
How leading firms are rethinking their supervision models

No two Compliance organizations are exactly alike, especially when it comes to their approach to supervision. There are, however, some common best practices in how leading firms structure their supervision model. Over the past decade, Hearsay’s Compliance Strategy lead, Iain Duke-Richardet, led compliance teams for some of the world’s largest financial services firms. I had a chance to sit down with Iain recently to talk through a few key areas where hours can be gained and lost for compliance teams.

William: Iain, we work with clients that prefer a centralized model of supervision as well as others that prefer decentralized. I know that you’ve worked with both over the course of your career. My question to you is… is there a correct setup?

Iain: How first and second line control functions are set up, or any setup for supervisory controls really, is dependent on how an organization is structured. What might be best for one is not necessarily going to be right for the other. I’ve actually seen instances where an organization has started with, for example, a decentralized model and moved to a centralized model for efficiency gains or simply because they’ve had supervisors leave an organization and therefore they’re restructuring. So, it really is incumbent upon the regulatory Supervisor to evaluate and implement what makes the most sense.

All firms—regardless of their model—can align on certain best practices to put themselves in the best position to succeed. For instance, they can all look to reduce the instances of data fragmentation. So if a supervisor’s looking at a profile and the profile has been archived in such a way as to make it very fragmented, that’s not really very straightforward or easy. Our approach is to actually crystallize all those changes into an easy to read and review format so that the process is seamless and there’s no pushback from whichever group is assigned that review.

William: In your experience, what’s been the main driver of efficiency for the compliance teams you’ve led?

Iain: I find the way financial services organizations have structured their compliance functions very interesting. Efficiency is always at the top of their priorities. In this space, there are two main drivers toward efficiency. One is the efficacy of the organization’s lexicon, and by that I mean, is the firm using the terms that most align with the behaviors they’re trying to prevent. This is relevant because including an overabundance of terms in the lexicon will mean that items get flagged much more often than they need to be. You won’t end up getting to the type of behavior you want to identify to correct through the supervisory process, due to too many false positives.

The second component is around how the review is being performed. It’s important to align reviewers with different components of the review process, leveraging a hierarchy of some kind, so that there’s no duplication in the work that is being done but identification is still prioritized through the process.

William: Thanks. Finally, taking a step back, at the enterprise level there’s been this rise of centralized databases and business intelligence systems, but really these tools are only as valuable as their inputs. We like to say, “Garbage in equals garbage out.” So, as advisors and clients communicate on more channels than ever before, does the same hold true for compliance and supervision technology? How can firms be more confident about the quality of their input?

Iain Duke-Richardet: I think that’s a great point. The “garbage in, garbage out” absolutely holds true in the compliance and supervision space where, as advisors use more and more channels to communicate, there is a notion of channel hopping; an advisor might move from one channel to another very quickly. Sometimes it’s an effort to perhaps circumvent some of the control or it’s simply because that’s the form in which the customer would like to interact. Having clear data that’s properly time stamped with the right author attribution, as well as having any corresponding attachments like 3rd-party links, is the key to seeing context. Because, ultimately, as the supervision is being performed, the ability to see the context of a conversation or a communication, regardless of the channel in which it occurs, is going to be the way that advisors and supervisors of those advisors will be able to identify any behavior that is not ideal.

In Summary:

  • Both centralized and decentralized supervision are valid options; supervisors must decide what makes the most sense for their organization.
  • There are two main drivers of efficiency for supervision in financial services firms: efficacy of the lexicon and a prioritized review process.
  • The ability to see the context of a conversation or a communication, regardless of the channel in which it occurs, is the way supervisors can identify risky behavior.

Properly managing compliance includes regularly assessing compliance strategy, tuning of policies & procedures, and evaluating technology. Our experts at Hearsay are ready to help. Learn more about our Hearsay Compliance Advisory Services and how we can offer compliance insights, analytics, and training to meet your program needs.

Compliance Must Embrace – and Understand – AI

Compliance teams are overstretched. It’s become imperative they find ways to leverage technologies to become leaner, more effective, and better able to handle increasing demands. But they’re not alone in these efforts; the most recent OCIE risk alert indicates that organizations are also responsible for compliance programs that are sufficiently supported with both staff and technology.

