Compliance officers have multiple quandaries and constraints when it comes to handling mobile communication.
Apart from complying with the volumes of recordkeeping and retention period requirements from regulators, they have to ensure that work-related communication doesn’t cause employee disharmony, lawsuits, or the loss of sensitive information.
The challenge lies in guaranteeing that employee communication is compliant with industry regulations and internal standards across all devices, networks, and employee locations.
Consequently, the need of the hour is a comprehensive mobile communication policy.
The Rationale Behind a Comprehensive Mobile Communication Policy
Employees’ use of their own devices and apps, like instant messengers, could be incredibly convenient, but it comes with substantial compliance risk.
The risks include sensitive information about clients or company operations being shared and the deletion of messages that regulators have demanded a record of, among others, any of which could cost the company millions of dollars in fines, depending on the industry.
Financial firms especially have to contend with severe penalties, given the strict recordkeeping requirements of agencies including the U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission. For instance, banks engaging in WhatsApp CFTC violations, which in this case included not monitoring employees’ off-channel communication, were handed fines worth $266 million. Beyond the fines, the firms in question also suffered untold reputational damage.
Regarding other CFTC and SEC text message archiving violations, at least 29 firms have been fined since 2019. It is worth mentioning that the regulators together have levied at least 45 fines in the period, amounting to over $2 billion.
The fines and other regulator crackdowns all point to the same need: a compliant mobile communication policy issued organization-wide for carrying out necessary actions, including WeChat recording, WhatsApp call recording, SMS recordkeeping, etc. This is because the backup capabilities of the various instant messengers don’t suffice, and organizations can’t rely on employees or departments to retain communication with a clear audit trail and the context required to handle legal liabilities, e-discovery requirements, and internal investigations.
Navigating Compliance: Best Practices for an Approved Mobile Communication Policy
As a regulated company, it is in your best interest to come up with a policy that allows you to identify non-compliance in your communication in real time and address it transparently.
Notably, these policies must cover the technologies and processes that make up your communication infrastructure, including personal devices used for work-related communication by remote or hybrid employees. Every aspect of the communication, from the time it was sent out to the time it was deleted by the organization after meeting the retention guidelines from regulators, has to be covered by the communication policy.
Here are the best practices to keep in mind while crafting a communication policy that is compliant.
Ensure that the mobile communication policy covers the necessary recordkeeping requirements
One of the most important things the mobile communication policy has to cover is the extent of the recordkeeping that has to be undertaken. Regulators usually expect to see all the conversations that led to a transaction to understand a decision’s full context, which includes everything from the marketing outreach or introductory text sent to the customer to the last known interaction.
It is not just the text interactions across all devices that need to be covered. Detailed metadata, like timestamps, subject, sender/receiver information, etc., also needs to be maintained, so ensure your communication policy calls for it to be recorded in real time. The metadata and contextual information are vital for establishing the authenticity of the communication and retrieving it conveniently.
The communication policy, along with mentioning what information will be archived, also needs to provide insight into how the data will be used, such as when it will be deleted, how it will be processed to analyze employee/customer behavior, etc. Mentioning this information will go a long way in bolstering accountability and transparency when it comes to work-related texting and calling.
Clearly define the approved communication channels and devices
Compliance officers have to stay constantly updated on which applications are secure, so they can implement policy about approved communication channels. You need to ensure that the communication policy mentions which apps are off-limits and which are to be used for what purpose. It is advantageous to find apps for communication that encrypt both sides of the conversation. Even safe apps may not be appropriate for work-related communication due to limitations in archiving capabilities. So, compliance teams have to find the sweet spot between data security and communication monitoring.
Nowadays, with trends like remote and hybrid working, Bring Your Own Device has also become quite common. Consequently, regulated companies have to ensure that the communication flowing through these devices is also being recorded as a matter of policy. In these instances, the company needs to have in place clear instructions for the employee to follow, such as the use of mobile device management software, before they use their device for company communication. However, supervision of these personal devices has to be in alignment with WhatsApp GDPR and other similar regulations, which mandate that the employee is informed of the monitoring.
Cover what falls under compliant communication
Companies have to make it clear in the mobile communication policy what can be said as part of their work-related communication and what is off-limits. The type of information that can be sent, who it can be shared with, the words that can be used, what information is reserved for call, text, or email, etc., are all to be specified. Your employees will appreciate the clarity in policy, as it is easy to slip into informal and relaxed conversational patterns on instant messengers in the absence of clear guidelines, which poses a severe regulatory risk.
In addition to mentioning what can’t be conveyed through the approved communication channels, the company’s compliance team has to also make it clear what penalties the violators will face.
Embrace communication policy compliance at the management level
Senior-level management has a crucial responsibility for ensuring that the communication policy is adhered to at all levels and that there is adequate training to do so. Prioritizing compliance at the leadership level means that a culture of compliance is fostered throughout the organization.
Conclusion
Companies can avoid a lot of fallout from regulatory violations by implementing a mobile communication policy. But for the effort to be successful, it needs to have support at the executive level and cover in detail the approved channels and industry-specific communication guidelines. Even more importantly, it needs to be backed by a network archiver that can be used to verify that all the employees are following the mobile communication policy. A network-based archiver can retain all the necessary communication along with context across devices, operating systems, IMs, and networks, ensuring there is a reliable record for the regulators. The archiver further boosts compliance efforts by allowing organizations to get keyword-based alerts in real time when non-compliant communication occurs. To get started with the archiver, reach out to the team for a demo.
About TeleMessage
TeleMessage captures and retains mobile content, including mobile SMS messages, voice calls, WhatsApp, and WeChat conversations from corporate or BYOD mobile phones to ensure compliance with various data protection regulations. The messages are securely and reliably retained within TeleMessage servers or forwarded to your choice of archiving data storage vendor.
Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements: