In-Depth
How New Technologies Improve E-Mail Control
Lexicon-based and random reviews address only part of the need to internally monitor e-mail. We explain how, to be complete, a message's context must be examined.
by Shaun Wolfe
E-mail has permeated every aspect of business life over the past decade. It’s quickly grown to the de facto communication method for everything from personal communication to corporate collaboration. This proliferation changes the stakes for IT departments that need to manage electronic communication.
The broad acceptance of e-mail is undeniable. In fact, it is now considered an official business record. Enterprise Strategy Group recently found that e-mail is the most common form of electronic evidence requested during litigation. E-mail also increases security risks. Its casual nature often sparks unintentional data leaks on top of malicious security breaches.
With increased scrutiny and security risk comes the need for tight control. The securities industry poses several unique requirements to meet government regulations and mandates. A National Association of Securities Dealers (NASD) and New York Stock Exchange (NYSE) joint committee recently issued guidance in June for the review and supervision of e-mail and other forms of electronic communication. Their report recommends lexicon-based and/or random reviews as a means to supervise e-mail correspondence.
Lexicon-based reviews evaluate e-mail from a content perspective. For example, sensitive words or phrases are monitored to protect against internal abuse. If these sensitive words or phrases exist within the system, administrators are notified.
Random e-mail reviews encompass a sampling technique that pushes administrators to review a percentage of e-mails to safeguard against violations. The random sample is most often reviewed based on content parameters such as key words or phrases.
Lexicon-based and random reviews address only half the issue—content monitoring. To be complete, the context of the content must also be reviewed. Addressing only the content and ignoring context can lead to more problems when supervising e-mail patterns. We'll focus on four of them. 1. False Positives
The binary nature of the monitoring rules limits lexicon-based reviews. The word “park,” for example, could be used to identify a discussion about parking a financial asset or an address on Park Avenue. The word on its own satisfies the lexicon-based recommendations but leads to a large number of false positives.
Issues related to patterns and expressions also exist. A Social Security number contains nine digits as does a CUSIP number. Looking only for the presence of a nine-digit number will lead to a significant number of false positives.
2. Duplicate Messages
A single message can be sent to multiple recipients, either through a distribution list or simply entering multiple addresses manually. This generates multiple copies of the same e-mail within the review queue, which presents a significant challenge for IT departments that supervise bulk e-mail communications. Productivity and performance suffers as the volume of duplicates held within the review queue increases.
3. Burdensome Review of Internal Messages
Internal e-mail traffic accounts for up to 80 percent of a company’s total messaging volume. Employees often use internal e-mail beyond business communication. In addition, automated notices from fax machines, printers, and other office equipment are often distributed in bulk via internal e-mail. Adding internal e-mail to the review queue burdens the systems under lexicon and random-review methods.
4. Significant Cost of Staff and Infrastructure
Human review of e-mail is expensive and time-consuming. Without better tools to focus efforts, companies must continually add personnel as e-mail volume increases. As it stands, e-mail traffic grows at an average of 30 percent per year.
How New Technologies Fill the Void
Limitations and challenges exist with lexicon-based and random reviews that could potentially cripple supervision efforts. During the evaluation process, companies must seek technologies that ease the burdensome review process while improving overall levels of oversight. This means a comprehensive process that includes reviewing both content and context.
Technologies and solutions are currently available that take five important actions.
- 1. Segment Electronic Communication Flows
Defining and sorting e-mail as inbound, outbound, and internal traffic simplifies the archiving and monitoring process. Taking it a step further, e-mails can be classified as low or high value. This focuses review efforts and enhances oversight efforts.
Opt-in newsletters and news alerts perfectly illustrate the need for segmentation. Each is a repackaging of existing, publicly available information and can generally be classified as low value. Segmentation eliminates these low value messages from the review queue. Low-value e-mail accounts for as much as 25 percent of inbound e-mail traffic.
- 2. Identify “Of Interest” or “Suspect” Communications
Identifying and tagging “suspect” e-mails provides an improved approach to e-mail review. This includes the creation and enforcement of policies and controls to simplify the supervision process. For example, a control can be used to prohibit company mentions during SEC quiet periods. Validation algorithms can also be implemented to differentiate between Social Security numbers and other nine-digit identifiers such as a CUSIP. Movement of suspect files (such as attachment-laden e-mails without text) can also be monitored.
- 3. Suppress Duplicate Messages
Tagging each e-mail with a unique identifier enables the detection of duplicate messages. This presents an opportunity to suppress duplicate messages before they enter the reviews queue. It also provides reviewers with a “select all” capability that can review/release all duplicate messages instead of examining a single message multiple times.
- 4. Enforce Departmental/Business Unit Controls and Exceptions
Companies often require usage permissions that control who can send what information where. Departmental or user-based control methods can identify these messages when a breach occurs and can remove the messages from the review process and/or stop the messages from being released. To accurately identify and enforce these controls, both content and context must be reviewed.
Companies can automate the information boundaries required by many regulations (e.g., NYSE Rule 472(b)(3) and NASD(b)(3)(A)) through a contextual analysis of both the sender and receiver. This removes the dependency on the sender to copy those responsible for legal and compliance efforts. In addition, departments can be removed from the review queue when they don’t qualify for review requirements.
- 5. Provide Selective Pre-Send Review
Companies can enhance e-mail monitoring by moving from a reactive process to a proactive strategy. For example, Deutsche Bank recently lost its role in the Hertz Global Holding initial public offering when someone sent unauthorized e-mails to institutional accounts. The bank could have initiated proactive controls to ensure that Hertz Global Holding was not discussed before a specific time. These messages would have been intercepted and stopped as part of the e-mail supervision process.
More importantly, companies should initiate pre-send reviews to allow users to self-review e-mails that violate current messaging policies and controls. This approach increases overall compliance awareness within the enterprise and can change behavior in the long run.
Summary
Response to the NYSE and NASD joint guidance is clear: Hold tight on recommending only lexicon-based and random reviews. Context must also be considered to increase e-mail and electronic communication supervision. Only then will the proper systems be in place to effectively monitor and supervise electronic communications.
Shaun Wolfe is president and CEO of MessageGate. You can reach the author at shaunw@messagegate.com.