Professional. Compliance & Ethics. 19 The seven deadly sins of unethical organizations. 49 Anti-corruption and global supply chains

Transcription

1 Compliance & Ethics April 2014 Professional a publication of the society of corporate compliance and ethics Meet Tyrell J. Campbell Investigator Pinnacle Investigations, Inc. See page The seven deadly sins of unethical organizations John Cross 29 Small organization compliance and ethics programs: No one size fits all Melvin Oden-Orr 39 The elements of an integrated compliance platform Kathyrn Kemp Chociej 49 Anti-corruption and global supply chains Craig Moss and Leslie Benton This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at or with reprint requests.

2 by Kathyrn Kemp Chociej The elements of an integrated compliance platform Electronic content, including social media, must be archived to meet regulatory requirements. Both a social media policy and an archiving solution are vital to your firm s social media presence. Plan ahead for communications that need to be retrieved for litigation hold and e-discovery requirements. When writing a social media policy, address expectations around behavior, clearly outlining whom the policy holds accountable. By using data for lead generation, an organization can offset some of its costs for its integrated compliance platform. We are all aware of the significant consequences for failing to manage electronic communications content properly, including damage to your organization s reputation, legal exposure, and regulatory penalties incurred for non-compliance. As a result, compliance is often perceived as a necessary evil and treated as such. Many organizations strive to meet the bare minimum level of compliance and may find it difficult to get budgets approved for any efforts beyond that. However, for compliance programs to be effective, they need Kemp Chociej to be thoroughly and consistently implemented across the entire organization. At the same time, for an area such as marketing, compliance may not be top-of-mind or a priority. In fact, marketing and compliance may be at odds with one another, given their two distinct functions. Realizing this, some organizations have started to implement centralized, integrated supervisory platforms that in effect streamline company-wide initiatives, where implementing a comprehensive compliance solution may ultimately pay for itself and provide value to marketing functions of an organization. Understanding the key elements of an effective, integrated compliance platform can help free up company resources for other ongoing initiatives. A compliance platform that provides archiving, security, and compliance and marketing analytics can help organizations achieve robust IT security while integrating strategic compliance and marketing efforts. Archiving A common requirement of all regulations is the implementation of IT controls that protect critical applications, data, and systems and processes from unauthorized use or access. Many organizations have implemented integrated platforms to manage, audit, and monitor user access to network resources. Another common requirement is archiving all electronic communication, including social media. Because of litigation hold and e-discovery responsibilities, organizations need to treat social media activity just like any other electronic communication, and always be prepared to secure and retrieve content under a litigation hold for long periods of or

3 time in a defensible manner. In that vein, solutions are needed to provide social media monitoring and supervision of out-of-policy content. Conversation and content archiving are strongly needed for litigation hold and e-discovery responsibilities. FINRA Regulatory Notice is the key piece of guidance in the financial services industry for the use of social media for advertising purposes. With the publication of FINRA Regulatory Notice 10-06, compliance officers now know that they have to meet similar requirements that have existed for and instant messaging when evaluating social software technologies. The problem for regulated financial institutions is that inappropriate use of such widely available communications and collaboration tools can mean non-compliance with government and industry regulations, resulting in significant fines, potential loss of business, and fraud. Much has been debated concerning exactly what the social media compliance rules are related to FINRA and the SEC. Here are the basics: A social media policy is necessary. Your policy will then define your written supervisory procedures. Social media archiving is essential. It is helpful to utilize a central dashboard that you control to perform record retention and surveillance. Understanding the differences between static and interactive content is imperative. When writing a social media policy, address expectations around behavior, clearly When writing a social media policy, address expectations around behavior, clearly outlining whom the policy holds accountable, as well as where and how it needs to be maintained. outlining whom the policy holds accountable, as well as where and how it needs to be maintained. Some key elements to include in a social media policy might be: business confidentiality, online interaction as a registered representative, online goal achievement using social media to implement strategy, appropriate source/credit given to information posted online, and the firm s target audience for engagement. Mitigating risk around the use of social media may involve identifying your strategy for incorporating social media into communications, establishing and defining your guidelines and policy, and deploying the tools to use, archive, monitor, and report on social media. FINRA Notice states that the use of Internetbased social media communications must be viewed and monitored in the very same way as written communications and in-person conversations. Therefore, these regulations and suitability requirements also apply to any forms of advertising, sales literature, and correspondence when used in social media situations. Additionally, firms must retain records of all communication via social networks as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110, including Facebook status updates, tweets, LinkedIn updates, and blog comments. Keep in mind that: or

