Electronic communications surveillance: another challenge for financial institutions

Financial institutions have been dealing with an increased incidence of criminal conduct relating to money, financial services and markets, rattling regulators’ trust in financial institutions and their compliance processes. To protect investors and prevent criminal conduct, a series of regulations came into force across and beyond the European Union (EU) to guarantee the transparency of markets and transactions such as the Market Abuse Regulation (MAR) and the Markets in Financial Instruments Directive (MiFID II). In line with these regulations, firms are required to record and retain all electronic communications that relate in any way to transactions. Among these electronic communications related to transactions, key emphasis is placed on communications related to clients and counterparties in order to ensure that no private information is leaked. In order to ensure regulatory compliance and the protection of sensitive data, employees’ communications have to be monitored. This supervision is often referred to as electronic communications “eComms” surveillance.

eComms surveillance is the monitoring and supervision of all electronically produced communications (e.g. text messages, emails, chats) sent by employees of a firm using a professional computer or phone. As financial regulators aim to strengthen the framework for preventing unethical behaviours, eComms is becoming an area with significant legislative and regulatory impact. In the EU, Article 16(7) of MiFID II and Articles (8) and (10) of MAR are broadening the scope of employees, communications channels and devices that need to be recorded and monitored.

Article 16(7) of MiFID II requires the recording and storage of “telephone conversations or electronic communications relating to transactions concluded when dealing on own account and the provision of client order services that relate to the reception, transmission and execution of orders […] even if those conversations or communications do not result in the conclusion of such transactions.” Outside the EU, other regulations like the USA’s Dodd-Frank Act obliges employees’ communications in relation to trading and investments are subjected to some level of monitoring.

eComms surveillance can be performed manually, using automated solutions or with a combination of both. When primarily performed manually, compliance officers typically monitor and control employees’ written electronic communications based on pre-defined keyword alerts. Nonetheless, given the ever-increasing volume of communications, manual monitoring can be time-consuming and low-quality, particularly due to human errors and high levels of false-positive alerts that may be difficult to interpret. As a result, some companies are migrating to automated solutions. Automated software can be programmed to search for keywords and phrases in a random sample of content from multiple communication channels, including emails, phone calls, text message, chats/video instant messaging apps. Artificial Intelligence (AI), particularly Natural Language Processing (NLP), is a key enabling technology in this area, teaching computer programmes to understand human language. NLP can significantly reduce operational costs, without reducing effectiveness in the ability to automatically detect suspicious behaviours.

However, eComms surveillance raises issues regarding employees’ privacy, with the push for greater transparency in financial regulations going head-to-head with data privacy laws. In the EU, personal data is safeguarded by the General Data Protection Regulation (GDPR). The GDPR is a broad-based privacy regulation intended to create a consistent framework for handling personal information throughout the EU. It also reaches across international borders to regulate the usage of that information worldwide. GDPR permits the surveillance of work communications within the limits of a strict framework on how and when a firm can do it. First, the company must let its employees know about the monitoring, the reason for doing so, the extent of the surveillance and how the data will be used. The purpose must be specified, explicit and legitimate. While an employer usually cannot look at private emails sent from a private account using a work computer, employees are advised not to send personal communications at work with their equipment.

Data security – and more specifically how data is stored and processed – is a central topic in both GDPR and MiFID II. All data must be managed in such a way that they meet the requirements of MiFID II, while at the same time safeguarding the security of privacy of individuals in accordance with GDPR. Thus, ensuring compliance with both regulations can prove to be a challenge for firms. Indeed as mentioned above, article 16(7) of MiFID II in relation to the retention of records could seen to be at odds with Article 17(1) of GDPR, where individuals have the “right to be forgotten” if their personal data are no longer needed, no longer processed, or if consent has been withdrawn. For instance, a client can’t request the deletion of information related to communication(s) with an employee, despite having such a right under GDPR. Indeed, MiFID II requires that recordings of communications must be kept for a minimum of five years in order to meet the complete audit trail requirements. At the same time, if an employee specifies that an email is private or personal, even through a professional email address, it is legally prohibited for the employer to open it, in a principle referred to as “secrecy of correspondance”. Thus, it is challenging for firms to comply with both regulations.

For example, MiFID II specifies that records must be retained for five years, while Article 5(1) of GDPR requires firms to consider purpose limitation (i.e. when does holding data become incompatible with the purpose for which it was obtained?). Firms can retain data when they have legitimate reason (such as trade-related conversations), but must inform the customer or employee that the conversation will be recorded and archived. To be able to prove MiFID and GDPR compliance, firms must ensure that their internal policies and systems meet the requirements relating to transparency and data collection, and in particular for recording and retention. The biggest challenge for firms will be to implement systems capable of keeping data secure, and ensuring that only the data that needs to be retained is retained. Another aspect is about who can access, and therefore listen or retrieve any data throughout the retention period. To achieve this goal, a comprehensive audit trail is key to ensure all data and recordings are deleted in line with the regulations. Firms must not consider MiFID II and GDPR incompatible, but rather as complementary pieces of regulation, and develop or adopt solutions that can fulfill both requirements.

Beyond the regulatory perspective, how far can eComms surveillance go? Companies can now monitor any activity on all professional communications channels and even anything typed on a professional device through screen capture and keylogging software. Keylogging is a type of surveillance technology used to monitor and record each keystroke typed on a specific keyboard, regardless of the application it is typed in. The software stores everything typed on a computer or mobile keyboard in memory: email addresses, passwords, private messages, and even bank information. Despite being an efficient way to identify fraudulent behaviour, in most cases, it is seen as a violation of privacy. Indeed, the limit between recording communications and espionage is blurry. Some companies might take advantage of the situation and use it as an opportunity to monitor their employees’ productivity.

For example, in April 2020, a European bank received a 725,000 EUR fine for illegally using employees’ fingerprints to keep records of their attendance and timekeeping. Even though monitoring can be legitimate, questions remain on how to balance compliance with regulations and employees’ privacy. Firms must strike a balance between what can and should be monitored in line with the regulatory framework, and what is in the remit of employees’ rights to privacy and the safeguarding thereof.