Blog - Just Commentary - Not Legal Advice and Not the Views of the firm or any of its clients!
Zooming toward Regulator Enforcement!
Emerging compliance issues in the COVID-19 “work from home” era.
Author: Gerry McGeachy, C.S., CAMS, CFCS, CFE, FIP
Quick Takeaways for regulated organizations that need to invoke a modified compliance program to address the current pandemic situation:
- Take steps to formally employ a risk based approach to the new expanded “work from home” reality;
- Generate clear documentation surrounding the risk assessment, options, decisions and implementation;
- Engage in education and training specifically related to the use of additional communication tools when working from home;
- Integrate your changes and decisions into the formal organization Code of Conduct and business level guidance and policy;
- Demonstrate support from senior management by having the right decision-makers involved and by allocating appropriate funding for the implementation of the decisions made;
- Ensure clear lines of communication with senior management regarding the decisions, and strive for a unified organizational approach;
- Generate appropriate metrics for evaluation and use them to refine the approach;
- Prepare now for questions from regulators and for litigation through smart information governance, classification of documents and the creation of a record that defends your organization’s decisions and actions.
Have you ever heard the saying “when the cat is away, the mice will play?” These days to a large degree both the cat and the mice are away, working from home and not subject to the usual compliance supervision, monitoring and surveillance. For the most part everyone is getting their work done admirably, managing the pressures of home life and their work day. If you operate in a regulated industry, are you taking steps to ensure that “work from home” is covered by an effective compliance regime?
“…having investigated Canadian banks, and other business entities involved in financial transactions in Canada and internationally, I am convinced that the human factor is one of the largest areas of ongoing vulnerability… and the most likely to generate a regulatory sanction.”
Employees are now able to be on their home phones or their personal cellphones, sitting at a desk with their personal computer alongside their work computer, with access to any sort of third-party communication tool that they should choose to utilize. Without creative thinking and controls, there is no compliance presence, at least in the human, personal sense.
The exodus of personnel from the business office to their home locations is a significant regulatory compliance issue. As I set out herein, one of the greatest concerns and dangers that needs to be managed is the ready availability of additional third-party communication tools in an unmonitored environment. Having prosecuted many cases involving financial crime and having investigated Canadian banks, and other business entities involved in financial transactions in Canada and internationally, I am convinced that the human factor is one of the largest areas of ongoing vulnerability. It is the hardest area to manage and the most likely to generate a regulatory sanction.
In addition to being a crown attorney and prosecutor for many years I was one of the senior litigation counsel in the enforcement branch at the Ontario Securities Commission in 2018 and 2019. At the OSC I was an investigator into companies that range from large international banks all the way down to small internet-based companies offering financial services.
One of the investigations I participated in as senior litigation counsel with the OSC involved Canadian bank foreign exchange traders’ internal and external electronic communication. This investigation resulted in a settlement by TD Bank and the Royal Bank of Canada. The allegations and settlement revolved around a failure to have sufficient supervision and controls in place and insufficient promotion of a culture of compliance. It was agreed ultimately that these failings put customers at risk of harm, could undermine market integrity and were contrary to the public interest.
The world of financial institutions and related businesses seems vast at first glance but it makes sense to break it down into smaller functional groups where specific people have specialized skill sets. The business activities are often performed by people who move around from institution to institution over the course of their career. This results in ongoing relationships which are healthy and great for business, and enable people to get things done. But it also means that your personnel have old friends and trusted contacts who work for, or even own, other businesses. This reality exposes your customers to risk. In areas of operation such as OTC transactions, options, “M&A”, or other areas where salespeople, financial advisors, dealers, brokers and traders who make deals are in a position to share critical confidential deal information with external third parties, the risk is heightened. There may be temptation for individuals or groups to benefit through collusive or manipulative behaviour.
This quick blog article does not delve at length into the larger misconduct issues. This article is mainly about a particular vulnerability that has grown vastly in scale since the arrival of “social distancing” and the overall COVID-19 pandemic response: the availability of unmonitored third-party communication tools (e.g., Zoom, Viber, Telegram, Signal, Houseparty, WeChat, Line, Pryvate Now, Wickr… and the list goes on. Some are specifically designed to ensure encryption and anonymity and are marketed as such).
“…These days … both the cat and the mice are away, working from home and not subject to the usual monitoring and surveillance…”
Right now regulators (appropriately) recognize the severity of the COVID-19 situation and many are relaxing a number of procedural requirements. Things like deadlines and methods of reporting are being modified for the near future but the ultimate obligations regarding substantive regulatory requirements are generally not being modified. For example, the Ontario Securities Commission has published what it has described as temporary blanket relief from deadlines for filing and FINTRAC has required that reporting entities submit a “voluntary self-declaration of non-compliance” which will be “taken into account in future compliance activities”.
This means that when regulators finally catch their breath and begin to look back to consider early to mid-2020, they may have questions for you. Months from now, when things will have (presumably and hopefully) returned to a more normal state, regulators may still be prepared to overlook lapses in some timelines, failure to meet specific date requirements and irregularities in how information was reported. One important way of dealing with a true inability to comply with a deadline is to notify the regulator of the failure, preferably before it happens, provide the reason and confirm that it is documented and provide a plan to address the issue as soon as possible. That will help somewhat with a due date for filing a document, but substantive failures which reflect true regulatory failings are unlikely to get a pass. For true substantive violations where the required level of diligence cannot be established, it is more likely that the COVID-19 pandemic response will translate into a reduction in overall penalty or other sanction, if the error was in good faith. It is worth noting that a reduced regulatory penalty does not necessarily translate into a reduction in reputational harm in the eyes of the public or the capital markets community.
