Enterprise 2.0 in Financial Services: Balancing Opportunity with Compliance

Growing Collaboration Culture Will Force Compliance Breakthroughs—Moving to London

The Global Human Capital Journal’s coverage of Financial Markets World’s Web 2.0 in the Capital Markets Industry conference continues. In this session, Eran Barak, Global Head of Strategy for Reuters, moderated a discussion with panelists David P. Olener, Director Legal Discovery Solutions at Orchestria, and Warren Roy, President & CEO of Global Relay Communications. They are well qualified to discuss this topic: As a former litigator, Olener has extensive experience with complex discovery and has consulted to numerous Fortune 100 clients in compliance, security and risk management. Roy’s company is a hosted compliance archiving and messaging suite used by over 1,200 financial and legal firms for regulatory purposes.

Their consensus was that enterprise 2.0, notably IM (instant messaging, chat) introduces significant issues with highly regulated financial services firms. Although this is widely known, many of the details of how the technologies can pose problems were illuminating. We will provide a summary of the panel before adding our insights.

Enterprise 2.0 Technologies and Regulatory Issues

• IM is widespread throughout capital markets. Professionals value its specificity, leverage and timeliness. In being digital, however, IM is easily machine-readable, and regulations specify how information is to be treated. Numerous software solutions analyze IM, email and other digital data, including real-time chat functionality in Bloomberg terminals and other services. They are looking for unethical activity, say, investment banks collaborating with their analyst divisions. All this data is subject to e-discovery.
• The Enron fiasco put discovery under the microscope, and extensive legislation was passed. There are strict compliance guidelines for all communications (and digital data is most actionable, as it’s easiest to analyze and use).
• As all three speakers are providers of communications and e-discovery solutions, they then turned to client service. From a compliance perspective, the challenge stems from the fact that firms are complex, and compliance in general is only as strong as its weakest link. Providers struggle to understand firms’ technology and communications ecosystems, which are constantly changing. What devices does the firm have? How are they used? How are they connecting to the network? Connecting from a hotel room in Singapore is not necessarily as secure as connecting from a trading floor, even if the device is the same.
• Gen Y employees use social networking sites, especially Facebook, to collaborate on their work. As Facebook continues to enable the developer community to introduce widgets, Facebook is rapidly evolving as a full-fledged, user-configurable portal, complete with IM, email, twitter and other capabilities. What a potential compliance nightmare.
• Small firms are typically more free-wheeling than the majors, which are typically very restricted with respect to technology policies. (They also have deeper pockets and therefore are be bigger legal targets ,^(
• As with any type of security, human error is usually the Achilles heel. Therefore, employee (and contractor, partner) education is crucial. When there are lapses, employees usually mean well but are unaware that they are doing something that puts the firm at risk. Education and impressing the importance of compliance on employees is key: because the technology and concomitant processes evolve constantly—and regulations and compliance solutions are also moving targets, the firm, employees and related parties must be constantly vigilant. They must appreciate the ramifications of failure.
• Enterprise 2.0 staples like wikis and blogs pose special challenges because they are designed for openness and idea exchange. Moreover, the 2.0 culture is open and collaborative, and the tools have terrific leverage. If a wiki member invites someone who shouldn’t have access (and the reasons for access can be quite esoteric), it can compromise key information quickly. They same holds true for blogs, podcasts that may contain a key nugget of inappropriate information, or video shot from someone’s Blackberry of someone commenting on something. From a compliance point of view, these tools’ leverage, speed and openness present special problems. This is an access issue.
• Then there’s the content challenge. Firms can run afoul of compliance by introducing inappropriate content to employees. For example, if someone IMs some inappropriate content, or posts on a wiki, that gets exposed to an entire division or project team, that can compromise a large number of people. Firms are bound to document the information to which employees are exposed.
• Digitization is creeping into all modes of communication. “Unified messaging” solutions transport all modes of communication over the same network, and courts have tended to decide that, when voicemail is digitized (as when included in unified messaging solutions), it must be archived according to the same rules as email. That imposes a huge storage cost on the firm or its proxies.
• Most firms do not archive properly, thereby exposing themselves to risk. They need to appoint a champion who constantly manages the firm’s efforts.
• By definition, information can be a “smoking gun” or a secret weapon when firms find themselves in litigation. Panelists discussed some nuances of archiving. Various types of information have their own rules for how long they must be saved. Theoretically, information should be destroyed after it is no longer required to be kept, legally.
• However, firms are incented to keep it because it is often imminently usable in court even when no longer required by compliance. Panelists said that, if one side in a dispute has the chats/emails/IMs, the side that destroyed its data may be significantly disadvantaged: they no longer know what they said. Panelists admonished, “Remember, there are two sides (at least 😉 to all communications.” For example,

Quite often, discovery evidence is either delayed or never produced, many times because of the inaccessibility of the data. Backup tapes cannot be found, or are erased and reused. This kind of situation reached its apex during the Zubulake v. UBS Warburg LLC lawsuit. Throughout the case, the plaintiff claimed that the evidence needed to prove the case existed in emails stored on UBS’ own computer systems. Because the emails requested were either never found or destroyed the court found that it was more likely that they existed than not. The court found that while the corporation’s counsel directed that all potential discovery evidence, including emails, be preserved, the staff that the directive applied to did not follow through. This resulted in serious sanctions against UBS. (from Electronic Discovery, wikipedia)

• Technologies are often introduced by end users, and this is a special area of risk if they haven’t been vetted properly. Due diligence is not easy; even if you get 99% right, that 1% can be very unforgiving. Consumer technologies are usually not appropriate for capital markets firms.

Analysis and Conclusions

• This panel would have been strengthened by the addition of some users with revenue bogeys. All of these points are extremely important because they open firms to significant risk if not managed appropriately. But risk boils down to reputation and, ultimately, to money. As the enterprise 2.0 value proposition is proven, users will push to be more open because those who collaborate more efficiently and with more leverage will outperform others. That will built up extensive pressure in the system.
• The compliance vs. profit pressure will be relieved in several ways, many unsavory for capital markets firms: star employees will continue to leach out into private equity firms, which currently have a much smaller compliance burden. Or, firms will list in London, where Sarbox is not such a factor. Or, firms will go private, where their compliance burden and visibility are far lower.
• Firms should choose their compliance champion very carefully. If s/he is too much a curmudgeon, s/he will be far less effective. Firms will have to optimize compliance with profitability, and enterprise 2.0 and the new collaboration will increasingly drive profit. Look for this issue to emerge in the years ahead. The compliance champ should actively collaborate with business unit executives and appreciate (although not too much) the pressure to drive profit through innovation.