Written by: Mitch Avnet | Compliance Risk Concept
As a Former Chief Compliance Officer, I am frequently asked by my clients to help them find / understand where the “risk” is in their compliance programs / throughout their organizations. For me, a huge part of an organization’s risk profile comes down to the quality of their surveillance protocols and the quality of information gleaned from these processes.

As most Compliance Officers within Financial Services recently saw in the widely publicized insider trading case involving the Ex-JP Morgan Banker and his father – the two were able to devise a scheme utilizing “golf-related code” in their illegal emails, where “tips” were provided, enabling the Banker’s father to earn over $1 million in illegal profits. In case you missed this, read it here:
http://www.sec.gov/news/pressrelease/2015-90.html

Know the Code?
The following “coded” emails were pinpointed and referenced by the SEC in their case. Do you think your electronic surveillance platform could have surfaced these communications?

Based on the answer I’m sure most of us would be afraid to utter, Compliance Officers should be pondering if their electronic surveillance platforms are doing all that they can to help detect, prevent, and mitigate the risk associated with deceptive communications.
Searching for a Needle in a Stack of Needles
Within the Financial Services vertical, electronic communications surveillance has become an area where most firms / Compliance Officers have become “accepting” of their process. It has almost become an area where firms / individuals rest on their laurels – assuming their process will pass muster with the regulators, satisfying the review and retention requirements stipulated by FINRA and the SEC.

This “comfort” leaves firms exposed. Since most electronic surveillance technologies are based on keyword / key phrase searches, they often come up short in terms of their overall utility to an organization. In fact, most individuals charged with the supervisory responsibility of reviewing emails often complain about the redundancy in the process / the amount of false positives – and the valuable time wasted reviewing and approving emails that have no applicability to, and present no true risk to, their organizations. Truthfully, I’ve heard the process described as worse than “finding a needle in a haystack”. It’s more like “finding a needle in a stack of needles”.
Is There a Better Way?
As fraud-detection technologies have evolved, better solutions have emerged. Now, technologies exist that are policy driven, relying on complex algorithms to identify “behaviors”. As these technologies improve, they will actually learn from the behaviors you don’t want to see versus the ones you do.

The Ex-JP Morgan Banker case presents an interesting dilemma for firms. Do you still rely on antiquated technology – or do you use this as an opportunity to test the waters for improved surveillance / detection systems that can help better defend your firm from these types of outcomes?
Is There a Business Case Here? Something All Compliance Officers Should Ponder…
In the end, nothing can fully protect a firm against an employee-driven fraud. Fraudsters are smart – and will always devise schemes that allow them to penetrate company defenses. The question is – how quickly can you catch these individuals and mitigate reputational risk, regulatory issues and financial loss?

It’s a very interesting problem and dilemma to contemplate. In the end, it is my opinion that when these market events occur, Compliance Officers have a limited window of opportunity to improve their company’s defenses – and they should seize the opportunity!