As we’ve discussed before, an over-reliance on manual functions means compliance teams are overwhelmed by low/moderate risk issues. Technology and automation have to be considered as part of the equation so that teams can focus on the riskiest issues that matter most to the business.

As technology gets more intelligent, an opportunity arises in artificial intelligence (AI) as a catalyst to enhance the efficiency of a program. As we’ve mentioned, this can lead to a more mature, impactful compliance program and increased trust throughout the organization.

However, as programs mature and manual processes shift into automation, compliance teams will need to understand automation more and more. AI is an important tool, but at some point, compliance will be asked to explain how they supervise and test these tools to know they’re functioning as designed and expected.

At its core, AI is designed to monitor a data set and, when a logical trigger is set off, to translate that information into an action. In some instances, that translation is clear and easily understood. But in other situations, especially when the way the AI translates between data sets and actions is hidden in a “Black Box” due to intellectual property concerns, explaining it to a regulator becomes more difficult.

As FINRA wrote in its June 2020 report on AI and again reiterated during its November Conference on AI, a compliance professional needs to understand how the AI they are implementing aligns with regulatory expectations. These steps include a documented understanding of the data set-to-action translation and a method to regularly test the system to validate it meets legal and regulatory requirements. When the algorithm informing your AI is hidden in a “Black Box”, this can prove difficult.

It might be time to evaluate your firm’s use of AI in its supervision policies. If, in the course of your review, you have any questions on AI and how to prepare for a regulatory audit, feel free to reach out to your Hearsay account team for help.

The Impact of Technology on Compliance Program Maturity

With newsworthy financial services regulations such as the Department of Labor (DOL) guidelines and Regulation Best Interest (RegBI), RegTech has recently come to the forefront. The reality is that technology has been rapidly evolving for some time to provide compliance professionals with the ability to leverage solutions designed to accelerate their programs. Yet, frustratingly, not all programs have taken full advantage of the technology available to them. While the hurdles to adoption may vary from organization to organization, the impact of not fully utilizing the technology available to an organization is profound.

NAVEX, a consultancy that has specialized in assessing the intersection of technology and compliance, recently took a closer look at this matter in their 2020 Definitive Risk & Compliance Benchmark Report. The report delivers a number of important insights focused on the maturity of a compliance program by measuring how sophisticated, entrenched, and embedded a program is inside its organization. I’ve summarized highlights below:

  • The technology spend for organizations surveyed largely fell within consistent bounds across maturity levels. This is an important insight: the difference between maturity levels was attributable to the focus of their budget spend: lower maturity programs spent on manual processes, while high maturity programs focused on technology innovation.
  • Across the board, programs that were “Maturing” or “Advanced” were more likely to report “good” or “excellent” performance in all areas of the program, including trust, performance, outcomes and integrations with the business.
  • Less mature programs were often seen as “necessary evils,” while those that were more advanced were more likely to be seen as “partners” to an organization.
  • In addition, more mature programs typically had a higher level of trust and typically had a more substantial seat at the table for decision making in the organization.

Our takeaway? Organizations can achieve better partnerships between their business and compliance teams, increasing the levels of trust and performance of compliance, by refocusing their budgets on technology that eliminates manual processes.

There are a multitude of other important findings in the report, so I would encourage you to take a look through it. If it sparks any ideas or questions, please feel free to reach out to your Hearsay account team to drive a deeper discussion on the impact to your program.

How Compliance Can Build a Sustainable Partnership with the Business

Innovation in financial services brings its own unique challenges for compliance, notably, how to support these efforts while vigilantly complying with regulations. Having navigated these circumstances at leading global firms like RBC and Barclays, our Compliance Strategy Principal, Iain Duke-Richardet, sat down with me recently to discuss how compliance can build a sustainable partnership with the business.

William: Iain, there’s a common perception that compliance is inherently at odds with the business or growth strategies in technology issues. What do you think lies behind that?

Iain: Will, I think that’s a great question. In truth, Compliance did earn this reputation through a generation of compliance officers who said no to any ask, even the most reasonable ones. Compliance doesn’t necessarily trust easily; it wants to see and touch and confirm that controls do in fact operate as designed, and therefore the organization is not facing supplemental risk. Change can therefore be challenging because it demands an assessment of those controls, and even an adjustment without always necessarily knowing the precise outcome. It requires some degree of flexibility in a field that is all about inflexible rules and regulations.

