The Australian Securities and Investments Commission (ASIC) has become the latest regulator to set out clear expectations around business communications. In a recent information sheet (INFO 283), the regulator clarified what it requires of firms and issued practical guidance for market intermediaries, including investment banks, securities dealers, and corporate advisors, on how to better understand and manage communications risks.
ASIC’s information release calls on market participants to “strengthen their supervisory arrangements for recording and monitoring representatives’ business communications to prevent, detect, and promptly address misconduct”.
Business communication breakdown
ASIC clarifies what it considers “business communication” for regulatory and supervision purposes, specifying that it includes:
“Any written, voice or electronic communications used by market intermediaries and their representatives to carry on their financial services business. This includes, but is not limited to, communications reasonably required to meet record-keeping obligations and enable monitoring of compliance with financial services laws.”
Particularly noteworthy is the specific mention of voice communications, as this is not something ASIC’s regulatory neighbors in other jurisdictions have spelled out quite so clearly. The release reminds readers of obligations under Futures Markets Rule 2.2.7 that they “record, via telephone lines and/or other electronic devices, all conversations with clients and other parties relating to client instructions.” The scope also mentions the importance of the recordkeeping aspect of communications capture, something we see firms continually overlook.
The information sheet goes on to drive home the importance of capturing business communications:
“In order to prevent and promptly detect misconduct and poor behavior, market intermediaries need to adequately supervise their representatives. We expect market intermediaries to take reasonable steps (in line with the potential harms from misconduct) to actively monitor and store business communications, in keeping with their obligations.”
Again, it is interesting that ASIC specifically highlights ‘misconduct and poor behavior’ as motivating factors in the need for business communications monitoring. This continues a wider regulatory shift towards firms being required to consider potential cultural and non-financial misconduct risks, as well as the more ‘traditional’ risks of “contraventions of financial services laws”.
Reviewing the risks
The information sheet and accompanying media release summarize the common challenges firms face when supervising business communications, including:
- The emergence of new and popular communication channels outside the scope of surveillance systems
- Weak or no controls to identify where data used in surveillance systems is incomplete or erroneous
- Reliance on ‘out of the box’ settings on vendor-provided communication surveillance systems
Two of these risks are something firms can take direct action to mitigate. Firstly, they can implement compliant data archiving and direct business communications capture solutions to ensure they are comprehensively capturing all communications data across every channel they use without data loss. By working with experienced vendors that understand the risks and requirements, firms are able to tailor surveillance systems to their specific risk appetite and communications usage, rather than relying on ‘out of the box’ settings.
ASIC also references “the risks arising from the widespread use of personal devices and unapproved communication channels” that have been highlighted by recent actions from other regulators at home and away, including the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC). Clearly, the prevailing risks are well known worldwide – and regulatory expectations are falling into lockstep.
New tech = no worries?
ASIC highlights the risks presented by emerging technologies driving fast-paced change within the financial and compliance spaces throughout the information release. However, the regulator balances this by saying that although new technologies present challenges, “they also offer solutions for complying with record-keeping and compliance monitoring obligations.”
The information sheet lists key measures that firms can use to adapt to the changing technology and compliance landscape, including:
- Policies and procedures that identify communications channels approved by the market intermediate for business communications
- Outlining how to handle communications through unapproved channels for record-keeping and compliance monitoring purposes
- Providing ongoing training on policies and regulatory requirements, including real-life examples
- Having representatives regularly attest that they have read, understood, and will comply with policies
- Establishing consequence management frameworks and actions for policy breaches that provide a visible, credible deterrent
- Supervisory arrangements for monitoring business communications that are reviewed regularly to consider emerging conduct risks and the impacts of communication applications
- Processes for regular independent review and testing of the effectiveness of surveillance controls and supervision frameworks
Many of these steps echo the expectations set out by other regulators and are accepted as current ‘best practice’ for compliance. However, the final two points place interesting emphasis on the need for firms to consistently review their policies and controls to ensure that they are effective in the face of evolving risks. As we’ve seen from the UK’s Financial Conduct Authority (FCA) Market Watch 79, firms that set up surveillance and monitoring solutions as ‘fire and forget’ initiatives that aren’t regularly reviewed put themselves at risk, and might end up in the sights of regulators.
Searching questions
The info sheet provides firms with an actionable resource, including a series of suggested questions that firms can use to benchmark their supervisory arrangements and ensure they are reviewed consistently, and able to adapt to industry and technology changes. Firms are encouraged to use the below questions to “consider and review their supervisory arrangements, considering the nature, scale, and complexity of the business”:
- Are supervisory arrangements adequate to record and monitor the business communications of representatives and identify potential misconduct?
- Do supervisory arrangements incorporate reasonable steps to detect the use of unapproved communication channels, incomplete conversations on approved communication channels, or insufficient record keeping?
- Are supervisory arrangements reviewed frequently enough to assess and adequately manage the risk posed by new and emerging communication channels that have not been authorized?
- Are appropriate records of business communications being kept to facilitate monitoring, reviews, and audits in accordance with regulatory requirements?
These questions allow firms to self-assess their supervision and monitoring posture against the most common risks associated with business communications. The list also includes a question that prompts consideration of the potential overlap between personal and business communications that can occur, especially with channels like Social Media, text messaging, and in many scenarios where individuals are using personal devices for business communications:
- How do representatives record informal communications that may arise with clients or other parties that are required to meet the market intermediaries’ record-keeping and other obligations?
Such ‘informal’ communications are still expected to be captured and retained, no matter what channel they take place over – or else firms could find themselves on the sharp end of an off-channel communications enforcement.
Greater expectations
This release from ASIC comes during a period of increasing regulatory transparency, with regulators aiming to foster an atmosphere of greater collaboration and clearer expectations. ASIC Commissioner Simone Constant summarizes those expectations:
“Bankers, dealers, and market participants have important roles as gatekeepers to Australia’s financial markets and stewards of market integrity. We expect them to maintain strong and effective supervisory arrangements to manage the risk of harm to clients and to market integrity.”
ASIC’s view is that firms have a very real role in keeping risk down, understanding the need for effective compliance, and reviewing their posture regularly to ensure they aren’t caught out. Backing up this idea of compliance being a constantly evolving discipline, Constant says:
“Rapidly evolving technologies, use of personal devices, and wider adoption of remote or hybrid working arrangements present challenges for monitoring and recordkeeping. We expect market intermediaries to periodically review their arrangements for supervision of business communications so they are working effectively, and are appropriate for the nature, scale, and complexity of their business.”
ASIC and other regulators are consistently giving firms all the guidance they need and setting expectations clearly around the need to ensure strong supervision of business communications. Regulatory messaging is becoming clearer and more transparent, perhaps as a result of frustration with firms repeatedly failing to get the basics right. The red lines are there, the tools are available – it’s time firms said fair dinkum.