By Douglas Weeden, Esq., 17a-4 LLC
DECEMBER 2018
The production of electronically stored information (ESI), including instant messaging and other forms of real-time communication, is now routine for enterprises demonstrating regulatory compliance or responding to civil litigation. While corporate legal and compliance departments dutifully recognize this shared responsibility, they are rarely aligned when it comes to performing it. In fairness, the two departments differ in corporate function and professional skill set, but the stark misalignment between them is troubling, considering that both groups work from the same information sets and use similar search and data analysis tools.
Given today's pace of innovation and the proliferation of platforms used to conduct business, it is imperative for compliance departments to lead on this issue by continually adapting supervisory systems and security processes to complement eDiscovery programs and improve their efficiency. The old notion that compliance's job is limited to the timely capture and monitoring of all corporate communications, while eDiscovery's exclusive domain is the detailed legal analysis of large datasets, is an excuse for the status quo. Compliance departments that recognize their unique position as stewards of corporate information, and that proactively coordinate with legal teams to integrate the two sets of processes, are leading the way and leaving unprepared competitors behind.
Risk-based Compliance
Compliance teams are stepping up by monitoring corporate activities and attempting to find legal, HR or regulatory issues before they become either an external enforcement matter or a legal action against the organization. To do that, departments are implementing creative and proactive approaches to anticipating potential risks or problem areas. In the financial industry, FINRA understands this implicitly, and its guidance challenges member firms to take a 'risk-based' approach to compliance. In no uncertain terms, FINRA insists that when reviewing activities within a member firm, the firm focus on the areas and types of communications where inappropriate behavior or illegality is likely to occur, and design supervisory systems that address those risks.
In a trading culture, for instance, it is appropriate to monitor for language that may indicate harassment, words offensive to customers, or inappropriate representations of financial products. Monitoring conversations on a trading desk has proven to be an effective complement to employee training and management. If the organization is involved in international commercial transactions, on the other hand, compliance should monitor for words that may indicate gifts, inappropriate entertainment and other activities that could violate internal policies or regulations such as the Foreign Corrupt Practices Act (FCPA). While the business risk is unique to each organization, a proactive and creative approach to identifying and mitigating it is imperative for every enterprise.
Compliance's mandate, however, is now perceived to be much larger than regulatory compliance or corporate culture alone. It extends into many other areas of a firm, including protecting its intellectual property (IP), confidential data, employees' protected health information (PHI) and corporate financial records. To that end, we regularly work with clients to implement tools that detect whether software source code or confidential information on pending transactions is being sent out of the firm. Each type of issue requires its own sampling process and flagging lexicon.
In the U.S., all three major regulators, the SEC, FINRA and the CFTC, require firms to retain business communications in whatever medium they occur, including messaging and collaboration platforms (SEC Rule 17a-4, FINRA Rule 4511 and CFTC Regulation 1.31). This gives compliance teams the raw material on which powerful search tools can ferret out problems. With that material in hand, the investment in a strong compliance program will be more than offset by savings in legal and eDiscovery costs whenever an issue is caught before it reaches litigation.
One recent example is the 1MDB bond offerings, which netted Goldman Sachs roughly $600 million in fees and, according to U.S. prosecutors, involved bribes and kickbacks to senior Malaysian officials. The case raises questions about how the bankers communicated and whether they used encrypted messaging apps. Most firms require employees to sign agreements not to use such apps to conduct business. If the bankers did use them, are there words in non-encrypted messages suggesting that the participants moved to WhatsApp or Telegram? Was there consistent communication with the Malaysian officials on Goldman's own messaging platforms, or did it stop at some point before the transaction? A conversation that abruptly goes quiet on the compliant platform can indicate that it moved to an encrypted, non-compliant one. These are not easy cases for compliance departments to find, but more often than not there are discernible red flags.
Compliance Technologies
Can compliance technologies save money in legal and eDiscovery processes? Potentially, yes, but the first and most important requirement is for compliance teams to have most of the required content in their systems. Over the past 10 years, great strides have been made in capturing messaging, social media, collaboration and presentation content and bringing all of these disparate formats into a single archive. That allows compliance to search for words and patterns across email, chat, SMS text messaging, social media and industry platforms such as Bloomberg, Reuters, Symphony and Slack.
Even though an organization has already collected this information for compliance purposes, legal departments in many cases want to re-collect content to bring it into their eDiscovery system. To justify the re-collection, legal may claim that the metadata in the compliance archive is insufficient or that there is no effective 'chain of custody' for the information in the archive. A discussion between compliance, legal and IT during the design of the archive system will usually resolve these concerns and greatly simplify and reduce the cost of eDiscovery collection. One straightforward way to address chain of custody, for instance, is to compute a cryptographic hash (SHA-256, not MD5 or SHA-1, which are no longer collision resistant) over the bytes of each message at the moment it is captured and store the hash with the record. When the document is later offered as evidence, the hash is recalculated over the bytes being produced; if the two values match, the produced record is byte-for-byte what was captured. Two caveats apply: the hash must be computed over the same representation that will be produced (a copy normalized after capture will not match the capture-time hash), and the stored hashes themselves must be protected from alteration, for example by keeping them in WORM storage or by chaining or signing the manifest that holds them.
Some clients are also leveraging compliance technologies to establish a defensible posture in preparation for the 'meet and confer' conference required by FRCP Rule 26(f). To combat expensive fishing expeditions, compliance documentation and processes can clearly articulate to both the court and opposing counsel what information is available in response to an eDiscovery request.
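The capture-time hashing described above, as an added example (not code from the article or from 17a-4 LLC). It assumes the archive keeps the raw captured bytes of each message unchanged and writes a manifest entry beside them; the manifest entries are chained so that a later edit to any entry is detectable, and the sample message is constructed for the example.

```python
"""Chain-of-custody hashing for an archive capture pipeline (added example)."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # prev-hash recorded by the first manifest entry

# Constructed sample: the raw message bytes exactly as the capture connector received them.
RAW_MESSAGE = (
    b"From: trader@example.com\r\n"
    b"To: client@example.net\r\n"
    b"Date: Mon, 03 Dec 2018 14:02:11 +0000\r\n"
    b"Subject: Q4 allocation\r\n"
    b"\r\n"
    b"Confirming the allocation we discussed.\r\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash of a manifest entry over canonical JSON, so any field change is detectable."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return sha256_hex(canon)


def capture(raw: bytes, record_id: str, source: str, captured_at: str, prev_hash: str) -> dict:
    """Ingest one message: digest the raw bytes before any normalisation, then chain the entry."""
    entry = {
        "record_id": record_id,
        "source": source,            # assumed labels such as "smtp", "bloomberg", "slack"
        "captured_at": captured_at,  # ISO 8601, UTC
        "algorithm": "sha256",
        "digest": sha256_hex(raw),
        "size": len(raw),
        "prev": prev_hash,
    }
    entry["entry_hash"] = entry_hash(entry)
    return entry


def verify_record(raw: bytes, entry: dict) -> bool:
    """At production time: recompute over the bytes being produced and compare to capture time."""
    if entry.get("algorithm") != "sha256":
        return False   # never "verify" with an unknown or weak algorithm
    return len(raw) == entry["size"] and hmac.compare_digest(sha256_hex(raw), entry["digest"])


def verify_chain(entries: list) -> bool:
    """Check each entry's own hash and its link to the previous entry."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e.get("prev") != prev or entry_hash(body) != e.get("entry_hash"):
            return False
        prev = e["entry_hash"]
    return True


def demo() -> dict:
    e1 = capture(RAW_MESSAGE, "r-0001", "smtp", "2018-12-03T14:02:12Z", GENESIS)
    e2 = capture(b"chat: ok, sending the allocation sheet", "r-0002", "slack",
                 "2018-12-03T14:05:40Z", e1["entry_hash"])
    # A copy normalised after capture (time zone rewritten for display) is not the record.
    normalised = RAW_MESSAGE.replace(b"+0000", b"-0500")
    # Editing a manifest entry after the fact breaks the chain.
    tampered = [dict(e1, size=e1["size"] + 1), e2]
    return {
        "original_verifies": verify_record(RAW_MESSAGE, e1),
        "normalised_verifies": verify_record(normalised, e1),
        "chain_ok": verify_chain([e1, e2]),
        "tampered_chain_ok": verify_chain(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `normalised` case is the caveat from the text: if the archive produces a reformatted copy rather than the bytes it hashed, the custody check fails even though nobody tampered with anything, so keep the raw capture and derive display copies from it.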
Annual Review
Legal and compliance departments need, at least annually, to review the archive as an organizational resource for both departments. If no eDiscovery request has been performed during the year, an 'eDiscovery fire drill' should be run to ensure that all the processes needed for an effective production are in place. If new messaging or collaboration systems were put into production during the year, both departments should confirm that their metadata is adequate. For instance, many industry platforms don't use the corporate email address to identify users; Bloomberg messaging uses addresses of the form name@bloomberg.net. When legal performs an eDiscovery production for a custodian, it must search on every address and handle associated with that user, or the production will be incomplete.
Updating the archive system documentation is also a useful exercise during the annual review. It should cover the archival platform, the types of content ingested, the metadata associated with each content type, the hashing or 'chain of custody' processes in place, and the normalization of information such as user names, time and date formats, languages used, and password and encryption key handling.
The resulting system document is valuable in the FRCP Rule 26(f) 'meet and confer' because it gives both the court and opposing counsel the information available for an eDiscovery request. We have encountered many situations where the two departments were not working together, resulting in incomplete productions: emails pulled from the archive and handed to legal without the associated chats, or emails and chats produced without the messages from a required industry platform such as Bloomberg. Courts have little tolerance for legal teams that do not understand what information they can produce when they arrive at the 'meet and confer', and incomplete productions expose the firm and its counsel to sanctions.
After the annual review, the legal team should walk through the system with the outside counsel it uses for litigation. Is outside counsel comfortable with the archive system, and does counsel understand which records are available and in what format? Again, an eDiscovery fire drill is a valuable exercise to confirm that Bloomberg or IM files can be loaded into the preferred eDiscovery platform in a usable, fully searchable form. Agreement is needed on whether that format is a .pst file, a text document or a specific export format such as EDRM XML. If emails or documents are encrypted, the eDiscovery system needs to flag that content and prompt for the decryption key. If a messaging system is used that does not decrypt messages, those messages must be flagged and identified so that the production accounts for them.
Both the compliance-legal review and the resulting documentation should also be signed off by senior management. For broker-dealers this falls under FINRA Rules 3120 and 3130, which require an annual report to senior management on the firm's supervisory control system and an annual certification by the CEO, made after meeting with the chief compliance officer, that the firm has processes in place to establish, maintain, review, test and modify its compliance policies and supervisory procedures. If the CEO or other senior management knows that a new system such as Salesforce's Quip, Slack or Microsoft Teams is being introduced, the compliance team should meet with IT to make sure the archive can capture that system's content before it goes live.
Data Loss Prevention [DLP] Policies
Many financial firms archive messaging and collaboration content, yet these systems capture content after it has been sent or received rather than before it leaves the organization. To protect institutional assets such as intellectual property (IP), software source code or protected health information (PHI), firms should also implement systems that flag and prevent content from being sent out of the organization; finding out after the information has left is too late. To address this aspect of compliance, the institution's messaging team needs to define and deploy Data Loss Prevention (DLP) policies. Many messaging and collaboration platforms now include DLP engines that support pattern matching, document-name rules and keyword lists. These can flag outgoing messages and alert compliance, which can then review and release the message, or block it and notify the sender of the policy violation. Typical DLP options in a messaging system include:
- Alert compliance whenever a password-protected attachment is sent, stop the message from leaving the organization, and notify the user of the company's policy against sending password-protected attachments (an attachment the DLP engine cannot open is one it cannot inspect).
- Alert compliance whenever a credit card number appears in an email, so the compliance team can review the message before it is sent.
Record Categorizations
Another area where compliance programs should be involved is in documents that both compliance and legal classify as sensitive. For instance, a DLP policy that monitors financial information classified as confidential can prevent disclosure of next quarter's financials before they are made public. Other classifications can include:
- Software design specifications and code
- Clinical trial results
- Employee compensation
Both DLP and archival searches can use these classifications to monitor communications regardless of whether they are emails or tweets.
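The outbound DLP checks listed under 'Data Loss Prevention Policies' and the record classifications above, combined in one added example (not code from the article, from 17a-4 LLC or from any vendor's DLP product). It assumes a message is a dict with "from", "to", "subject", "body" and a list of (filename, bytes) attachments, that the firm's own domain is example.com, and that the lexicon is a constructed stand-in for the firm's real classification terms; the sample zip attachment is built in the code.

```python
"""Outbound DLP checks for a messaging gateway (added example)."""
import io
import re
import struct
import zipfile

INTERNAL_DOMAINS = {"example.com"}   # assumed; messages that stay internal are not checked

# Constructed classification lexicon keyed by record category.
LEXICON = {
    "financial_results": ["quarterly results", "earnings release", "pre-announcement"],
    "clinical_trial": ["trial results", "primary endpoint", "project sparrow"],
    "source_code": ["#include <", "import java.", "-----begin"],
}

# 13 to 19 digits, optionally separated by single spaces or dashes, on word boundaries.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops most invoice/order numbers that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def is_password_protected(content: bytes) -> bool:
    """True if an attachment is encrypted and therefore opaque to content inspection."""
    if content.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as z:
                # Bit 0 of the general-purpose flag marks an encrypted entry.
                return any(info.flag_bits & 0x1 for info in z.infolist())
        except zipfile.BadZipFile:
            return False
    if content.startswith(b"%PDF"):
        return b"/Encrypt" in content   # encryption dictionary referenced from the trailer
    return False


def lexicon_hits(text: str) -> dict:
    lowered = text.lower()
    return {cat: [t for t in terms if t in lowered]
            for cat, terms in LEXICON.items() if any(t in lowered for t in terms)}


def evaluate(msg: dict) -> dict:
    """Return {"action": allow|hold|block, "findings": [...]} for one outbound message."""
    external = [r for r in msg["to"] if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    findings = []
    if not external:
        return {"action": "allow", "findings": findings}
    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    for name, content in msg.get("attachments", []):
        if is_password_protected(content):
            findings.append(("block", "password-protected attachment: " + name))
    for pan in find_pans(text):
        findings.append(("hold", "card number ending " + pan[-4:]))
    for cat, terms in lexicon_hits(text).items():
        findings.append(("hold", cat + ": " + ", ".join(terms)))
    if any(kind == "block" for kind, _ in findings):
        action = "block"   # stop it and tell the sender why
    elif findings:
        action = "hold"    # queue for compliance review before release
    else:
        action = "allow"
    return {"action": action, "findings": findings}


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed attachment: a one-file zip, optionally with the encryption flag set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("report.txt", "quarterly numbers")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the flag in the local header (offset 6) and central directory (offset 8).
        for off in (data.find(b"PK\x03\x04") + 6, data.find(b"PK\x01\x02") + 8):
            struct.pack_into("<H", data, off, struct.unpack_from("<H", data, off)[0] | 0x1)
    return bytes(data)


def demo() -> dict:
    base = {"from": "analyst@example.com", "subject": "numbers", "body": "see attached"}
    ext, enc, plain = ["friend@mail.example"], make_sample_zip(True), make_sample_zip(False)
    cases = {
        "encrypted_zip_external": dict(base, to=ext, attachments=[("q4.zip", enc)]),
        "encrypted_zip_internal": dict(base, to=["boss@example.com"], attachments=[("q4.zip", enc)]),
        "plain_zip_external": dict(base, to=ext, attachments=[("q4.zip", plain)]),
        "card_number": dict(base, to=ext, body="charge card 4111 1111 1111 1111, exp 12/20"),
        "invoice_number": dict(base, to=ext, body="invoice 4111 1111 1111 1112 attached"),
        "trial_leak": dict(base, to=ext, body="Project Sparrow primary endpoint was met"),
    }
    return {name: evaluate(m)["action"] for name, m in cases.items()}
```

The Luhn check is what keeps a credit-card rule from holding every message containing an invoice or account number; it still passes roughly one random 16-digit string in ten, so the rule is a trigger for review rather than a verdict. The attachment check only detects that an archive or PDF is encrypted; it cannot see inside, which is exactly why the policy above blocks such attachments rather than scanning them.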
The legal department’s role in defining risk
In working with clients, we focus first on developing a comprehensive archival architecture together with effective DLP policies and record classifications. In combination, these give senior management an understanding of how compliance teams can monitor messages and be proactive in protecting the company's electronic records and confidential information. That requires an ongoing, interactive relationship with both the records management and IT teams within the organization.
As mentioned earlier, there is an element of risk-based analysis in deciding how compliance policies should be implemented. Here, a company's legal department must understand the risk posture of its organization and the policies that mitigate that risk. Legal teams, with their understanding of the structure of the organization, can anticipate where legal issues may arise and work with compliance to put the appropriate policies in place.
For instance, if a legal department is concerned that a specific area of the company has a hostile working culture, then monitoring that area's communications for language, jokes and other warning signs could prevent a future harassment case. Similarly, if the results of a clinical trial are known only to a select group of clinical staff, related emails or chats could be monitored for the name of the drug or other words indicating that the results are leaking.
This is an ongoing process, and policies should change as the company changes. If a new sales team is hired in a particular geography, for example, the legal department should have compliance monitor the group's communications and expenses to ensure continued compliance with the FCPA and other anti-bribery regulations. Likewise, if a new drug enters clinical trials, the keywords relating to that drug should be added to the monitored list.
Restructuring to combine the technologies of compliance and legal
Technologies that support both compliance and legal requirements have undergone incredible changes in the last ten years and promise to keep changing. These innovations present two challenges, since each department must understand the technologies of the other:
- Legal departments must understand the compliance technologies in use and confirm that the compliance team has incorporated policies that represent the risks to the organization.
- Compliance teams must design systems that allow legal production to be responsive and complete.
Compliance teams' primary purpose is to be the first line of defense against malfeasance, disclosure or theft of IP. When compliance departments do their job, their organizations should see significant savings in regulatory fines and legal costs. The crux is for legal teams to do their part, too, by giving their compliance teams clear instructions on how compliance technologies can be used to implement risk-based policies. By working together, legal and compliance departments provide a strong team for their organization.