Tablets, smartphones and other mobile devices are everywhere in business, and the financial services industry is no exception.
Unlike those in less-regulated industries, financial services firms and their employees have to worry about more than the device being lost, stolen, or otherwise compromised. Regulations mandate that all business-related communications sent over the device, including email, social media, text messages, instant messaging, and other apps, be archived, supervised and ready to present to regulators when they ask for it.
The 2013 Smarsh Electronic Communications Compliance Survey found that policies and archiving solutions for mobile communications still lag behind device adoption, leaving advisers and their employers vulnerable to today’s rigorous regulatory rules.
Here are some steps you can take to ensure mobile devices aren’t putting your firm at risk for compliance violations or other regulatory issues:
1. Know the rules and regulations
Both the SEC and FINRA have strict rules regarding the monitoring and retention of electronic communications, and mobile communications are no exception. FINRA, for example, specifically provides directives on the use of personal and corporate-issued devices in FINRA Regulatory Notice 11-39. According to the notice, whether a message is a business communication does not depend on the type of device or technology used to transmit it, but on the nature of its content in relation to a firm’s business. In other words, the content of an electronic communication determines whether it is a business communication, not the device it was sent from. Email sent on a mobile device needs to be archived and supervised, just like email on your office PC. Other types of communications, such as text messages and social media posts, also need to be archived and supervised across platforms.
Notice 11-39 also says a firm’s policies and procedures must include training and education of its employees regarding the difference between business and non-business communications and the measures needed to ensure business communications are archived, supervised, and retrievable.
2. Know which mobile devices are allowed for business purposes
Financial advisers should make sure they have a clear understanding of what devices are allowed for business purposes. This should come from the compliance and IT teams, who should work together to ensure that technology decisions are made with regulatory requirements in mind. IT can also help ensure corporate-issued devices are set up with the appropriate usage and archiving settings before they are given to employees.
The proliferation of bring-your-own-device (BYOD) in the financial services industry creates another layer of compliance complexity. While many firms only allow their reps to have corporate-issued mobile devices for business communication, it’s increasingly difficult to prohibit personal devices in the workplace. A recent Osterman Research white paper, Managing BYOD in Corporate Environments, indicates organizations that don’t address BYODA (Bring Your Own Device and Applications) increase their risk on a number of fronts, including the possibility of security breaches, malware intrusion and an inability to meet corporate governance, legal or regulatory obligations.
A sound mobile device policy will indicate whether your firm allows or prohibits mobile devices (corporate or personal) from accessing the company network—and will give directives about viewing data and transferring or storing data on a mobile device. Ideally, your firm’s legal, compliance and IT teams will create the parameters for this part of the policy together.
3. Keep your mobile device policy up to date
Over time, your firm’s policy should evolve to keep pace with changes in devices and regulations. For instance, will your firm allow reps to use social media for business on corporate-issued devices, but prohibit it on personal devices? The mobile device policy should provide specific guidance on the platforms and applications that advisers are allowed or prohibited from using on both types of devices. It should also spell out the steps your firm will take in e-discovery situations (remote collection of data) and in the event of device loss or theft (remotely wiping data).
Other guidelines may include rules for security, areas where mobile use is prohibited (a particular geography or place), and supervision of mobile communication and content for audits and regulatory examinations. Specifics about your firm’s archiving platform should be included along with employee instructions for enabling archiving on mobile devices. An outline of consequences for those who don’t follow the guidelines is also essential.
Once these first steps are taken to build a mobile device policy, the selection of a comprehensive archiving solution can help your firm supervise the various electronic messages found on mobile devices and enforce policies where needed. This is especially important at the points where your firm’s social media communications and mobile devices connect.
It’s a wild mobile world out there. Make sure your firm is up to its challenges.
What do you think? What are some of your own guidelines for using mobile devices in your business?
Stephen Marsh is the CEO and founder of Smarsh, a leading provider of hosted archiving and compliance solutions for email and electronic communications.