Who is watching the watchdogs? | The potential risk of misuse of surveillance software.
22nd February 2022 by Brielle Hewitt
Why must robust policy and procedures be implemented when utilising surveillance software to protect staff, clients, and third parties?
The latest news from the city has shed light on the misconduct of compliance staff and their misuse of surveillance software at a global lender’s London offices. Bloomberg states:
“In early 2019, BNP Paribas SA compliance staff were handed a powerful new tool designed to help them police a massive trading division that handled billions of euros of transactions each day.
The monitoring software let front-line supervisors search through thousands of employee emails and documents to suss out wrongdoing. Within months, BNP was conducting an internal probe into allegations that a trio of compliance staffers who were testing the application. The employees, part of the French lender’s London-based Front Office Conduct & Surveillance team, had access between March and June 2019 to emails as well as other sensitive information for employees in the global markets division. An internal investigation named Operation Ingot heard allegations that they had used the surveillance software to look up the bonus of a senior staff member at the bank, as well as searching other confidential records, according to people familiar with the matter”.
What’s also completely understandable is this case has landed in the hands of the FCA and ICO due to data privacy breaches and regulatory misconduct.
This complete abuse of position and misuse of the surveillance tool was not inevitable, but much could have been done to stop it from happening. Because the fact is, even those employed and trusted to police an organisation to keep employees on the straight and narrow can also do the wrong thing.
Now, as a provider of ‘surveillance software’ or ‘supervision software,’ as we prefer to call it, it seems left of field to be highlighting this latest piece of news. Our software was not used in this case, and we’re not going to hang the service provider out to dry either. However, we are very aware of the power of our tool and others out on the market, but they are just that, tools. The risk ultimately lies with the users of these tools and how they conduct themselves, not the technology itself.
To demonstrate the point.
Our flagship communications supervision platform, Fingerprint Supervision, captures ALL in scope communications across an organisation (voice, email, WhatsApp, Teams Chat and Calls, Bloomberg chat… you name it, we can ingest it). All of this unstructured communications data is transcribed and standardised. It is then made available to compliance and surveillance staff through an automated risk ranked ‘to-do’ list, allowing users to review and investigate their organisation’s communications to ensure they are finding or even preventing wrongdoing in their organisation.
You don’t need to be a technology wizard to use our platform – we designed it to be simple and user friendly. It is a platform that empowers compliance and surveillance users and takes away so many siloed processes, giving compliance staff complete, automation supported oversight over their entire organisation. That is a severe amount of power sitting with individuals, and, as has been the case with employees at BNP Paribas, it can potentially be misused if not governed appropriately.
So, how do you prevent something like this from happening at your organisation? Do you even implement supervision software?
Well, yes, you do.
The FCA states very clearly that no matter the size of your organisation, you should have ‘effective’ monitoring processes in place (watch our CEO James Hogbin explain precisely why you must have appropriate oversight in place).
With most of us either hybrid working or working remotely, the sheer volume of communications data that flows through a business daily, weekly, monthly cannot be overseen with manual processes and random sampling conducted by compliance staff. These processes are flawed and ineffective, with the potential for complete breach of privacy due to the nature of having to sit and listen to an entire call, warts and all, or read through full email trails to find a particular ‘risky’ word or phrase. You can not effectively oversee an organisation with these processes anymore.
Technology is the answer. It can support financial organisations to run compliant and well-governed operations with complete oversight over communications. And technology is the answer to watching the watchdogs too.
So, what can you do to ensure these powerful and necessary tools are not misused?
Be transparent and be clear on your company culture and expected conduct of ALL employees.
We don’t like the word ‘surveillance’. Our tool is not surveilling people. It monitors communications data across an organisation and provides compliance staff with a strategic tool that gives them total oversight over how people conduct themselves in their communications.
- Be clear about what supervision/ monitoring tools like ours are used for and why:
- To oversee ALL communications to prevent wrongdoing
- Because the FCA insists that regulated firms monitor communications effectively.
- In terms of market data, to prevent market abuse, insider trading, and general wrongdoing.
- To encourage and support good conduct that protects employees, clients, investors and third parties.
- Let the entire organisation know that supervision software is implemented and constantly monitoring communications, market data and activity etc.
- This means your organisation can be completely transparent about its expectations around culture and conduct for ALL across the organisation.
Implement a strong governance and review structure around your technology and data.
- Define your governance structure, who is responsible for monitoring the organisation for regulatory purposes, and who is responsible for monitoring and review of the activity of compliance and surveillance staff.
- Define this governance structure in a Policy and Procedures guidebook and implement training, if necessary.
- Send it out to all those it relates to, and ensure that everyone has read and taken part in relevant training. Refresh it regularly, as monitoring is constantly evolving.
- Review processes of the compliance function should be regular, thorough, and reported upward to senior management and regulators to ensure accountability of ‘watchdogs’ in the organisation.
Technology is the ultimate enabler, and with tools as powerful as communications monitoring platforms now very widely used, it is imperative to have structures and procedures in place to ensure technology is used appropriately. The FCA is embracing big data and technology, and if used correctly, it is a game-changer for firms of any size. There is so much good use of technology in the industry; unfortunately, the misuse always makes the news.
To demonstrate how Fingerprint Supervision provides effective communications monitoring and can support protecting employee privacy, ensuring compliance users are accountable, and their work is reviewed regularly, we’ve created a simple overview of some of the tools available within the platform.
- Activity audits trails: All activity in Fingerprint is preserved in an audit trail and is reportable tools available within the platform. Audit trails must be reviewed regularly for misconduct as per your organisation’s set compliance/ governance review structure, as set out in your organisation’s agreed policy and procedures.
- Obfuscation: Personal details are hidden from surveillance analysts until they request to reveal the details. All requests are audited and must be reviewed regularly to ensure appropriate use.
- Relevance: Employees should rest assured only suspicious communications will be placed on the ‘to do’ list for compliance and surveillance staff to review.
If you’d like to speak to us about implementing Fingerprint Supervision across your organisation to support compliant and data secure communications monitoring, email me, Sean Morgan: firstname.lastname@example.org or give me a call on +44 (0)203 011 4145.