Is your digital record keeping good enough for the regulators?
In a year where digital adoption in financial services has accelerated beyond anyone’s expectations, firms need to make sure they are on top of their housekeeping when it comes to their digital transformation. Whilst records management may not be top of the agenda from a customer perspective, paying attention to digital record keeping is a key regulatory requirement and one that applies no matter what format the customer data is stored in—telephone calls, physical documents, emails or online banking sessions.
But when it comes to digital, there is a whole range of new questions to answer about what you should record. I spoke to records management expert Emily Overton to understand the importance of digital record keeping and how firms can ensure they have this fundamental building block of compliance in place.
Can you give us an overview of what record keeping is and why it is so important?
EO: If we look at the dictionary definition of record keeping it is “the activity or occupation of keeping records or accounts.” But record keeping is so much more than that. I much prefer to call it records management, because you manage records across their whole lifecycle, from creation to disposal.
From the very start of a business transaction, such as opening a bank account, you start managing the record. You cannot wait until records have gathered before you start managing them, as you will never find what you need when you need it. Leaving records unmanaged would risk sanctions by regulatory bodies such as the Financial Conduct Authority (FCA), who have specific rules around record keeping.
Most people think of record keeping as some sort of sophisticated filing system. But it is so much more than this—it is the golden thread of information that leads through your entire organisation and concerns the effective control, governance and use of information and records. Good records management assists business delivery and decision making at all levels of an organisation as well as facilitating compliance and cost and efficiency gains.
Good records management also organizes the information it creates and transforms it into a corporate asset by ensuring that its value is recognized, its information processes are automated and that all relevant risks are identified, mitigated and managed.
What are some of the key record keeping requirements for financial firms?
EO: Clearly, GDPR is a common baseline of regulatory requirements for all businesses, but in the financial services sector, there are many more additional and specific regulations you need to be thinking about when it comes to maintaining records. In the UK, the FCA has a plethora of different rules regarding record keeping spread across the Sourcebook. Here are just some key parts of the FCA Handbook that contain rules around record keeping* for customer interactions and communications:
Senior Management Arrangements, Systems and Controls Sourcebook (SYSC)
Chapter 9: Record Keeping
Chapter 10A: Recording Telephone Conversations and Electronic Communications
Conduct of Business Sourcebook (COBS)
Chapter 4.11.1 Record Keeping for Financial Promotions
Chapter 9.5 Record keeping and retention periods for suitability records
* This list is not exhaustive and firms should conduct their own analysis.
These rules generally focus on the types of firms and regulated activities to which they apply, how the records should be stored, for how long, who should have access to that information and what rights customers have in relation to that information. For example, COBS 4.11 explains that records must be kept “of any financial promotion it communicates or approves” and then goes on to specify in COBS 4.11.3 the length of time that these records should be kept depending on the type of financial product:
“(3) A firm must retain the record in relation to a financial promotion relating to:
(a) a pension transfer, pension conversion, pension opt-out or FSAVC, indefinitely;
(b) a life policy, occupational pension scheme, SSAS, personal pension scheme or stakeholder pension scheme, for six years;
(c) MiFID or equivalent third country business, for five years; and
(d) any other case, for three years.”
What about regulations which are specific to digital records?
EO: With the exception of Chapter 10A of SYSC, most of the FCA record keeping rules are agnostic to the format of the information. Indeed, the FCA defines itself as a ‘technology neutral’ regulator—meaning that the regulatory rules apply irrespective of the type of software systems, infrastructure or communication mechanisms employed by the firm. And generally, from a records management perspective, this makes sense as good records management should be applicable to all types of information.
However, assuming that our current records management processes are adequate for digital records would be a mistake. Just to take one example to illustrate the point, we can consider the Markets In Financial Instruments Directive (MiFID II) rules around suitability, which specify that firms must obtain information about a customer’s investment objectives, risk appetite, financial position and level of financial knowledge and experience in order to make appropriate product recommendations. If customers are interacting in a purely digital manner, either via a website or mobile application, in order to receive this advice and purchase products off the back of the recommendations, how will that firm be able to prove the advice given to that customer unless every step of that customer journey is recorded in a way that can be stored and replayed at a later date? And what exactly should you record?
Should it just be the final tick box that says, “I have a medium risk appetite,” or should you know about the digital journey that explained the different levels of risk to that customer? Should you be able to see how they interacted with the website? Did they change their mind several times? Do they appear to understand the information, or are they confused? Face-to-face or on the phone an adviser can explain and clarify the information, check understanding and record the details, but what do you do about a digital journey?
Should digital records be treated differently to other types of information?
EO: Whilst in principle digital records should be managed like any other type of data, there are a couple of specific issues you should think about.
First, you need to ensure the integrity of the records so that they have evidential weight should they be called upon for dispute resolution, for example. Integrity relates to the potential loss of physical or intellectual elements after a record has been created. For digital records, integrity can be compromised and unlike physical records, it is much harder to tell whether this has occurred. Firms should be keeping a record of each digital journey, in a format which is tamperproof to ensure the integrity is assured for legal or regulatory investigations in the future.
Secondly, in a digital world, most interactions such as buying insurance online or opening an app-based bank account are now completely disintermediated to ensure a speedy and efficient process for the customer. In addition, the use of artificial intelligence to personalize digital journeys or provide robo-advice adds further complexity. COBS 4.11.2 requires firms to keep records of the scripts they use in telemarketing, scripts which are the same for each customer.
Calls are recorded so that a selection of interactions can be monitored. However, if digital interactions with each customer are different and personalized, how can this be captured adequately to provide a complete and accurate record?
What would your advice be to a firm wanting to ensure its digital records are up to scratch?
EO: The sheer volume of digital transactions is such that organisations need digital tools to record and monitor what is happening, for the protection of the customer and the protection of the organisation. We need records to prove the business transactions that have taken place. If you are providing personalised digital journeys or using robo-advisors, you really need to be focused on digital record keeping. If something goes wrong, or if there is a dispute or a complaint, or if you have to undertake a past business review (remember PPI!), the last place you want to be is without evidence. You will need to be able to prove what happened and why specific decisions were made.
You also need to make sure that the governance around your digital records is adequate. Access to these records must be controlled in line with data privacy and protection requirements. You should also think about finding, retrieving and replaying specific records if you need to and how to make this process quick and easy.
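The two answers above ask for a record of every step of a digital journey that is tamperproof, and that can later be found and replayed. One way to meet both requirements is a keyed hash chain: each step is appended together with the MAC of the previous entry, so any later edit, deletion or reordering of a step shows up when the chain is re-verified. The Python below is an added illustration and is not code from the article or from Emily Overton; the journey steps, timestamps, key and function names are constructed for the example.

```python
"""Tamper-evident record of a digital customer journey (added example).

Each step of a customer's online journey is appended to an HMAC chain so
that altering, deleting or reordering a step is detectable on replay.
All steps and the key below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Any, Optional

# Constructed sample key. In a real deployment this would be held in a KMS/HSM,
# separate from whoever is allowed to write to the record store.
RECORD_KEY = b"constructed-example-key-do-not-use"
GENESIS = "0" * 64  # "previous MAC" for the first entry


def _canonical(obj: dict[str, Any]) -> bytes:
    # Deterministic serialisation so the same entry always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(body: dict[str, Any]) -> str:
    return hmac.new(RECORD_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append_step(journey: list[dict], step: dict) -> dict:
    """Append one journey step, chained to the previous entry's MAC."""
    prev = journey[-1]["mac"] if journey else GENESIS
    entry = {"seq": len(journey), "prev": prev, "step": step}
    entry["mac"] = _mac(entry)
    journey.append(entry)
    return entry


def verify_journey(journey: list[dict]) -> tuple[bool, Optional[int]]:
    """Re-walk the chain; return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(journey):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i  # reordered, inserted or deleted entry
        if not hmac.compare_digest(_mac(body), entry.get("mac", "")):
            return False, i  # entry contents changed after creation
        prev = entry["mac"]
    return True, None


def replay(journey: list[dict]) -> list[str]:
    """Human-readable replay of what the customer saw and did, in order."""
    return [f"{e['seq']}: {e['step']['event']} {e['step'].get('detail', '')}".rstrip()
            for e in journey]


def build_sample_journey() -> list[dict]:
    # Constructed steps for a suitability questionnaire: the customer reads the
    # risk explanation, picks "high", changes their mind to "medium", confirms.
    journey: list[dict] = []
    for step in [
        {"ts": "2021-03-01T10:00:00Z", "event": "page_view", "detail": "risk_levels_explained"},
        {"ts": "2021-03-01T10:01:30Z", "event": "select", "detail": "risk_appetite=high"},
        {"ts": "2021-03-01T10:02:10Z", "event": "select", "detail": "risk_appetite=medium"},
        {"ts": "2021-03-01T10:02:40Z", "event": "confirm", "detail": "risk_appetite=medium"},
    ]:
        append_step(journey, step)
    return journey


def tamper_demo() -> tuple[bool, Optional[int]]:
    """Someone later rewrites the earlier answer to match the final one."""
    journey = build_sample_journey()
    journey[1]["step"]["detail"] = "risk_appetite=medium"
    return verify_journey(journey)  # -> (False, 1)


if __name__ == "__main__":
    j = build_sample_journey()
    print("\n".join(replay(j)))
    print("intact:", verify_journey(j))
    print("after edit:", tamper_demo())
```

The MAC key is what turns the chain from a checksum into evidence: without it, an insider with write access to the store could rewrite an entry and recompute the hashes. Two caveats a practitioner would add: the chain does not by itself detect removal of the most recent entries (the tail), so the latest MAC should be periodically anchored somewhere the record writers cannot change, and access to the stored journeys still has to be restricted in line with the data protection requirements mentioned above, since the record contains personal data.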
Want to learn more about digital record keeping? Download our overview, Record Keeping and Digital Channels.
About Emily Overton
With 15 years in the industry, Emily Overton’s fundamental philosophy is that compliance cannot be achieved if records management is not stable. In 2015, Records Management Girl was born, through which she has advised clients ranging from freelancers and SMEs to large international corporations. Her specialities include Information Asset Registers, Offsite Storage Contracts & Contents, BS10008:2014 & Scanning, Retention Schedules & Policies, GDPR, EDRMS, Systems Implementation, Contract Management, Information Risk and Data Audits.