Citigroup recently agreed to pay a $15 million penalty for compliance breaches that technology could have prevented. As evidenced by such high-profile cases, even some of the leading financial firms overlook the role that technology can play in avoiding costly compliance failures.
"Today's high-speed markets require that broker-dealers and investment advisers manage the convergence of technology and compliance," Andrew Ceresney, director of the Securities and Exchange Commission's Division of Enforcement, said in an Aug. 19 news release.
According to the SEC, Citigroup failed to enforce policies and procedures to prevent securities transactions that involved the misuse of material, nonpublic information. Moreover, Citigroup's policies and procedures to avoid the improprieties were not reasonably designed or implemented.
Like the SEC, the Financial Industry Regulatory Authority Inc. is scrutinizing more closely areas of risk that technology — like a double-edged sword — can both cause and combat. For instance, in September, Finra issued an alert to warn investors of so-called "pump and dump" stock promotions sent through instant messaging applications.
With businesses increasingly reliant on technology, regulators are weighing the preventive measures companies employ to protect the most sensitive, technology-dependent functions of the enterprise, such as trading, communications, document management and cybersecurity.
A common thread across technology-driven breaches is the failure of firms to establish and enforce policies and procedures that are reasonably designed and implemented, and to conduct periodic risk assessments.
Compliance breaches stem from organizations' inability or failure to identify and mitigate risks that are not actively controlled. Manual compliance management methods remain endemic, and practices such as using spreadsheets to track assessments and compliance manual reviews make it impossible to easily cross-reference and collaborate on supervisory tasks across divisional lines.
Making matters worse, the growing demand for compliance talent has led to acute industrywide staff turnover risk. This is particularly true for companies that rely on manual methods to manage compliance and are ill-prepared to face the dangers of key-man risk. When compliance officers depart, they take significant institutional knowledge with them. The company is thus unable to piece together its compliance exposure, particularly in the event of a breach.
Here are some questions that firms need to ask … and answer:
• What is the history of the firm's compliance issues?
• What measures were taken?
• Where is the evidence?
• What steps should be taken next?
A number of single-function compliance management systems have emerged, such as email archival, trading surveillance and anti-money laundering solutions, to detect and prevent these and other types of malfeasance. But the vast majority of compliance solutions lack the ability to centralize data and deliver visibility across areas of risk exposure.
The integration of tools that deliver an enterprise-wide view of compliance activities helps firms manage tasks such as staff certifications and risk assessments more easily and effectively. A dynamic dashboard and secure online portal can deliver broad visibility, with centralized document and task management. Automated reminders can be routed and time-stamped as an audit trail of which actions are taken when and by whom. In addition, turnover risk is mitigated to the extent that a firm leverages technology to capture and replicate a departing individual's expertise.
Given today's fast-paced interconnected markets, financial firms should seize every opportunity to manage the convergence of compliance and technology. By leveraging comprehensive solutions, companies can link controls to the sources of risk and document their proactive efforts to stay ahead of perpetrators. A technology-enhanced approach to managing compliance benefits clients by safeguarding their information and assets. But it also demonstrates to regulators that firms are committed to running a business that is audit-ready and operationally responsible.
Carlos Guillen is president and chief executive of BasisCode Compliance.