Track 3: Hacking your compliance to facilitate growth

Compliance continues to be a top priority on wealth management's tech agenda. But considering the highly-regulated nature of the industry, compliance can create bottlenecks that impact growth without the right approach. The good news is that it doesn't have to be that way. This session will help wealth managers make the most of their future compliance investments, and leverage those decisions to deliver ROI long-term.

Transcript :

Justin Mack (00:07):

All right, we are going to get rolling. This is our crew. Everyone else is just scared of compliance and I understand it because they are not ready for it. So I want to thank you all for joining me. My name is Justin Mack, Wealth Tech Reporter for Financial Planning and Host and Lead Editorial Producer of the Financial Planning Podcast. And this session part of track three is hacking your compliance to facilitate growth. And often we know compliance a topic that not everybody wants to talk about all the time. Sometimes it comes up only in negative connotations, but it does not have to be that way. Just because you are making sure that you are doing what you are supposed to do does not mean you can't do it in a way that can really provide some long-term ROI to your firm. So I have a wonderful crew that's going to break down this conversation with me today. So joining me now, I have Kiran Somashekara Partner of Reed Smith, Therese Craparo, Partner at Reed Smith, and Tiffany Magri Regulatory Compliance Advisor of Smarsh. Please make a quick round of applause for our wonderful panel.

(01:04)

And we kind of set up the stakes of this topic. It is like we know we have to stay compliant. We know that Technology is helping in ways to do that, and we also know that there is a lot of investments going on in wealth tech in general. A lot of folks may be looking for the perfect solution to take care of all their compliance needs, but we know it is not as simple as that. We also know that there is a lot of folks pursuing a very aggressive tech strategy. So how do you chase that innovation, chase the bleeding edge, but make sure you are not moving at a pace that outpaces the regulators and might up in a little bit of hot water. So a lot to unpack. I want to jump right into it with my first question, and I am actually going to kick things off with Tiffany because well, she's right here to my immediate, so she does not have a choice. So first question I really have is how early is too early to start thinking about compliance as firms look into two new technology, when you start seeing that new shiny toy that's really appealing. Do you think about compliance after the fact or should you check before you even think about maybe signing that contract or putting down those dollars?

Tiffany Magri (02:02):

Yeah, it is definitely not a ask for forgiveness later type of situation here. Always start with using, utilizing your compliance people early on within your decision making process. I spent a lot of time, particularly with marketing departments over the years, do we want to get on social? Do we want to use text for marketing? Do we want to use this cool new tool? We are going to build it in house, but if you don't start by talking to compliance first, you are setting yourself up for roadblocks and bottlenecks down the line. If you can get them in there, they are trained to identify those risks ahead of time. They know what to look for, they know how to ask those meaningful questions, and it can help prevent you from having a situation where, hey, maybe you can't even use this tool. I spent a lot of time looking at vendors over the years and my number one question was to them, anyone we would engage with was, do you work with financial services companies? Because if you didn't, I knew I was going to have a much heavier lift for compliance. Do they understand that? Can they speak the language? Can they take in some of these different risks assessment and stuff that you are going to have to do along the way as you are setting up these new vendors? So always start with getting your compliance involved At the very beginning, best case scenario, they say, Hey, this looks good. Come back and see me when you get further down the line. Or they can tell you where your landmines might lie.

Justin Mack (03:13):

Wonderful. And Therese, I want to kind of extend that question to you and add an additional element to it. It is really, I want to know how should firms set up their game plan then as they are thinking about, all right, we are going to chase this tech, we are going to chase this tool. As Tiffany mentioned, getting people in at the start. So talk to me a little bit about game plan. I know that the important thing too is that compliance has to be an all in thing. Everyone has to understand their importance in it and kind of create that culture of compliance so that everyone's keeping their firm extremely safe. So talk to me your thoughts about getting folks involved early and creating that game plan from the jump.

Therese Craparo (03:46):

Yeah, look, I mean I think the most important thing is education. When we come in, the number one problem that we find happens when there is a problem is no one told the people who were looking at the technology or building the technology, what the rules should be or what they should be considering when they were buying it. So you could get 10 steps down the road and suddenly now we have a roadblock or we have a problem. We literally just had a situation, two totally different teams, one team looking into building a new technology, didn't ask anyone, no one gave them any guidance. they are out there, it is really cool, new tool. They spent a year investigating it and implementing it and building it. And then someone raised their hands and said, don't we need to do these three things? And they came to the committee who looks at that.

