Trial and Error: When It Comes to Compliance, the Bare Minimum Isn’t Enough Anymore
Too many financial institutions view compliance as a finite qualification. Either your firm is compliant, or it's noncompliant and thus subject to any combination of fines, penalties, litigation and negative publicity. And if compliance is treated as a Boolean equation, then the logical response is to do as little as possible to demonstrate compliance.
It is important to note that this mentality does not hold across the board: some regulations, such as Reg NMS, MiFID and Basel II, garner great attention and investment because they open the door to new business strategy and change the dynamic of how firms compete.
But the remaining regulations that do not have a direct impact on business lines or product are typically treated as commodities, and compliance with their requirements is considered a necessary evil. Building out robust compliance functionality in these areas often is overlooked within an organization because "regulation is viewed as overhead and not as value-added [activity]," says Cubillas Ding, senior analyst, securities and investments, of Boston-based Celent.
"For many institutions the compliance activities serve primarily to avoid fines and also to protect the reputation of the firm," Ding says. "They may not have necessarily asked themselves questions with the long-term view." Ignoring the long-term implications of compliance programs can result in solutions that can cost firms more time and money down the line. One firm that is taking the long-term view is Detwiler, Mitchell, Fenton & Graves (DMFG).
The Boston-based broker-dealer has continually reevaluated its technology solutions, leading the firm to implement its third e-mail management solution in as many years. For DMFG the improvement of its e-mail records retention solution was not intended to simply keep the firm in compliance with related regulations, including NASD 3010 and SEC Rules 17a-3 and 17a-4, according to the firm's chief compliance officer, Robert Jeffords. The decision to change providers twice since 2004 was an attempt to make the process quicker, more secure and less expensive.
If at First You Don't Succeed
DMFG went through two e-mail compliance solutions before settling on Norwalk, Conn.-based Fortiva in mid-2006. Jeffords declines to name his previous providers, but he is happy to spell out the difficulties he experienced in switching to a hosted retention and management solution.
The foremost trouble with the previous vendors, says Jeffords, was performance. Running queries and viewing messages were sluggish at best, and with DMFG's supervisors expected to review as much as 10 percent of their workers' messages daily, the process was a drain on efficiency.
Additionally, when trying to resolve the ineffectiveness of keyword searching, Jeffords uncovered a security liability. "When the president of the company was trying to save our account ... he was on the phone with us. We were telling him all of the search problems we were having, and he said, 'Well, give me some terms and I'll search it,'" Jeffords recalls. "So he searched the database and was reading our e-mails."
The realization that DMFG's sensitive archived messages could be accessed at will by its vendor was the last straw, Jeffords says. One of the main selling points of the Fortiva Archiving and Compliance Suite was its "double-blind" encryption feature, which keeps all parties other than authorized DMFG employees from reading archived data.
Jeffords' decision to move to DMFG's third e-mail archiving provider has resulted in several business benefits, he reports. Efficiency of reviewing the thousands of messages that move in and out of the company via e-mail and instant messaging has soared. An activity that once took hours each day has been reduced to minutes, he says. And thanks to a new user-friendly interface, the message-review workload now can be distributed to five supervisors within the organization who conduct reviews as part of their daily responsibilities, he adds. Previously, DMFG had one full-time employee devoted to e-mail supervision.
The most valuable benefit is the peace of mind that comes from knowing that DMFG can pass a regulator's inspection, Jeffords says. "The more review that you do and the more that you can document your review, the less likely you'll be to have a failure to supervise," he says.