Record keeping and digital channels
How can you meet digital regulatory requirements if you are not recording everything?
Introduction
"If it isn't written down, it didn't happen." This is at the heart of records management, and why keeping a record of everything that happens in your business is important. However, when it comes to digital, we often find that record keeping is seen as less important than other more business critical activities, such as customer acquisition, customer service and improving the bottom line. And in reality, that is understandable, because it's only when something goes wrong that the real value of having robust records is realised.
These are the types of issues that have resulted in firms facing enormous compensation and redress costs.
In this white paper, we take a deep dive into digital record keeping in financial services. In our view, with the enormous shift to digital channels for numerous types of financial services, keeping accurate and complete digital records is fundamentally important. However, there is a lag between when new technologies start to be used to deliver new products and services, and when the regulations about how these new technologies should be deployed catch up with the technology. That's our current reality: there are no existing rules specific to record keeping for digital channels.
That is not to say that there are no rules, but firms have to interpret what has been published for other formats and decide what the digital equivalent is. For example, there are regulations around the recording of phone calls which firms may apply to digital channels, but there's no clear-cut guidance. Do you need to capture the equivalent of tone, pace, hesitation, or the questions raised by the customer? And what is the digital equivalent? As a result, there is a lack of clarity and consistency from one firm to another, and recent polls have identified that there is a strong desire from the industry for the regulator to clarify the requirements.
In this white paper, we offer you some pointers about some of the pitfalls associated with digital records and how technology solutions such as Glassbox can help you to overcome them.
What is record keeping, and why is it important?
Let's start with the basics. Record keeping is a function devoted to the management of records and information in an organisation throughout their lifecycle, from the time of creation or inscription to their eventual disposition. This process includes identifying, classifying, storing, securing, retrieving, tracking and destroying or permanently preserving records.
The ISO 15489-1:2016 standard defines records management as:
"[The] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records."
Historically firms have kept records based on paper-based processes (e.g. application forms, etc.), face-to-face meetings (e.g. file notes, minutes, etc.) and phone calls (e.g. recordings, scripts, etc.). But increasingly, customers are turning to digital channels like web and mobile apps, and firms are using the power of technology to deliver more and more personalised content as part of an interactive customer journey. The products and services delivered via digital are becoming more complex and higher risk. This trend has accelerated as a result of Covid-19 restrictions, but in reality this is a trend which started pre-pandemic. Firms must recognise the growth of digital channels and ensure that their record keeping scope and processes are as effective for digital as they are for other media.
Record keeping is the foundation for the success of an organisation. Without information that can be retained, verified, maintained and retrieved, it is very hard for the organisation to operate effectively. According to the ICO's new accountability framework, good records management is fundamental because it:
"...supports good data governance and data protection. Wider benefits include supporting information access, making sure that you can find information about past activities, and enabling the more effective use of resources. Some of the consequences of poor records management include poor decisions, failure to handle information securely and inefficiencies."
As well as complying with regulatory requirements about record keeping, good records management also ensures:
- Access and availability of information
- Integrity of information
- Legal, regulatory and business retention of information
- Defensible disposition
- Protection and security of information
Records serve as evidence of an event; records provide the necessary documentation for audits, past business reviews, court cases, or other official uses. And of course they come in handy for marketing, customer service and beyond, but we are focussing here on the regulatory and compliance requirements. Because of this, authenticity, reliability, integrity and usability are fundamental principles of good records management, along with a lesser known requirement called non-repudiation. The latter is absolutely critical in the financial sector and means having appropriate records to ensure both parties follow their obligations to a contract such as a loan, overdraft or credit card provision.
Whilst it may be tempting to think of records only as tangible, physical documents, the truth is that there are many types of media and formats used to keep records, from microfiche to PowerPoint. In record keeping terms, the type of format does not change the retention period or the requirement to maintain records, but different formats have different handling requirements. For example, financial institutions embraced microfiche in the early 1980s as a means of automating and compressing their physical records. Now, this technology is largely obsolete, with microfiche readers becoming rarer than hen's teeth, making it very hard for firms to retrieve these records today, if required.
Fast forward to 2020 and records are being kept in formats that were unimaginable in the 1980s, and firms need to be equally forward-thinking now when it comes to managing digital records in order to remain compliant.
The way business has handled the need for proof in the past was to write down the basis of the contract (terms and conditions, brochures, key features, etc.) and to keep copies to ensure that there was an accurate record.
As the phone became an additional channel, calls have been recorded for the same purpose.
But with the advent of digital channels, many organisations appear to have adopted a different standard of proof. Notwithstanding that the regulators state that their rules and regulations are intended to be media neutral, many firms are relying upon a lower threshold of evidence about the details of the process, information provided and product disclosure for a digital journey than they would have done for a paper journey. For example, in the paper world organisations would typically keep a copy of the brochure, the terms and conditions, the application form, key features, fact find and other correspondence in relation to the sale. Additionally, organisations would retrospectively monitor the process to ensure that all the necessary information had been provided, that the correct process had been followed and all the necessary warnings, caveats and authorities had been recorded. In this scenario, in the event of a complaint or dispute, the organisation could produce the original documentation (or images of it) to prove what happened at the time.
But in the digital world, many organisations rely upon retrospectively collating data from a myriad of sources to try to recreate the digital journey that a particular customer should have experienced. At best, this solution is likely to give a partial view of what happened with an element of doubt as to exactly what did happen online at the time. In addition, organisations may not be able to monitor the process effectively so cannot be confident that there is no customer detriment.
What is the link between compliance and record keeping in financial services?
There are two really important ways to think about record keeping in financial services.
The first is that regulatory standards in many jurisdictions have specific record keeping requirements. Examples include:
- FCA Handbook (Conduct of Business Standards [COBS], Senior Management Arrangements, Systems and Controls)
- US Securities and Exchange Commission (SEC Rules 17a-3 and 17a-4)
- US Financial Industry Regulatory Authority (FINRA Rule 4511)
- European Union (MiFID II Article 16(7))
The second is that in a situation where the financial supervisor is conducting an investigation or considering bringing an enforcement action against a firm, having full and accurate records can provide the evidence that there has not been a breach in compliance or conduct.
Using the UK as an example, the FCA handbook has record keeping requirements located throughout the handbook. These rules generally focus on the types of firms and regulated activities to which they apply, how the records should be stored, for how long, who should have access to that information and what rights customers have in relation to that information.
There are too many requirements to go into detail here, but one example is COBS 4, which focuses on the rules around financial promotions. Amongst other requirements, such as how firms should communicate with their clients, chapter 4.11 lays out the record keeping retention rules with respect to financial promotions.
COBS 4.11
(3) A firm must retain the record in relation to a financial promotion relating to:
- (a) a pension transfer, pension conversion, pension opt-out or FSAVC, indefinitely;
- (b) a life policy, occupational pension scheme, SSAS, personal pension scheme or stakeholder pension scheme, for six years;
- (c) MiFID or equivalent third country business, for five years; and
- (d) any other case, for three years.
COBS does not contain any rules specific to the digital environment, but it is specific, for example, about the need to retain telemarketing scripts (COBS 4.11.1(2)). The rules read as if they are largely based on physical record keeping which do not map easily onto the financial industry's move to digital over the last few years.
We can also look at the example of SYSC Chapter 9 which sets out more general record keeping requirements, based on the type of financial firm.
SYSC Chapter 9
- (1) A common platform firm must arrange for records to be kept of all services, activities and transactions undertaken by it.
- (2) The records in (1) must be sufficient to enable the FCA to fulfil its supervisory tasks and to perform the enforcement actions under the regulatory system including MiFID, MiFIR and the Market Abuse Regulation, and in particular to ascertain that the common platform firm has complied with all obligations including those with respect to clients or potential clients and to the integrity of the market.
From a regulatory perspective, keeping and retaining accurate records is critical for supervisors to monitor firms. Supervisors in the UK do not monitor the activities of financial firms in real time and, therefore, have to rely on reviewing records in order to ensure firms are in compliance.
In the event of a regulatory investigation (or even a legal case), a firm's records are likely to become evidence, and if records are to be of evidentiary quality, they must have complete integrity. For records to have integrity, they must be complete, giving you the ability to tell the full story without leaving any gaps.
If you are faced with a situation such as being a witness in a court of law under cross-examination, any holes in your story will be exploited by lawyers, especially if there are gaps in the records being used to back up your testimony. The analogous situation for financial firms is a regulatory investigation.
Even where there has been no breach in compliance (e.g. no failure to treat a customer fairly), a firm cannot prove this unless it holds evidential documentation and can vouch for the integrity of its records. Firms cannot rely on their institutional memory of what happened some time ago; records with full integrity need to be kept.
So what about digital records in financial services?
In early 2020, PwC predicted that this year would see "digital become mainstream" in financial services (2), playing into the ongoing debate about whether FinTech is set to displace incumbent financial firms. There is no doubt that challenger banks such as Starling and Monzo continue to gain market share, forcing incumbent banks to digitally transform to keep up. And the coronavirus pandemic has had the impact of accelerating this switch to digital adoption, drivers that make ensuring compliance with requirements such as COBS for digital records an increasingly pressing concern.
What is the difference between a digital record and a digitised record?
We can distinguish between records that are truly digital (known as born-digital) and records that are digitised i.e. created in a physical format such as a passport and then made digital by scanning it and making an image file. Examples of born-digital records include:
You could argue that this is as it should be: the requirements for keeping immutable records, retaining them and being able to retrieve them should apply no matter what the format. However, there are specific considerations when thinking about digital record keeping, due to their unique nature.
The first key to maintaining the integrity of records is the concept of 'write once, read many' (WORM), which is usually associated with technologies for storing data. The principle behind WORM is that once something has been recorded, whether physically written on a piece of paper, written in a digital format such as an email or recorded like a telephone conversation, it must then be completely unalterable. Several regulators specify the use of WORM data storage technology, particularly the SEC and FINRA. And the regulators take this requirement seriously. In 2016, FINRA fined 12 firms a total of $144.4m for "significant deficiencies relating to the preservation of broker-dealer and customer records in a format that prevents alteration."
The second feature of digital records that needs careful attention is the need to balance the regulatory requirements for record keeping with the provisions of other regulations such as the data protection rules under GDPR. Firms must consider how to store digital records containing personally identifiable information (PII) in a way that does not allow people without permission to access those records.
A final consideration is the vulnerability of digital records to cybercrime. Digital records must be kept securely to mitigate this risk.
Are there any specific digital financial services where digital record keeping is especially important?
Clearly, the regulatory requirements for digital record keeping are applicable in the same way and to the same types of firms and products as other media formats. For all types of digital channels and products, firms need to record customer interactions in a way that is secure, can be stored in line with the regulatory retention requirements, retrieved when necessary and ultimately deleted or forgotten. Technology solutions such as Glassbox are available to help them do this. But, there are two specific cases that clearly demonstrate the need for exceptional digital record keeping.
Personalisation of customer journeys
In the era of 'customer is king' and the customer-centricity of the more disruptive FinTech players, banks and other financial firms are increasingly making use of personalisation in their online and mobile customer journeys. A 2019 KPMG report reveals "a company's ability to deliver a personalized experience is directly related to their brand loyalty. Customers consistently ranked banks with great personalization capabilities as best in class." This same report predicted that in the competition for market share, personalisation will become an increasingly important point of differentiation and one that incumbent banks will take even more seriously.
Personalisation can range from recognising a customer and calling them by name as soon as they log in to offering them products and services tailored to their preferences, risk appetite, etc. Of course, this is good news for customers who increasingly want more personal engagement, even on digital channels.
However, personalisation also adds an additional layer of complexity when it comes to keeping digital records. Unlike telemarketing, where scripts can be followed, with personalised journeys, each customer has a different experience based on the data about them that is being fed into the algorithms. Unless firms are recording the digital journey exactly as the customer sees it, there will be no record of what happened during each separate customer session.
Robo-Advice
Another recent trend is the rise of automated investment advice called 'robo-advisors'. These digital platforms offer investment advice or financial planning services which are driven by automated algorithms with little to no human intervention. Estimates indicate that the global market for robo-advice in terms of assets under management is projected to reach over $980m in 2020. New platforms such as Nutmeg, Wealthify and Wealthsimple are gaining traction, particularly for younger, millennial investors. Incumbents are also getting in on the act, with Barclays recently announcing a digital advice service for its existing customers.
4 https://home.kpmg/xx/en/home/i...
5 https://www.statista.com/outlo...
Robo-advisors work by matching the customer's risk profile and preferences with investment products and then executing transactions to build an optimised portfolio in line with the customer's investment goals. Decisions regarding which investments to target are made using artificial intelligence, based on data the platform has collected about the customer and a whole range of investments and funds. From a regulatory perspective, robo-advisors have attracted a lot of attention, particularly as it is unclear how the usual fiduciary duties of investment advisors acting in their clients' best interests can be applied to algorithms.
Regulators in both the U.S. and Europe have clarified this position, and it largely hinges on being able to prove the suitability of the advice offered based on the customer's profile. This means, amongst other things, understanding the risk appetite of the customer and the customer's investment objectives, and being able to demonstrate the firm's reasoning behind suggesting products in line with the customer's requirements. In the FCA Handbook, we can see the application of this to automated advice:
"Where investment advice or portfolio management services are provided in whole or in part through an automated or semi-automated system, the responsibility to undertake the suitability assessment shall lie with the investment firm providing the service and shall not be reduced by the use of an electronic system in making the personal recommendation or decision to trade."
For firms with robo-advisor platforms, to satisfy these sorts of requirements, they must be able to prove that the advice offered to their customers was suitable. This brings us back to the issue of digital records and having the ability to replay customer interactions with the digital platform to prove the advice was suitable and not misleading.
Firms should not underestimate the seriousness of regulatory supervisors when it comes to enforcement in this area either. In December 2018 in the U.S., the SEC took enforcement actions against two robo-advice companies. Amongst the compliance failings were violations against the books and records provisions of the Investment Advisers Act of 1940, which dictates that every registered investment advisor shall keep current and accurate books and records relating to its investment advisor business.
In both these cases, regulatory risks can be significantly reduced by adopting technology which can record every detail from the customer's perspective. Firms must be able to provide immutable digital records that can be securely stored and retrieved to prove compliance with regulatory requirements, whether it is FINRA, the SEC or the FCA.
6 https://home.barclays/news/press-releases/2020/07/barclays-helps-close-the-advice-gap-with-launch-of-plan--invest/
7 FCA Handbook COBS 9A.2.23
What to look for in a digital record keeping solution?
There are three key elements to the digital record keeping process: recording, storage and retrieval.
Recording
As we have seen, with the increasing personalisation of digital journeys and the numerous channels through which customers can access financial services (mobile apps, websites, etc.), no two journeys are the same. Content on websites is dynamic, personalised to that specific user and their circumstances. Features and content change, not just depending on the type of device used, but also based on past user actions and behaviours.
An accurate digital record must therefore be able to capture both what the customer saw and interacted with and also the technical events that occurred to make the experience happen in that moment. Glassbox provides this capability, recording every web or mobile session exactly how the customer sees it, irrespective of the device, as well as all of the server-side events.
Storage / retention
Security and integrity of digital records is of paramount importance. Using Glassbox, once captured, the records cannot be tampered with, fulfilling compliance with the WORM principle.
Data is encrypted and time-stamped, so it can be used forensically when required. Using patented technology, data is compressed to less than 5% of the original data footprint, allowing retention of the data for the long term at lower cost.
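The WORM principle described in the earlier section and the time-stamped, tamper-proof storage described here can both be illustrated with a small append-only log. The following is an added example and not Glassbox's own code or a description of its patented technology: it uses hash chaining and an HMAC (techniques chosen for this illustration, not named on the page) so that any change to a stored record, or the removal of a record from the middle of the log, is detected on verification. The key, record contents and session events are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed key for this illustration only. In a real deployment the MAC key
# lives in an HSM or secrets manager and is never held in application source.
DEMO_KEY = b"illustrative-key-not-for-production"
GENESIS = "0" * 64


@dataclass(frozen=True)
class Record:
    index: int        # position in the log; also bound into the MAC
    timestamp: str    # ISO-8601 UTC, assigned when the record is written
    payload: str      # what was captured, e.g. a serialised page view
    prev_hash: str    # hash of the preceding record (GENESIS for the first)
    mac: str          # HMAC-SHA256 over index, timestamp, payload, prev_hash


def _mac(key: bytes, index: int, ts: str, payload: str, prev_hash: str) -> str:
    msg = json.dumps([index, ts, payload, prev_hash], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _record_hash(r: Record) -> str:
    msg = json.dumps([r.index, r.timestamp, r.payload, r.prev_hash, r.mac],
                     separators=(",", ":")).encode()
    return hashlib.sha256(msg).hexdigest()


class WormLog:
    """Append-only store: records can be added and read, never edited.

    There is deliberately no update or delete method; the only way to change
    a stored record is to alter the underlying storage, which verify() catches.
    """

    def __init__(self, key: bytes = DEMO_KEY) -> None:
        self._key = key
        self._records: List[Record] = []

    def append(self, payload: str, timestamp: Optional[str] = None) -> Record:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        idx = len(self._records)
        prev = _record_hash(self._records[-1]) if self._records else GENESIS
        rec = Record(idx, ts, payload, prev, _mac(self._key, idx, ts, payload, prev))
        self._records.append(rec)
        return rec

    def records(self) -> Tuple[Record, ...]:
        return tuple(self._records)  # read-only snapshot

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, index of first bad record)."""
        prev = GENESIS
        for pos, r in enumerate(self._records):
            expected = _mac(self._key, r.index, r.timestamp, r.payload, r.prev_hash)
            if (r.index != pos or r.prev_hash != prev
                    or not hmac.compare_digest(expected, r.mac)):
                return False, pos
            prev = _record_hash(r)
        return True, None


def simulate_disk_tampering(log: WormLog, index: int, new_payload: str) -> None:
    """Model someone editing the stored file directly, bypassing the API."""
    log._records[index] = replace(log._records[index], payload=new_payload)


def simulate_disk_deletion(log: WormLog, index: int) -> None:
    """Model a record being removed from the stored file."""
    del log._records[index]


def build_demo_log() -> WormLog:
    # Constructed session events with fixed timestamps so results are repeatable.
    log = WormLog()
    log.append("page=/terms shown", "2020-09-01T10:00:00+00:00")
    log.append("page=/apply submitted", "2020-09-01T10:05:00+00:00")
    log.append("page=/confirmation shown", "2020-09-01T10:06:00+00:00")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("fresh log intact:", log.verify())
    simulate_disk_tampering(log, 1, "page=/apply abandoned")
    print("after tampering:", log.verify())
```

One caveat worth knowing when relying on a chained log as evidence: removing records from the end of the log, or the whole log, is not detected by the chain itself, because nothing later points back at the missing tail. Firms usually close that gap by periodically anchoring the latest record hash somewhere outside the store (a separate audit system or a trusted timestamping service) so that the expected tail can be compared against what is on disk.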
It is also critical that only those with the correct permissions have access to the data, and Glassbox provides an extensive set of controls around access to the data. Access is configured at the role-level and individual user-level so that permissions can be granted based on the need to know or see the data. Data can also be masked or omitted depending on access configuration. For instance, IT may need to view a session replay to understand a technical issue on a certain webpage, but they do not need to see the data the customer entered on the page. But an underwriter would need to see the customer data. With Glassbox, the data can be masked for some but visible for others who need to see it to complete their job tasks. There is also a full access log of who has viewed the data. There are extensive controls to comply with GDPR, and Glassbox is the only session replay provider to hold an ISO 27701 certification.
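The access model just described (permissions set per role and per user, fields masked or omitted according to that configuration, and a log of every view) can be expressed as a small policy check over a captured session. The following is an added example written for this page, not Glassbox's own access-control code; the session schema, role names and field names are constructed for the illustration.

```python
import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

MASK = "****"

# Constructed schema: which captured fields are personal data.
PII_FIELDS: Set[str] = {"full_name", "date_of_birth", "account_number", "postcode"}
TECH_FIELDS: Set[str] = {"session_id", "timestamp", "page", "http_status", "device"}


@dataclass(frozen=True)
class AccessPolicy:
    clear: Set[str] = field(default_factory=set)   # shown exactly as captured
    masked: Set[str] = field(default_factory=set)  # present, value replaced by MASK
    # Any field in neither set is omitted from the view entirely.


# Role-level configuration. IT support can replay the technical journey but
# sees the account number masked and the remaining PII omitted; an underwriter
# needs the customer data to do their job. Unknown roles are denied.
ROLE_POLICIES: Dict[str, AccessPolicy] = {
    "it_support": AccessPolicy(clear=set(TECH_FIELDS), masked={"account_number"}),
    "underwriter": AccessPolicy(clear=TECH_FIELDS | PII_FIELDS),
}

# User-level grants layered on top of the role (constructed example: one named
# IT user has been approved to see postcodes for a specific investigation).
USER_EXTRA_CLEAR: Dict[str, Set[str]] = {"it.jones": {"postcode"}}


def effective_policy(user: str, role: str) -> Optional[AccessPolicy]:
    base = ROLE_POLICIES.get(role)
    if base is None:
        return None
    extra = USER_EXTRA_CLEAR.get(user, set())
    return AccessPolicy(clear=base.clear | extra, masked=base.masked - extra)


def view_session(session: dict, user: str, role: str, audit_log: List[dict],
                 now: Optional[str] = None) -> dict:
    """Return the view of `session` that `user` acting as `role` may see.

    Every attempt, granted or denied, is appended to `audit_log`.
    """
    at = now or datetime.now(timezone.utc).isoformat()
    policy = effective_policy(user, role)
    entry = {"at": at, "user": user, "role": role,
             "session_id": session.get("session_id"), "outcome": "denied",
             "fields_in_clear": []}
    if policy is None:
        audit_log.append(entry)
        raise PermissionError(f"role {role!r} has no access policy")

    view = {}
    for name, value in session.items():
        if name in policy.clear:
            view[name] = copy.deepcopy(value)
        elif name in policy.masked:
            view[name] = MASK
        # otherwise omitted
    entry["outcome"] = "granted"
    entry["fields_in_clear"] = sorted(k for k in view if k in policy.clear)
    audit_log.append(entry)
    return view


# Constructed captured session used by the demo and tests.
SAMPLE_SESSION = {
    "session_id": "sess-0001",
    "timestamp": "2020-09-01T10:05:00+00:00",
    "page": "/apply",
    "http_status": 404,
    "device": "iPhone",
    "full_name": "A. Customer",
    "date_of_birth": "1980-01-01",
    "account_number": "12345678",
    "postcode": "AB1 2CD",
}


if __name__ == "__main__":
    audit: List[dict] = []
    print(view_session(SAMPLE_SESSION, "it.smith", "it_support", audit))
    print(view_session(SAMPLE_SESSION, "u.brown", "underwriter", audit))
    print(audit)
```

Two design points are worth noting. Omitting a field is stronger than masking it, because a masked field still reveals that the customer entered something; the example omits PII for the IT role by default and masks only the account number, which support staff may need to recognise as present. The audit entry is written before the permission check raises, so a denied attempt is recorded as well as a granted one.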
Retrieval
When the regulator comes calling, firms must retrieve their records in a timely manner. Glassbox automatically indexes every aspect of a digital session, including both the information provided by the customer and by the firm. Sophisticated "Google-like" search capabilities help you find any and every session where specific events occurred. For example, you could search for all sessions where terms and conditions or an error code 404 appeared, or within a specific date/time range, or based on an IP address, etc. All sessions can be exported, analysed and replayed in near real time (just a three second delay).
Are there benefits in having good digital record keeping beyond regulatory compliance?
As mentioned above, good records management in general is good for business. Having complete records of all your customer interactions over digital channels can have a positive impact on customer service. For example, because Glassbox is capturing digital journeys in real time, if a customer appears to be struggling, an alert can flag the call centre that extra support is required. Customer service agents can view exactly what the customer is seeing to help them resolve their difficulties.
Glassbox's replay technology can also help with customer complaints or disputes. If a customer does claim that they were not shown the right information when they were making a purchase, Glassbox can prove what was presented to them, how it looked on screen (regardless of device) and how long they spent reading or interacting with each section of the screen. By providing a single version of the truth, issues can be resolved quickly and disputes settled without resorting to 'he said / she said' conflict.
In short, by having access to an immutable record of an entire digital journey, financial services firms can continuously improve their customer service, enhancing customer loyalty and ultimately their share of an increasingly competitive market.
Conclusion
Robust and effective record keeping is vital for both regulatory and commercial purposes. However, in an environment where there are no specific rules around your digital records, it can be tempting to disregard record keeping in favour of seemingly more important issues. Hopefully, the message of this white paper is clear: digital records should be given the same priority (if not higher) as all other formats, using the existing regulations as a basis for action. That means that you need to be able to record, store, retrieve and replay all digital journeys that your customers undertake with you in a manner that is analogous to keeping a full paper trail or phone recording. By doing this, firms will ready themselves for any potential regulatory investigations, be able to better serve their customers, have a secure and immutable evidence base and be in a position to mitigate the risk of regulatory sanctions.