(04:37)

It put a whole stop on everything they were doing. It was fundamentally pieces that probably if they had come to them a year ago, they could have built right in. It affected their timelines, it made the business upset, it created a huge amount of problem, different team coming in, building a whole new technology. They are at the build stage. They raised their hands first and said, what do you need for us to do? We said, okay, here are the four things you need to build in. They are like, okay, no problem. We can build that in. Most of the time if the people who are building or implementing the technology know what the requirements are, you can figure out a way to implement them as part of the build, as part of the implementation, as part of the contracting process that isn't necessarily a whole lot more expensive and will not slow things down.

(05:23)

There is always the time where we can't make this thing compliant, but it is not, most of the time, it is pretty rare when that happens. And frankly, with the exception of the very few vendors, vendors that are coming into this space want, they are willing to do what it takes. They want the business. There are very few that'll be like, nah, not even if they haven't worked with financial services before. There is very few that will say, absolutely not. We are not going to bother. There are some, they do exist, but for the most part, even if it is a third party vendor willing to work with you. But I think when a game planning thing, half the half of what is required is making sure that the folks that are out there making the decisions and looking for the technology and doing the builds, actually know what they need to do from a compliance perspective so they can take it into consideration.

Justin Mack (06:15):

Absolutely. And then well said about almost not working in that isolation and having that conversation first because the willingness to and the mutual benefit of making sure that they are working, that compliance focus into their technology, it drives business. It hopefully will also foster a stronger competition. I mean, excuse me, a stronger connection between firm and vendor because you've had that kind of collaboration. So who knows what the next thing could be like Kiran, your thoughts on kicking things off in that game plan and starting early.

Kiran Somashekara (06:42):

Yeah, so I think mean, Justin mentioned what some people may view as a cliche, this culture of compliance, which you hear the SS e c enforcement director and the FINRA enforcement director and people who get on the news and make pronouncements about big cases, encourage firms in the financial services sector, foster culture of compliance. Well, it can be a cliche, but it really does not have to be right. And the idea here is that if you are our friend in the back there who's in compliance, you don't want to take advantage of people like that in your organization from the beginning to make them an integrated part of your business process. So if you are developing a new product or you are developing a new service or a new platform, having having people who know the rules and know kind of the parameters and the boundaries into which you can and can't go from the beginning could actually lead to efficiencies.

(07:33)

I think efficiencies and create some synergies, who knows Business side might think, Hey, we need to allocate this much to deal with the compliance aspects of rolling this new product out. You have someone in from the beginning, they may say, well, no, you don't really need to spend that much. You could do it a little bit differently and a little bit more efficiently. So I mean, we are all saying very similar things. I think the idea is to involve and assess compliance risk from the beginning, from the beginning of the rollout, a rollout of a new product or a new technology that your firm's thinking of, and it is also never too late, it is never too early, but it is also never too late in your own firms and your own businesses. Having compliance come in at the end of one of these projects and be a roadblock.

(08:20)

Sometimes that creates a culture where compliance is viewed as an obstruction to progress or an obstruction to growth, and that you really want to avoid that in your organization. These are, as everyone in this room knows, financial services sector is one of the high, most highly regulated sectors in the economy, and that's not going away. And your obligations are what your obligations are, and it is better to have compliance and risk integrated from the beginning as early on as possible into the business process of the firm as possible. I think that that can pay off in the long run.

Justin Mack (08:52):

Definitely. Tiffany, do you have anything to add?

Tiffany Magri (08:54):

I Do. I have something to add. So I think I just want to, because compliance people right there and having a tone from the top and having this culture for compliance. I am going to flip this back a little bit on compliance people, because you can't just be a no person. If you become the no person the next time projects come up or whatever, it is going to be a lot harder to get involved in that or for people to bring you in early. So as a compliance person, you really have to make sure that when you are brought in early, you have a very collaborative nature that you are going through with people. How can I do this? Don't just come in and say No, right? Let's look at it together. Let's go through the res. Usually if I start spouting res at people and it is a problem, they will, they will agree with me pretty quickly, but how can we solve this?

(09:33)

I have spent a lot of time talking to other compliance people or my team or the marketing team that we have gone through things and we have looked through things. We have decided to build stuff in-house because it didn't fit exactly what we needed. There is all these different avenues that you can go down and you can look at. And another great resource, and I know no one wants to do this probably. I mean, outside counsel's always fabulous. I use them a lot too, of course. But your regulators, if you are a BD or wherever you are, you have a dedicated resource. A lot of the times you can go to them and kick ideas off them and I would send things and hey, well I think it was Google ads or something years ago. I want to do these Google ads. How do I get these through to you?

