Remote working doesn’t just create logistical challenges for businesses, it can also create new compliance issues.
As the volume of electronic communications increases, compliance reviewers risk being deluged with excess content if supervision policies are not configured properly. And as new communication channels emerge, companies could find themselves wrong-footed if employees share messages on platforms that aren’t being monitored.
For compliance officers, there has never been a more important time to ensure policies are up-to-date and working effectively so that reviewers are only receiving what is relevant—and that nothing is slipping through the net.
Under these circumstances, there may be a temptation for compliance teams to cut corners by setting up a policy to try and cover as many potential risks as possible, but such an approach will likely increase the number of false positive flags, leaving reviewers swamped with irrelevant communications.
“Adding more policies reduces the flagging rate overall because the policies are focused on a more specific target, so there’s less noise—you’re getting more relevant content and a reduction of overall flagging rates,” said Donald McElligott, VP for compliance at Global Relay.
How to build a successful supervision policy from scratch…
Let’s take trade spoofing as an example. The first step is to assemble basic keywords that people might use when they are talking about spoofing—‘orders’, ‘transactions’, and so forth—followed by words to capture the concept that those orders never intend to be completed.
Of course, those words on their own will be used in many different circumstances, so it’s essential that policies take into consideration the proximity of those words and the context they are being used in.
Once those keyword combinations have been pieced together, the next step is set up some flagging rules. There are two ways to do this—either using negative context or positive context.
- Negative context: remove all the instances where you don’t want to flag a particular word. So for trade, you would eliminate phrases such as ‘trade union’ or ‘trademark’.
- Positive context: highlight the specific phrase you want to flag, automatically ignoring everything else.
By starting with negative context, you can get a better sense of how those words are showing up in your content. If there’s too much noise, try using positive context instead.
Next step—test your policy. First, search your archive for your positive keywords to make sure there aren’t any phrases that you’ve overlooked or if those terms are being used in a different context that you hadn’t expected. Then as you remove negative terms, test those too—do you really need to ignore them? Finally, run the policy in test mode. This way you can catch if it is flagging too many irrelevant messages.
How to refine your policies…
Occasionally policies will throw up false positives where the right terms are being flagged but they are contained within a communication that doesn’t need to be reviewed, such as marketing materials or research documents. These can easily be excluded by using information embedded in headers that will indicate the message is safe to ignore. One example of this could be confidential information. If confidential information is being sent in an encrypted format, then the policy can be set to ignore it. But if that information is being sent in an unencrypted format, the policy will flag it for review.
Another common source of noise is disclaimers and email signatures. In these cases, it is important to identify the wording that is triggering the policy and then ignore that phrase without excluding the message. That way if there is content that needs reviewing, the policy will simply ignore the signature or disclaimer and still flag the actual message.
How to keep your policies in shape…
A mistake compliance teams often make is to set up their supervision policies and then forget about them. This can cause problems later because policies will lose their effectiveness over time as words and phrases change, risks evolve, and new communication channels are used.
The latter is particularly relevant amid the coronavirus pandemic as organizations turn to new online collaboration platforms so employees can stay connected remotely. If those platforms aren’t being monitored, then organizations could face regulatory action. Another impact of the pandemic is that people who didn’t need to have their communications monitored in the office might need to be added to those supervision policies while working from home.
By periodically reviewing how policies are working, compliance officers can quickly make adjustments if those policies have diverged from their original purpose or are not capturing messages from relevant people.
Regularly monitoring policy performance data can also help compliance officers spot if something looks amiss. If a policy is suddenly flagging more messages than usual, it could be because email signatures or disclaimers have been changed, or there is a new product being sold that uses language that triggers a policy and needs fixing. Catching that early will prevent reviewers being overwhelmed with noise and ensure they are only spending time scrutinizing the content that matters.
This post has been sponsored by Global Relay. If you want to know more about Global Relay, go to www.globalrelay.com PlanetCompliance only publishes sponsored content from companies whose products and services we think our audience will find valuable or interesting. For additional information about we handle partnerships and content production, please have a look at the PlanetCompliance Disclosure Policy, which you can find here.