More recently, though, and certainly in my own experience, compliance functions are increasingly interested in technology and innovation. In fact, in some circumstances, compliance may actually be driving that conversation. The response to both growth and technology has pivoted from a reflexive no to, at the very least, a ‘let’s discuss it.’

William: Quite the evolution. In your experience, when have you seen the partnership between Compliance and the business work best?

Iain: This is going to seem fairly straightforward, but the partnership between Compliance and the business is one that calls for both groups to understand each other’s priorities. Too often, the partnership doesn’t work because Compliance is not willing to consider the business’ needs or the business is coming to Compliance with too broad an ask. The business wants to sell or develop widgets or provide the service, and compliance is focused on the controls that minimize any risk to the organization. So the partnership really works best when compliance has an opportunity to assess the business’ outcome and the business tailors outcomes to align with any limitations that already exist. If the business objective is designed with absolutely no controls, they’re unlikely to receive a great deal of support from the compliance function.

William: So putting it into practice today, what are some initial steps or next steps that firms could take towards building this cohesive partnership between Compliance and the business?

Iain: I think a lot of the progressive organizations have taken a couple of steps in terms of building this partnership. One of those is to bring a compliance partner into the early stages of a business project, sometimes even as early as the actual ideation. Given that opportunity, a compliance partner can flag early in the exercise any kind of risk or hurdles that may lurk, which then means that those can be addressed throughout the planning, development, and execution. So rather than the business coming with everything prepared, having put a lot of work into an exercise, with compliance seeing it for the first time right before launch, the groups are actually aligned and both have skin in the game to see it succeed. As part of this process, I think it’s always helpful when business and compliance come together to learn about the technologies that underlie the desired outcomes; again, they’re working together.

The other step that I’ve seen organizations take is cross-functional training and education. So if the Compliance team understands and has a little bit more exposure to the business, as well as the business stakeholders having more exposure and understanding of the compliance framework, the impact is that the functions can actually appreciate each other’s objectives and work towards them and within them as opposed to coming at each other focused only on their own side of things.

In Summary:

  • To strike a balance between innovation and compliance, it’s critical to insert Compliance directly into the ideation or strategy phase.
  • Too often teams put ideas in front of business leaders without vetting with Compliance first, which inevitably leads to challenges down the road with compliance.
  • As new ideas, technologies, and campaigns are ideated, firms should naturally confer and align with Compliance before presenting to the business. One way to systematically ensure this happens is to instill dedicated partners cross-functionally, for instance nominating a compliance technology partner.

Regulatory Scrutiny of Client Engagement is Here – Are You Ready?

In light of a recent SEC penalty, now is not the time to rely purely on policy.

As part of my role with Hearsay, I am frequently asked for compelling Compliance-grounded reasons why customers might contract our products and services. In the past, a recitation of the relevant rules and laws, in conjunction with reference to regulatory smite, was sufficient to sway any customer. Recently, however, the underlying motives behind this conversation seem to have shifted. It seems the relative cost of a compliant product and service – usually measured by the license fee, without consideration to the benefit of the product and service – is being weighed against the likelihood, or severity, of regulatory censure. This is a worrying development. Since regulatory frameworks typically don’t prescribe how firms comply with the obligations, some have increasingly shifted responsibility to the employee, adopting a policy prohibiting certain activity, but not actually monitoring results that regulators have become more adept at testing for.

This approach may reflect the softening of regulatory censure for non-compliant communication in the email, texting and social media messaging channels, with penalties decreasing in size and frequency. Over-indexing on this trend, however, strikes me as concerning. In just a few short months, brokers and advisors went from meeting a friend for lunch at a restaurant or attending an event, to maintaining those relationships digitally from their home. In order to adjust to the world of social distancing, market participants have had to rethink their engagement model to adapt to new realities. The uptick in the use of social media and text messaging is significant: Hearsay observed a 300% spike in digital communications since the onset of the global pandemic.