(10:09)

These are my approaches. What do you think, remember to use these resources and remember to not just be that? No, because the number one thing I have seen surveyed time and time again, roadblocks to innovation start because of compliance. Compliance is the number one reason that people don't want to innovate and we don't have to can do hard things. I have done a lot of weird things that I never thought I was going to get through to be frank with you, but that it will can work. So just make sure you are doing your risk assessments and doing your evaluation.

Therese Craparo (10:35):

And I pick up on that. This happens to us a lot when we get brought in as outside counsel is nine times out of 10, I am talking to the IT folks, right? I am coming in and talking. I am not, there is compliance and there is legal, but I am talking to the IT folks and they are looking at me. They brought in the lawyers. We have to listen to the lawyers, but that what we find so often is that no one has sat down and said they spout the regulations of them, but no one has sat down and said, look, I need to accomplish these things from a compliance perspective. How do I do it? They they feel like is they get talked at like, do I have to do this? Or you can't do this. But when we sit down and say, you do weird things that you didn't think that you could do and say, okay, I this is have a problem that I think that you can help me solve because they are the ones who are going to figure it out, they are going to build it.

(11:25)

I am not going to tell them what technology to use to do X, Y, or Z. They will come up with all kinds of solutions, oh, we could do this, we could do this. I didn't know you wanted to do that. That makes sense to me now. Oh, well if you need to do this, I can do it this way. But a lot of times it is talking about being collaborative, but also making them your partner, that you are not just spouting at them, this is what you have to do or these are the rules, or I am saying, no, you can't do it. It is build this for me. How do I do it? These things, it is amazing when they feel like they are part of the process and they are actually being treated like a partner in the process, which they should be because responsible for some of the most important things within the organization, how many solutions will come about just by opening that door to them.

Justin Mack (12:08):

Very, very cool. And I talked about opening the door. We talked a lot about bringing in the folks who are providing those solutions from the jump, making sure that they have the understanding of what they need and building that in from day one. Let's talk a little bit about vendor management, which is also very, very important. And Kiran, I want to start things off with you. How important is it to have a sound vendor management program in place at your organization and what are the pitfalls if you skip that step or don't pay enough attention to that step?

Kiran Somashekara (12:35):

Yeah, this is critical for broker dealer friends. There is a lot of guidance out there from FINRA that's very explicit. FINRA treats vendors who are performing tasks that are delegated that need to be done by registered firms as associated persons of your firm. That's how they view them. And so almost all and coming zooming out from the broker dealer arena, almost all financial services firms and providers use some type of third party service provider in some function, sometimes very often to actually execute their compliance and risk functions on some level and their compliance programs. And the important but not always obvious takeaways that your firm and your supervisory personnel are ultimately responsible for the functions performed by these third party vendors. So it is really, really important to wait from the beginning. And Tiffany, the first question might be the one Tiffany offered earlier is like, do you work with financial services providers? But it is very important to wait the vendor that you are engaging and not just in the beginning, not just pre-engagement and confirm that they can and will accomplish and they are capable of accomplishing whatever it is that you are asking them to accomplish in a way that's going to be compliant with whatever regulatory obligations you have.

(14:02)

And not only at, like I said at the inception of the relationship, but then throughout the relationship vendor management includes testing and monitoring and keeping track of what your vendors are doing and making sure that the people within your own firms who are responsible for supervising those vendors know what they are doing as well and know how to ask the right questions and make sure and they are documenting their work. If the vendors, if you are using a vendor to, for example, if you are using an outside vendor to do your email surveillance or electronic communication surveillance, whoever internally at the firm that's responsible for supervising that function needs to know exactly what this vendor is doing and needs to know that the vendor is their reviews and their surveillance as is required. And the way to think about it really is in terms of documentation is if at some point in time, if a regulator FINRA comes to me as a broker dealer and says, Hey, give me all of your exception reports and what you did with them coming out of your email review, and you use a third party vendor to do that as the firm, you should know exactly what's going to be in those exception reports before you get that type of a request.

