The need for better capture, the drive for surveillance of broader populations and the need to...
In a recent conversation around the US enforcement actions on message channel capture, 1LoD was told in no uncertain terms by a senior Global Markets Compliance Surveillance professional at a major German bank that, according to its lawyers, ‘in Germany we are not allowed to do e-Comms surveillance’. This bank surveils the e-comms of all of its global operations except Germany. It is by no means alone.
It’s worrying that in 2022 this blanket statement is viewed as a reasonable excuse for what would appear to be non-compliance with core European anti-market abuse and anti-financial crime legislation, not least because it is not true..png?width=371&height=209&name=StoryKit%20Content%20(4).png)
Now it is certainly the case that German law makes e-comms surveillance more complicated, particularly if employees are allowed to use BYOD or work-supplied devices for both work and private communications.
But the answer to that is to mandate the use of corporate devices for all business communications and to ban any private communications from those devices. This is in fact what some banks outside Germany believe they may also have to do to deal with the recent enforcement actions around messaging in the US.
Banks in Germany have also successfully negotiated with their works councils (Betriebsräten) to ensure they are able to carry out their duties under MiFID II and MAR and German law permits surveillance if it has been negotiated into a works agreement or a collective bargaining agreement.
It is also possible for an employee to give their consent to specific data processing requirements contractually though there are legal wrinkles to this.
All of this illustrates a wider question. Are banks deliberately favouring legal interpretations that let them avoid certain surveillance activities? For example, some bank lawyers argue that in Europe the audio from Zoom and Teams meetings does not have to be because those tools replace face-to-face meetings (whose audio does not need to be recorded). There is a logic to that, sure, but equally it implies that regulated employees could simply replace their phone calls (which do have to be recorded) with video conferencing and avoid voice scrutiny altogether.
So, is it a technology issue? Is it that the regulations are a mess and do not specify sufficiently stringent rules around e-comms and voice capture and surveillance for large enough populations of bank employees? Or are banks deliberately reducing their surveillance footprints to the legally defensible minimum while claiming to want to move beyond the regulatory basics to risk-based, integrated surveillance?
To give the banks their due, two European regulators spoken to by 1LoD recently were quite clear that neither e-comms channel capture/surveillance nor voice surveillance were priorities and there were no plans to change that. Hiding behind your lawyers looks like the smart move, at least in Europe.
.png?height=200&name=What%20to%20do%20about%20data%20completeness%20(1).png)