The “Work from Home” Change Brought About by COVID-19
There are numerous developments taking place as a result of COVID-19 but one of the greatest is that vast numbers of workers are now operating out of their own homes, and not coming into the office.
Is your organization ready to:
(i) Take steps to ensure that your “work from home” employees are not engaged in misconduct at home that affects your business?
(ii) Defensibly capture and document the development of your in-house compliance approach to the new reality such that you will be able to satisfy your regulators that you have done a sufficient job?
(This latter point (ii) is not about factually doing a good job. It is about the equally important task of generating a defensible evidentiary record that can be produced on demand to demonstrate to a regulator that there is no need for an investigation or enforcement proceeding. You have to comply. You also have to be able to show that you complied.)
“…You have to comply. You also have to be able to show that you complied.”
People are Great – They are also a Great Source of Vulnerability
Human skill, creativity, motivation, experience, relationships and intelligence underlie all successful business operations. But some of the problems with humans within a regulated organization include that they:
- occasionally make mistakes;
- have limited capacity to remember and process large data sets;
- are often ambitious;
- can at times be lazy or procrastinate;
- rationalize when confronted with a choice between ethics/compliance and self-interest;
- can be wilfully dishonest, sometimes in creative and unpredictable ways.
In order to adequately assess what is required and to ensure that the “work from home” reality is addressed we should look to current best practices including:
- establishing an overall risk appetite for the organization and for business units;
- “Tone from the Top”;
- education and training;
- global and departmental codes of conduct;
- whistleblower programs;
- appropriate compensation structure;
- training and awareness about the presence of surveillance and monitoring;
- deterrent practices including appropriate sanctions for misconduct ranging from education to dismissal.
These are all applicable and important during the rapid shift to “work from home” that is required to address COVID-19.
There are “carrots” and “sticks” built into these practices. Some are intended to encourage and push people toward the right behaviours. Appropriate compensation structure falls into this category, particularly if compliance behaviours are factored into decisions surrounding compensation and career advancement.
Some of the practices are intended to identify misconduct and punish it. A number of them have a blended effect. Surveillance and monitoring are a “stick” because they catch misconduct and facilitate an enforcement step. But additionally, widespread distribution of information about the existence of surveillance and monitoring or a whistleblower program encourages appropriate behaviour. It encourages those who would apply a cost vs. benefit approach to misconduct to attach greater costs to misconduct due to the increased likelihood of being caught. This makes misconduct appear less attractive to those types of individuals.
Negative financial or reputational harm often flows from honest human error (often caused by sloppiness or curiosity), as in the case of phishing-type attacks and those involving social engineering. But there is also human dishonesty, fraud and corruption to address. We know from experience that there is a risk that some misconduct may be tolerated by senior management if the bad actor generates enough profit, or if the behaviour can be rationalized into a dubious form of acceptance or even wilful blindness.
And then there are organizations where people openly behave unethically because that is “what you have to do”.
At the current time, there is a huge looming compliance risk for regulated financial sector businesses arising out of the massive changes and the “work from home” status of such a large number of employees. In addition to the number of employees, there are a number of roles that would not traditionally have been amenable to “work from home”. Regardless of the role of the personnel, the goal should be to modify compliance practices and procedures in order to ensure a reasonably similar level of oversight. Are you managing to enable the same level of monitoring and surveillance of personnel working from home? Are they sitting in their home office using their home computer on their desk alongside their work computer? Would this have been permitted if they were working in-house?
It is equally important to consider whether the “work from home” employee has the appropriate resources in the home environment. If not, then efforts should be made to ensure that the right tools are available to do the job. For example, a front line employee who conducts new account onboarding and CDD should have access to the same information remotely as they would have in the office. This includes sanctions checks, negative news, and proprietary and open source tools.
Additionally, there are unique features of the current COVID-19 transition and of the attempts to get people working in a socially distant way. It happened so quickly and without the usual planning or implementation of controls and performance indicators that compliance gaps have undoubtedly arisen. Of course, this change has been out of necessity. Businesses are being forced to get work done in a very different way, using different communication tools and in a less monitored and surveilled environment, on a much quicker timeline than would have applied had the change been implemented after careful consideration of all the risks associated with it.
“…Regardless of the role of the personnel, the goal should be to modify compliance practices and procedures in order to ensure a reasonably similar level of oversight.”
How are you going to address employees who are now able to use third-party communication channels to communicate in an unmonitored way? Are you allowing new communication tools to be installed on work devices during this period of change? Have they been properly evaluated not only through a privacy and data security lens, but also from a surveillance perspective? Can all the communications be ingested into your existing monitoring system? There is a considerable risk that senior management or business unit managers are taking steps, again out of a sense of necessity, to enable third-party “off the book” communication tools such as Zoom or other chat-type tools for off-site employees.
This effectively eliminates the ability of any electronic transaction monitoring system to capture communications with third parties. Even if the installation of software on a “work device” is not permitted, people are now operating out of less secure locations. It is simply not possible to have compliance personnel or business unit compliance people visit everyone in their home office, or be present and visible and in a position to observe and make inquiry. Perhaps even more importantly, there may be a sense that they are not as available to mentor and assist personnel with issues requiring clarification or interpretation. The essential message is that companies need to apply the full range of compliance program thinking to the new “work from home” reality. At its core is a risk based approach, enabling resources and thinking to be applied efficiently and proportionally to the most realistic and probable threats.
Graydon McGeachy Law LLP would be pleased to discuss how we can help you address any of your regulatory concerns. Before moving to private practice in 2019, Gerry McGeachy was a crown attorney in Ontario for 15 years, worked at a national law firm on matters for institutional clients and was a senior litigation counsel at the Ontario Securities Commission – Enforcement Branch. He understands evidence and government investigations.