In the wake of Bank of America preparing to receive an enforcement action, US regulators around the country are cracking down on organizations, specifically financial institutions, over their failure to monitor how employees use personal devices for work-related purposes. In fact, regulators can expect to receive close to $1 billion in fines from five of the biggest US investment banks over this transgression.
Here are some examples, from the last year alone, of financial institutions in the United States that are in talks with regulators:
- JPMorgan Chase has agreed to pay a $125 million penalty to the Securities and Exchange Commission (SEC) and another $75 million to the Commodity Futures Trading Commission (CFTC) over failures to maintain and preserve written communications
- Morgan Stanley expects to pay a $200 million fine over failure to monitor employees using unauthorized messaging apps
- Citigroup and Goldman Sachs are currently being investigated over their employees’ communication practices
The pandemic forced many businesses to operate remotely, which has opened a huge gap for confidential information to be passed through unauthorized channels that are harder to surveil. So how can financial institutions and other highly regulated industries keep track of and monitor employees' work-related activity on their personal devices? It starts with implementing robust improvements to your BYOD policy.
We outline 3 best practices below to ensure your organization has a well-drafted BYOD policy that employees can easily follow:
1. Make sure your policy is to the point and clearly outlines how employees can use their personal devices for work-related matters
Avoid a verbose and lengthy policy document that employees might simply ignore. Get to the point early, and ensure your policy specifically outlines what employees can and cannot do when it relates to their personal devices. For example:
- Can they take employee training on their phones?
- Are there any websites that are banned while a device is connected to the company’s network?
- Can they open attachments that may contain confidential information on their own devices?
- What specific applications are permitted or prohibited? For example, can they use messaging apps like WhatsApp to communicate and share information with employees and external stakeholders?
2. Make sure employees are aware that there is a BYOD policy in place
Having policies that are not followed can actually be worse than not having them at all. To address this concern, ensure you store all relevant information in a single repository, provide adequate training to employees and communicate any changes across multiple channels, so they understand what to do and the consequences of not complying with the policy.
- Announce the new policy on a company-wide call and record it for anyone who is unable to attend
- Provide a banner on your company’s intranet to bring awareness to the new policy
- Make sure that you have a streamlined process and platform to help you easily disseminate the new or updated policy across your organization and easily track adherence
- Review the changes to the policy with managers and ensure they disseminate this information to their teams, thus providing an outlet for employees to ask any questions or address any concerns.
3. Invest in good technology
In addition to creating a BYOD policy, investing in the right technology to monitor employee behavior, like mobile device management software, can save your compliance team time and help them focus on higher-value projects. As Stephanie Feldt, Chief Compliance Officer & General Counsel at Trading.com, mentioned in a recent webinar with Clausematch, “The use of technology is very helpful. It allows you to generate reports remotely, monitor interactions with customers, customer training activity, or what traders are doing on the trading floor. Technology helps enable surveillance of email and social media, establish clear procedures as to what emails can and cannot be accessed, and guide the use of social media websites.”