4 Preapproval from users is not necessary. Supervision and post-review by the Compliance department are required. No matter what device you post content from, FINRA regulations state that all business-related social media content must be archived for a minimum of three years. Therefore, no matter what forms of content advisors are creating online, both a social media policy and an archiving solution are vital to your firm s social media presence. Archiving is not just a best practice, it is a required one. Not only will archiving keep you in compliance with FINRA and SEC requirements, but documenting all activity provides peace of mind. Once you have developed the social media use policy for your organization, real-time alerts or daily/weekly reports should be generated, based on your organization s policy. Use surveillance lexicon and policy to apply across all social media types or at the site level (e.g., Facebook, LinkedIn), delivering the ability to monitor differing social media sites and their content types per the customer policies for Facebook, LinkedIn, Google+, Twitter, YouTube, Vimeo, Chatter, Yammer, Bloomberg, blogs, SMS, and instant messaging, and other new social channels. The bottom line for compliance regarding archiving content is to have a method to securely capture and store all electronic communications, including , instant messages, and social media. Whether communications need to be retrieved for litigation hold and e-discovery requirements, Not only will archiving keep you in compliance with FINRA and SEC requirements, but documenting all activity provides peace of mind. to substantiate a compliance issue, or just to confirm a contractual modification, it is essential for organizations to have a tamperproof archiving of content, with real-time content inspection, which preserves the communication or conversation order. Security There are a few key areas of concern for IT functions, which may include user roles, group membership, and access policies. To achieve strong IT controls, organizations will want to incorporate identity and access management, monitoring and auditing, and encryption of messages with personal identifying information. Your security platform should address issues such as message security, digital loss protection, encryption, and disaster recovery. With this platform, every message needs to be scanned for personally identifiable information (PII) and securely delivered. Track the entire life cycle of an message through your compliance audit system. Start with the original (pre-encrypted) message and track all actions taken on it. Essential elements for a security platform to meet compliance requirements include the following. Monitoring Because certain improper or unauthorized administrative actions can pose security threats, the privileges of each administrator and all administrative events should be audited closely and consistently. This can be accomplished if the platform provides logs of these events in a format that can be used by or

5 oversight personnel and that is available to managers or auditors of activity. Essential elements for a security platform to meet compliance requirements include the following: Rule-based correlation of event information. Audit capabilities. Auditing must be done across all platforms to correlate platform events. Dashboard capabilities. Visual displays that bring an administrator s attention to anomalies or suspicious event patterns better support the organization s ability to establish strong controls for event responses. Report and log file customization. It is critical that reports and audit logs are customizable so that information or events that are of particular interest to the environment are reported in a meaningful way to the local administrator. Alerts. It is important for administrators to define which events are important in their local environments so that they can be reported appropriately. It is also important that procedures are implemented to ensure this information is distributed to the appropriate people, based on the event. Automated workflow Appropriate approvals for certain user actions, specifically requests for access rights, are required by most regulations. An automated workflow capability strengthens internal controls and makes access events easily auditable. Centralized management of all users Delegating the management of specific groups of users allows for the ability to delegate administration of certain user groups. Best practices include: Centralize authorization activities. Employ role-based authorization. Provide fine-grained authorization for administrator privileges. Protect critical system files, applications, and data across all platforms. Role-based policies Specific user roles should determine the user s access rights and enable the auditing of user access rights. Tracking of active accounts When an advisor has left the company or changed roles within the company, accounts may go inactive. Your security platform should scan existing accounts periodically, correlating accounts with valid user identities, and removing or flagging any accounts that appear to be abandoned. Analytics A compliance program that combines compliance and marketing analytics can help an organization integrate its strategic compliance and marketing efforts. Here are some suggestions for how to accomplish this. Compliance analytics Conduct an automated vulnerability analysis. Correction of these vulnerabilities can eliminate problems proactively. Also, capabilities that allow post-review analyses of policy violations can expedite the event s resolution and allow for a more effective remediation. Your analytics platform should have the capability to focus on regulatory content surveillance and reporting, trade surveillance notification and reporting, advertising review notification and reporting, and business intelligence functions such as bi-directional lead generation notification and reporting, to help reduce review time spent across all channels or

6 Apply your surveillance policies to , instant messages, and social media, using directional searches based on your organization s content definitions. Evaluate content for compliance across all media types. Marketing analytics Capture social listening and life event notifications from social media channels and funnel them for lead generation notification and reporting efforts. Real-time management and contextual capture of messages and data across all forms of real-time communication channels combines enhancements in compliance reporting with a streamlined workflow, thereby providing more insight into messaging activity throughout the organization and expediting the supervisory review process. Repurposing data from compliance activities for lead generation helps spread the cost of the compliance platform across the organization and helps create buy-in from functions other than IT and compliance, allowing for more effective implementation of policy as well. Taking the next step For regulatory compliance efforts to be truly effective, compliance should be viewed as a critical business component and as part of a larger strategic initiative. When leveraged appropriately, the solutions introduced by compliance have the potential to impact a company in numerous positive ways. These changes will help increase the overall efficiency of company-wide operations and help strengthen performance and competitiveness. One of the most effective ways to achieve this level of control is through an integrated compliance platform. Once implemented, an automated compliance platform can help organizations reduce compliance costs and improve compliance efforts, while lowering total cost of ownership and potentially paying for itself in the form of lead generation. Kathyrn Kemp Chociej (kchociej@erado.com) is the Director of Marketing and Public Relations for Erado in Renton, WA. CCB certification made easy The Compliance Certification board has released a new Candidate Handbook for its newest compliance and ethics professional certification. The handbook includes: Candidate Handbook Certified Compliance & Ethics Professional- International (CCEP-I) Steps to become certified and to renew your certification Information about online CEU tracking Candidates FAQs Resources to help prepare for the examination All the forms you ll need for certification and renewal Information about SCCE s online certification study groups View and download the new handbook on CCB s website: CCB_NewHandbooksAnnounce_CCEP-I_halfpagead_4c_CEP1112.indd 1 CCEP-I certification Scan the QR code at left with your mobile phone to visit the CCEP-I section of the CCB website Enhances your credibility Develops professional standards Demonstrates knowledge & Dedication 10/11/12 3:53 PM or