The adaptations of market participants – as well as ill-intentioned individuals – have not gone unnoticed by regulators, who have issued myriad alerts, FAQs and guidance to protect investors and remind organizations of their obligations. This can be viewed as both a warning and an opportunity. To prepare for what I believe to be a more stringent environment around texting, firms should be looking at the controls they have for their social media and electronic communications programs, assessing whether the channels being used by their employees are permitted, being used effectively, and are compliant with their organizations’ regulatory obligations. It’s only a matter of time before regulatory sweeps start focusing on remote electronic communications.

For those firms that already permit, with controls, engagement on social media and through text messaging, now is the time to assess whether their programs and controls remain effective and adequately address regulatory obligations as well as pandemic-related adjustments. Those that are relying on a policy to prohibit control must assess whether the policy is sufficient and extensively test – remediating and sanctioning where necessary – the effectiveness of the prohibition. Case in point – just recently the SEC levied a $100,000 penalty for over-reliance on policy and non-technical controls, such as attestations. This indicates that such an approach can leave firms with a false sense of security regarding their texting program.

Regulatory scrutiny of such programs is already in progress and examiners have extensive tooling and a broad set of lenses by which to evaluate compliance (i.e., approved users/channels; content quality; required pre-approvals; extent & adequacy of post-review processes; accuracy & completeness of records made and retained). Given the rapid growth in the use of these channels, it does not seem unreasonable to expect a resurgence in the frequency and, for the most egregious cases, the size of penalties imposed by regulatory agencies in the ensuing months and years. As such, now does not strike me as the time to rely solely on a policy prohibiting certain activity, nor to ask whether implementing technical controls would be deemed a reasonable approach. Now is the time to ensure you have the appropriate solutions, processes, and expertise in place to confidently empower your field in a time when digital client engagement is table stakes.

The Key is Context – Unlocking the Modernization of Archiving & Supervision

Why mess with a good thing? Sometimes we hit on something that works so well that it never changes – like Coca Cola. Unfortunately, most things are not Coke and need to evolve. Email-based archiving – particularly when applied to client engagement activities across social and texting – is one of those areas begging to be modernized.

To meet regulatory recordkeeping requirements and standards (i.e., SEC, FINRA, CFTC, FCA and others), firms have long relied on an email-based approach to take delivery of client communications into their archives. Email-based archiving (SFTP) is akin to sending a package – data is stripped down and organized to fit nicely in a box that can be sorted in a similar way with all the other packages. While the approach results in compliance with archiving mandates, it hampers compliance teams, rendering them less effective and efficient. What this approach lacks is context. Activities are delivered into the archive sometimes as they occur – most commonly with a delay – and are siloed by channel, forcing supervision to piece together conversations that are taking place across days, networks, and channels. This approach conjures up images of old police TV mysteries with cork boards and pinned pieces of yarn to connect suspects – it doesn’t reflect the technological progress we’ve made in other areas of financial services.

However, that is beginning to change. As more efficient, modern methods of data transfer have been introduced, some firms are re-examining how this data is being transferred to them. Archiving via API provides full context of digital communications and real-time access. Firms get a thread based on a full view of the interactions between two contacts instead of the legacy structure imposed by an email-based configuration.

With API-led approaches, firms are gaining real-time access to communications in order to bring speed and efficiency to the archiving and review process. We’ve made investments in Hearsay’s Compliance API to offer real-time access to a stream of activities that unlocks integrations with API-led platforms, simplifying and modernizing recordkeeping, supervision, and discovery. Critically, this offers Supervision teams a unified view of activities across channels to see a full, clear picture, so that the right activities are flagged and remediated.

All this to say that now is the time for firms to consider evaluating whether their archiving processes are as effective as they could be. An API archiving process doesn’t require a massive transformation of the existing setup – for example, Hearsay’s open APIs allow our platform to integrate seamlessly with existing infrastructure, bringing more value to your existing compliance foundation. And as you evaluate options, our team stands ready to lend our expertise.

Sometimes, change is a good thing.

Client Connection in a Socially Distanced World

In order to help advisors thrive in the current environment, corporate teams need to rethink how they guide the field through and beyond the present crisis to adapt to new realities and seize the very real opportunities to make their practices stronger than before.