citizens and provide them with more control over how organizations use their personal data. The new regulation will grant EU citizens the right to erasure, or “right to be forgotten”, allowing them to initiate the removal of data that is no longer necessary in relation to the purposes for which it was collected. As concerns over the management of user data continue to grow, organizations must prepare for a large volume of erasure requests so that their responses do not become a bottleneck.
With MiFID II in effect and GDPR quickly approaching, regulations will continue to adapt to cover new technologies, in turn requiring banks to upgrade their archiving and compliance capabilities to keep pace.
Embracing modern technologies and practices
To best equip themselves for new data regulations like MiFID II and GDPR, banks need to take a more modern approach to data archiving:
- Bring their archiving to the cloud. By moving their archiving away from legacy technologies and incorporating newer cloud-based technologies, banks can ensure they have the scalability to handle the increase in volume generated by today’s tools. In addition, hybrid cloud environments allow the flexibility to customize deployments for meeting different geographical and regional data privacy requirements.
- Partner with the right vendors. The complexity of MiFID II and GDPR makes compliance a task bigger than any single organization can handle on its own; it is a team effort that requires the right vendor partners. If a bank is found to be using a cloud vendor that does not meet GDPR’s requirements, the bank itself can become liable for fines as a result. Given the high cost of the penalties (up to 20 million euros or up to four percent of total worldwide annual turnover of the preceding financial year, whichever is higher), it is key that banks partner with companies that meet both their technical needs and their regulatory requirements.
- View the new regulations as opportunities, not burdens. Avoiding financial and reputational penalties is certainly a strong incentive to meet data management regulations, but it should not be the main driving force. Many of GDPR’s requirements address customer concerns about how their data is collected, stored and used. By outfitting the communications tools customers prefer with better data security and privacy services, banks gain more trust from their clients by interacting with them on their terms, which often correlates with longer-lasting relationships. They also gain more control over their company’s data, giving greater insight into bottom-line business improvements and the ability to apply the latest analytics technologies to predict and respond to important trends. These benefits extend far beyond avoiding fines.
Meeting the requirements of MiFID II and GDPR
When it comes to data archiving and information governance under MiFID II and GDPR, compliance is more than checking a box. Unfortunately, the limitations of legacy archiving solutions prevent companies from meeting the data-privacy standards set forth in these regulations. But with the development of the cloud and advanced analytics, banks today have the help they need to meet the challenge.
Robert Cruz is Senior Director of Information Governance for Actiance, the leader in communications compliance, archiving and analytics. Mr. Cruz leverages more than 20 years of Silicon Valley experience in providing thought leadership on emerging topics including cloud computing, information governance and discovery cost and risk reduction. Prior to Actiance, Mr. Cruz was Senior Director of Information Archiving & eDiscovery for Proofpoint, Inc. Earlier in his career, Mr. Cruz served in a variety of management capacities at Electronic Evidence Discovery (EED), FileNet/IBM, BroadVision and Hewlett-Packard. Mr. Cruz holds an MBA degree from the Stanford University Graduate School of Business.