Holes in the System: Exposing the Gaps in Modern-Day Compliance
Under pressure from the regulators, financial services firms are ramping up investment in smart tech and innovative systems to monitor employees and draw out risks. But can any system ever be fully watertight? Radar explores where the weaknesses lie, and how firms can patch up the gaps.
In June 2019, the UK Financial Conduct Authority (FCA) was successful in a case against a senior compliance officer at UBS who had used her position to identify and pass on inside information. Fabiana Abdel-Malek used a pay-as-you-go mobile phone, disguised as her work phone, to pass on private information to a family friend who was a day trader. Both defendants were sentenced to three years’ imprisonment.
As a compliance officer, Abdel-Malek was able to exploit her position and the trust that came with it. Firms often overlook control of the controllers, assuming they will prevent malpractice rather than commit it. From personal devices to risky individuals, Abdel-Malek’s activities exposed some of the loopholes that can be exploited time and again.
In the last year, regulators around the globe have ramped up pressure on firms to move away from relying on a manual approach and to instead invest in technology and systems that ensure non-compliant activity is captured. There’s no doubt that compliance systems are rapidly improving, but even the tightest-run outfit will have areas that lie exposed, or employees that can game the system. Radar reached out to industry experts to establish where those holes appear and what, if anything, can be done to seal the cracks.
On the trading floor, calls are still king. An effective voice monitoring solution is imperative. It’s no surprise, therefore, that regulators are looking for robust systems that capture the conversations being had across the business.
Firms are approaching voice in different ways, both positive and negative. Some firms opt to capture voice even in the absence of regulatory burden or pressure; it offers them insights into their employees’ interactions that they might not previously have been able to glean. Other firms are keen to keep voice monitoring at arm’s length, or to put it off for as long as possible, because it can be incriminating or uncover instances of bad behavior that they are perhaps not yet ready to cleanse. In some cases, firms record calls so that they are able to settle a trade dispute, but delete those records fast to avoid storage costs, as well as the inquiring eye of the regulator.
The general market feel suggests that demand currently far outweighs supply: people want to capture voice, but the tech is seldom up to the job. While voice monitoring systems are undoubtedly improving, gaps are inevitable in the current offering and arise on a number of different levels.
Short calls – “no one is eloquently describing how they’re going to manipulate the market”
A recurring issue raised at Behavox roundtables is that voice monitoring systems fail to capture and analyse short calls effectively, even though those are often the most valuable. Most voice-to-text systems need to ingest a certain amount of audio in order to accurately identify the speaker, their accent and their language. There is widespread scepticism about the accuracy rates touted by vendors, but the tech is improving fast as data sets grow and more investment is made in R&D.
Off the trading floor, conversations of five minutes and under might generally be considered uninteresting or unimportant. As an experienced expert in supervision and conduct noted, the first few seconds “are where we’ll actually find the stuff that’s material – because no one is eloquently describing how they’re going to manipulate the market.” This is a common concern, with a head of market conduct monitoring adding that “with brokers, their conversations are really short. So most of their conversations are about one to three seconds. And that just won’t get captured audibly.” That’s not to say, however, that longer calls don’t produce some insights too; for some, random monitoring of long calls has proved the most fruitful.
There’s a chance then that some of the most important or illicit calls will fly under the radar until such a time that voice analytics can find accurate signals in seconds rather than minutes. Until that day, one can only wonder what firms might miss.
Franglais and foreign languages
The length of a conversation isn’t the only challenge for compliance officers looking to glean meaningful information from voice. From conversations we’ve had with compliance and enforcement professionals, it seems that voice-to-text and voice monitoring systems generally offer returns of around 70%-80% accuracy. Exceptionally, some systems, including Behavox, offer 90% accuracy rates. So what comprises this other 10%? Where are the outliers?
Foreign languages can challenge even the most comprehensive systems. In most instances, the approach has been to start with a system that can detect and transcribe calls made in English and to subsequently bolt on a suite of languages as and when they are developed or demanded.
While some systems are developed to understand foreign languages (most commonly English, Mandarin and Spanish), difficulties arise where individuals speak in a language unfamiliar to the system, or flit between languages throughout the call. Often the system is only built to pick up a certain language and will falter where others are used. “For me the real dark corner is the person who’s speaking a bit of Franglais,” said a commodities market professional. As a VP of trade surveillance highlighted, the system used at their firm will generate an alert where a person changes language in the middle of a conversation; however, if the conversation had been held entirely in French, for example, it wouldn’t pick it up, as it hasn’t been trained to understand French.
What is regulatory expectation?
Voice is still a challenge. It’s a theme that runs throughout most Behavox roundtables. However, while firms have EU regulatory obligations to capture and analyse voice, one might ask whether regulators might let it slide for now, given that available technology seems to struggle to meet the strict demands of monitoring under the Market Abuse Regulation.
“The regulators understand that voice is hard.”
Another added, “I don’t really feel we have to do anything because we’re waiting for the technology to get there. It’s starting to, so we’re having to take it a bit more seriously and we’re actively engaging.” As technology advances, so too will the regulator’s interest in ensuring firms are investing in and utilising it.
Investing in a system to monitor employees is one thing, establishing who to monitor is another. A roundtable attendee who had recently returned from the 2019 Surveillance Summit said it had been suggested that “one of the hardest things is deciding who to record.” This suggestion was welcomed, with a number of attendees concurring that they are “confused as to working out who are the people who could be carrying the risk”. Whose calls should you be monitoring? Whose emails could be putting the company in jeopardy?
In February this year, Julia Hoggett, Director of Market Oversight at the UK Financial Conduct Authority, called on firms to monitor employees across the board, from cleaners to chief executives to those within the compliance team. For some, this appears a daunting task. However, Hoggett’s warnings have since been substantiated by a number of enforcement actions that have seen employees from all parts of a business acting illicitly.
Abdel-Malek, for example, was a senior compliance officer within a high-profile investment bank. In the US, a junior analyst at RBC Capital Markets was charged by the Securities and Exchange Commission with insider trading. He had only graduated from university one year prior. In 2018, a software developer at Equifax was charged with insider trading after he traded on confidential information that he uncovered when working to develop a remedial application to cope with a data breach at his company.
As the above cases show, insider risk stretches beyond the trading floor. However, it’s no easy feat to implement company-wide monitoring. Instead, firms will likely choose to monitor the employees that appear to pose the most risk.
Biggest risks at the top?
Julia Hoggett’s February speech suggested that senior management should not be immune from being monitored. “Move away from the assumption that if someone legitimately has access to information, they will always act legitimately with that information”, Hoggett urged firms. FCA’s Market Watch 60, published on 1 August 2019, echoed this sentiment in sharing the FCA’s “concerns and findings about control of access to inside information [following] the conviction of Fabiana Abdel-Malek.”
The FCA seems especially worried about leaks at the top. And for good reason. Those in privileged positions tend to be the ones with the contact books and the best access to information. They are also the ones in control. But monitoring senior management, and even chief executives, requires delicate handling. It’s one thing to review emails; it’s another to challenge those who run the show.
“We do have a head of advisory who reviews the supervisors’ emails – but no one wants to do this job!”
Everyone should be held to the same standard. This is the chief argument in favour of monitoring senior figures and was the general essence of Hoggett’s speech; information is precious and those with access to it, no matter their seniority, should be surveilled.
The ones you least expect
Traders, analysts and brokers are the most obvious risk group for market abuse or non-compliant behavior. However, the clear takeaway from recent cases is that it’s seldom the person you most suspect. Establishing employee risk can’t be left to intuition and gut feel. As such, businesses need to be creative, not only in the technology or systems that they choose to employ, but also in choosing who they’ll monitor. What about those right under your nose or who are self-reporting regularly?
As one surveillance expert responded, this was exactly the point of the FCA’s warnings. “Most often this is coming from people that you don’t expect, so compliance systems should go into all areas. In the future, the reality is that no one should have the ability to assume that they’re not being monitored.” They added that the IT team presents a particular challenge for compliance as they “think they’re outside of scope…in fact, the concept for IT that they’ll ever be in scope is so ludicrous that they’re really not thinking about how they communicate.”
Whether it’s those at the top, those at the bottom, or those that you’d never suspect, regulators are only going to increase the pressure on firms to monitor employees from all corners.
In Market Watch 60, the FCA highlighted information access as its chief concern: “by allowing widespread and unchallenged access to individuals who do not require the inside information to do their job, firms increase the risk of that information being disclosed unlawfully,” it said.
The FCA’s concerns were inspired by the findings of its Thematic Review of the processes that investment banks have in place to control the flow of confidential and inside information. The findings highlighted industry-wide failings. In particular, it found that insider lists frequently failed to document the names of those people who had been given access to inside information, or incorrectly listed the names of people who no longer had access. In one case, an insider list documented only 12 employees as having access to confidential information, when in reality 600 people had undocumented access. In part, this was the result of firms failing to systematically review the access rights of their staff. In some instances, many continued to have access to key information after their roles had come to an end.
Information access, specifically the control of who has legitimate and necessary access, is an unnecessary and preventable hole in the system. As the FCA pointed out, establishing who has access to inside information at particular points in time is “crucial”. It adds that an inability to respond to a request with accurate records of who has access to inside information is taken as an “indication of underlying weaknesses in systems”. While gaps are sometimes inevitable, the correct granting and recording of access rights is not. Regulators are unforgiving when information falls into the wrong hands. They’ll be even less so when it could have been easily prevented.
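The access-review failing described above (insider lists that omit people who hold access, list people who no longer hold it, and rights that outlive the role that justified them) is, in security-engineering terms, a least-privilege reconciliation problem: compare what is declared against what is actually granted. The following Python is an added example, not code from Radar, Behavox or the FCA. It reconciles a declared insider list against the access grants observed on a deal’s systems and reports undocumented holders, stale rights and stale listings. The names, the project code and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class AccessGrant:
    """One observed grant of access to a deal's inside information.

    role_end is the date the holder's role on the deal ended, or None if
    they are still working on it. A grant whose role_end has passed is
    access that should already have been revoked.
    """
    user: str
    project: str
    granted: date
    role_end: Optional[date] = None


def reconcile(insider_list: Iterable[str], grants: Iterable[AccessGrant],
              project: str, as_of: date) -> Dict[str, object]:
    """Compare the declared insider list for one project with observed grants.

    Returns three findings, each sorted for stable reporting:
      undocumented          - holds a grant but is missing from the insider list
      stale_access          - still holds a grant although their role has ended
      listed_without_access - on the insider list but holds no grant at all
    plus the declared vs. actual head counts.
    """
    listed = set(insider_list)
    project_grants = [g for g in grants if g.project == project]
    holders = {g.user for g in project_grants}
    stale = {g.user for g in project_grants
             if g.role_end is not None and g.role_end < as_of}
    return {
        "documented_count": len(listed),
        "actual_count": len(holders),
        "undocumented": sorted(holders - listed),
        "stale_access": sorted(stale),
        "listed_without_access": sorted(listed - holders),
    }


# Constructed sample data (hypothetical users and project code).
INSIDER_LIST: List[str] = ["a.jones", "b.patel", "c.li", "g.wong"]
GRANTS: List[AccessGrant] = [
    AccessGrant("a.jones", "PROJECT-X", date(2019, 3, 1)),                    # listed, active
    AccessGrant("b.patel", "PROJECT-X", date(2019, 3, 1), date(2019, 12, 31)),  # listed, role still running
    AccessGrant("c.li", "PROJECT-X", date(2019, 3, 1), date(2019, 5, 15)),      # listed, role ended, grant never revoked
    AccessGrant("d.okafor", "PROJECT-X", date(2019, 4, 2)),                   # active but never added to the list
    AccessGrant("e.smith", "PROJECT-X", date(2019, 2, 1), date(2019, 6, 30)),   # role ended, unlisted, grant still live
    AccessGrant("f.garcia", "PROJECT-Y", date(2019, 4, 2)),                   # different project, ignored
]
AS_OF = date(2019, 8, 1)


def run_sample() -> Dict[str, object]:
    """Run the reconciliation over the constructed sample."""
    return reconcile(INSIDER_LIST, GRANTS, "PROJECT-X", AS_OF)


def format_report(findings: Dict[str, object]) -> str:
    """Render findings as the short text a reviewer would hand to the deal team."""
    lines = [
        f"declared insiders: {findings['documented_count']}, "
        f"actual holders: {findings['actual_count']}",
    ]
    for key in ("undocumented", "stale_access", "listed_without_access"):
        users = findings[key]
        lines.append(f"{key}: {', '.join(users) if users else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_sample()))
```

The check is deliberately run against observed grants rather than the insider list’s own change history: the FCA’s point is that the list is the claim and the entitlements are the evidence. Users who appear in both `undocumented` and `stale_access`, as e.smith does in the sample, are the worst case, since nobody is accountable for revoking access that was never recorded in the first place.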
Personal devices and IM
Personal devices and private messaging services pose countless problems for the compliance team, not least because they’re difficult to monitor. In some instances, illicit activity may only be detected through trade activity; reconstruction post-trade might show that contact had been made through personal devices. Personal and private devices are the “unknown unknown” which is “the bit that scares everybody right now”.
Some firms look to prevent wrongdoing via personal channels through the simple method of banning devices on the trade floor. Others install tech that disables an employee’s phone once they enter the office, rendering it unusable until they leave work. There’s also tech that will flag when and where a mobile phone is in use – not too far removed from that used in prisons!
But it’s not always clear cut; a roundtable attendee admitted that “we let people use their phones for personal issues on the trading floor, so if your wife texts you or something like that. It’s almost impossible to enforce.”
The already complex issue of personal devices on the trading floor is only exacerbated by more subtle gadgets, such as smartwatches. Or how about Levi’s and Google’s new Jacquard smart jacket, a denim jacket that allows you to take calls with simple hand gestures? Communicative tech is becoming smaller and subtler, and inevitably harder to trace.
“Compliance teams are potentially driving things underground whether we like it or not, so it’s just an arms race.”
However, as a Radar contributor highlighted, “there’s a balance between having control and just pushing it underground”. Some firms worry that by exerting too much control over communications, they will simply push employees onto personal devices, where those communications can no longer be analysed. The same could be said for encrypted messaging; employees who might usually chat over work email or IM might be inclined to move underhand behavior and discussions onto encrypted applications such as WhatsApp, WeChat or Facebook Messenger.
This dilemma can be mitigated, to an extent, by more intuitive tech. Some systems, including Behavox, are trained to detect instances where an employee suggests moving to an alternative device or application. However, if the activity never crossed into the realm of workplace or business ecomms channels, it will prove challenging to detect. Compliance officers face a unique challenge: to monitor employees, but not so strictly that employees move their activity into channels that can’t be surveilled. Alternatively, some firms opt to trust their employees to do the right thing and introduce a confessions-based approach, where employees who use personal or encrypted channels deliver records of those conversations to their compliance teams. As one attendee described it, “you have to try and find some sort of imperfect middle ground.”
It is a fact that all systems, whether manual processes or top-of-the-range SaaS solutions, have holes and can be gamed by determined players. It is also true that new technologies have improved greatly in a short time, meaning those gaps are diminishing. As one Radar fan told us, it was only 18 months ago that an accent on its own would have thrown the whole voice monitoring system. Now it can detect accents and pick up paralinguistic changes with an accuracy that defies belief. If that’s the level of progress in 18 months, where will we be by 2022?
Historically, financial compliance has depended on a level of trust. It was expected that compliance officers would, as their title might imply, be compliant. However, a combination of regulatory scrutiny and insider risk has shown that trust is wearing thin. Instead, the compliance landscape is moving further towards intelligent monitoring and analysis, based on real data and real facts. It’s a good job that technology is developing at the right pace to meet regulator expectations.