It’s the stuff of internet lore: dozens of employees fired after distributing e-mails with violent or obscene messages; a firm brought into disrepute after a lewd e-mail exchange between employees is published on the Internet; or revelations of steamy e-mail messages to a space shuttle pilot.
Perhaps you are too sensible to create such problems for your company. But are you geared up to avoid less obvious e-mail infractions? In the highly regulated financial services industry, managing the content of all communications — including e-mail — is critical. And with e-mail volumes increasing, financial advisors face a growing challenge as they try to stay within their firms’ compliance guidelines.
It’s easy to see how concerns could arise. The word “guarantee,” for example, carries significant implications in a financial setting, even if used in an offhand way by an advisor in an e-mail exchange with a client. Why take the risk?
Regulations such as the Sarbanes-Oxley Act in the U.S. em-phasize the need for content monitoring. In Canada, the Investment Dealers Association of Canada says any channel used to deliver investment recommendations to clients must be monitored for suitability and unbecoming conduct. Monitoring methodologies must be “effective,” according to the self-regulatory organization, but those methodologies aren’t specified.
“We only assess their effectiveness as the subject arises in the course of our field reviews,” says Connie Craddock, vice president of public affairs for the IDA.
What constitutes effective monitoring? Vendors of e-mail compliance tools generally divide e-mail content monitoring into two types: pre-review and post-review. The former tries to analyse mail before it is sent; the latter involves checks after e-mail has been delivered.
Stephen Marsh, founder of Portland, Ore.-based financial
e-mail compliance software vendor Smarsh Inc. , says few companies have implemented pre-review effectively. “Part of it is that the person doing the pre-review becomes a bottleneck,” he says.
But isn’t the point of e-mail content monitoring an attempt to automate the process?
E-mail content monitoring systems typically use keyword recognition to try to catch problems. Expletives and other inappropriate phrases may be part of the keyword list, but others may pertain to a particular industry.
“We worked with a compliance consulting firm to develop a list of hundreds of words and phrases related to financial services organizations that might be troublesome if they were sent outbound or received inbound,” says Amy Dugdale, spokeswoman for Torrance, Calif.-based LiveOffice Corp. , whose products compete with those of Smarsh.
Like Smarsh, LiveOffice advocates the use of a compliance person who can approve or disapprove e-mail. Keyword recognition can throw up false positives (e-mail that is flagged but is not a problem), especially when dealing with ambiguous words and phrases. The compliance officer must check
e-mail flagged by the system to see whether it presents a problem. But in smaller firms, the compliance officer may also be the financial director, office manager or accounting administrator. It’s easy to see how bottlenecks occur.
Just as auditors work to weed out false positives, those people are needed to avoid false negatives — problem e-mail not caught by the system. Even the best configured system won’t catch all keywords, especially if employees manipulate them with misspellings and substitutions. A system may catch “bank fraud,” but would it catch “b3nk fr@ud”?
For this reason, LiveOffice president Matt Smith recommends random audits in which up to 5% of e-mail is checked, regardless of whether it is flagged by the system or not. This should lead to greater diligence in sending e-mail.
Another way to overcome the limitations of keyword searches could be smarter linguistic analysis. Kieron Dowling, president of Toronto-based e-mail content-monitoring appliance vendor Jatheon Technologies Inc. , says the firm is working on natural language-processing technology using techniques similar to those used by some larger search engines. The technology will then try to evaluate concepts underpinning the text. This technology, however, won’t be ready for about a year.
In the meantime, there are other techniques available to help structure an auditor’s workload, if not minimize it. Smarsh includes a rules-based e-mail scoring system that weights e-mail according to the keywords messages contain and their senders and recipients. An e-mail sent to an external address from an advisor and containing the word “guaranteed” might warrant more immediate attention than the same e-mail sent from, say, the office assistant to the office manager.
@page_break@Jatheon doesn’t score in this way — that feature is still being worked on. Instead, the software enables the post-review of individual e-mail messages to be delegated according to set criteria. An e-mail containing a keyword raising potential compliance issues might go to the CEO for review, whereas correspondence raising corporate governance issues might be sent to a line manager.
Doesn’t a post-review of e-mail raise the alarm too late — after the damage has been done? The important thing for heavily regulated companies, says Smith, is they are seen to be taking steps. If a company can document that it was checking for problems and that it took action after an event, it is probably less vulnerable in a legal situation. Outlining a clear e-mail usage policy in employee handbooks and orientation is also a good idea.
Many smaller firms may not have the technical resources to deploy and manage such systems. Some may not have a dedicated IT person. Many systems promise ease of use, but price is another issue. Jatheon’s system starts at $16,000. That’s a hefty investment in something that doesn’t generate revenue.
An alternative is a hosted service — e-mail monitoring from a central location by a service provider. LiveOffice provides compliance monitoring as part of its e-mail hosting service, which would enable small firms with limited resources to hand over the job and concentrate on their core business.
Other communication channels should come under just as much scrutiny as e-mail. Instant-messaging systems, such as Microsoft Messenger and AOL Instant Messenger, have long been cause for concern for IT departments in heavily regulated industries. If financial advisors use instant messaging for business communication, it should come under equal review. There are corporate versions of instant-messaging systems that have structured instant-message logging capabilities.
The same cannot be said of Internet telephony network Skype, which, in addition to instant messaging capabilities, offers voice-over Internet protocol capabilities, meaning tech-savvy employees can hold encrypted voice conversations from their PCs to outside computers. Even Skype executives say that such systems can be dangerous, from a compliance perspective. IE
E-mail monitoring critical in financial services
Smaller firms can outsource the job of sifting through messages for inappropriate words, phrases, activities
- By: Danny Bradbury
- April 3, 2007 April 3, 2007
- 10:35