(15:21)

You should be comfortable with the documentation that they are creating is going to be satisfactory to the regulator and that it is going to have the information. And that's not only going to satisfy the regulator's request, but also enable you as the firm to audit and kind of supervise what your vendors are doing. Because ultimately the responsibility will come down to your firm and the licensed professionals and supervisors within the firm. It is never a good answer. I mean, I do a lot of investigations and enforcement cases and for clients, and a lot of times I have gotten the answer from a client, Hey, we hired X to do that. It is like, okay, well what did you do after that? What did you confirm that they were doing what they were doing? And unfortunately, I have run into instances where the vendor who was supposed to be doing X was not doing X in some cases, was representing that they were doing X and nobody caught it because weren't asking the right questions.

(16:19)

So this is a really, really key area, especially for smaller shops that do rely on outside vendors and don't have really deep infrastructure within their four walls. It is really critical that you develop a program to not only vet the vendors at the beginning, but then monitor what they are doing and confirm what they are doing throughout the process. And I don't have time, we don't today to go into the specifics of this guidance, but for those of you on the broker dealer side, or even not, if you just want to do some reading on this, there is NASD notice to members oh five dash 48 and then finra, regulatory notices 1114 1831. And the most recent is, I think the most recent one I saw was 2129 to get a regulator's perspective on this issue.

Justin Mack (17:07):

Absolutely. Yeah. So good required reading and what you said too, when you start working and developing that relationship with a vendor, they are essentially part of the family. I get tons of, in my work as wealth tech reporter, a lot of press releases about so-and-so's partnered with this person and this group is integrating with that group. So they are now part of the family and you have to take on to use that cliche, that culture of compliance. You are then taking on their culture of compliance or non-compliance should they be doing things that they aren't and you are not following up. So I want to kick it back to Tiffany. What are some other questions that you should be asking that great, when you started, do you work with financial services? That's a great way to start. What other good questions should firms be asking before they even start that relationship?

Tiffany Magri (17:48):

Yeah, I think the number one thing, I started a program years ago and it was just taking an inventory, starting an inventory of where your vendors are, where you are in your relationship. If you haven't gone back and looked at them in the last year, two years, three years, five years, it is probably time. Can they still perform the functions that you need them to perform? Do you need them to perform more functions? Can they meet those requirements? Has what? What's changed in your business that you might need to think outside the box and be like, you know what? I need a new vendor for this. Additionally, I think it is so important to size your vendor management program. If you have someone who's dealing with your client's information, has all your email in their system, obviously we take that very responsibilities, very, very, they are very important, right.

(18:34)

Cybersecurity is a hot new, and if we are going to talk about required reading, so we have several rules coming out around cybersecurity and call, I call it cyber compliance because everyone here should have cybersecurity. Alright, if you don't please get it quick. But if you have not read the I am, like I said, cyber compliance, well, there is a whole bunch of proposed rules right now for the BD side. Rule 10, the RIA, and I think it is a couple other people obviously have another rule pending. And additionally we have an outsourcing rule for RAs. So go take a look at those, figure out what your obligations are in your compliance department will have to do with cybersecurity and vendor management. you are going to want to have a handle on these things. When these girls drop, trust me, they are pretty hefty there. There is a lot. But you are going to have reporting requirements. These things are going to be put into your documents. you are going to have to notify clients if you have a cybersecurity breach. So if you are working with vendors and you haven't thought about, hey, who are they talking to? Where are they storing my data at? We store a lot of our data with AWS, well, obviously AWS pretty secure from a cybersecurity standpoint, but do you know where everything is being kept? So really think through some of those relationships as you are asking those questions and doing those vendor management risk reviews.

Justin Mack (19:39):

Indeed. And then it is question to you, what other questions, things to keep in mind before folks end up in a courtroom? What good questions should they be asking from the start?

Therese Craparo (19:48):

The one thing I wanted to pick up on is that we often get from folks this feeling that, well, if it is technology that it must do what they say it does, nevermind the service part of it. If it is technology and then well, they wouldn't tell us it does that if it does not do it right. Of course they wouldn't do that, will tell you anything to get you to buy their product, right? I mean, that's what they do. They will tell you they can give you the moon always. You cannot rely on the representations of whoever is whatever vendor it is. They may have the best intentions and they may think it actually does the thing that they are telling you that it does. You have to test it. You, like Karen said, you are responsible for whatever it is that they are doing. So you can never take at face value. If somebody says that it does, and I am sure it is fine, of course they wouldn't tell us that it meets that regulation. If it does not meet that regulation, yes, they would. So you have trust but verify trust. You have to test it, you have to verify it yourself there. It does not fly for to look at the SEC and be like, but the vendor said they fine. Right? Well, the vendor had a certification. So says it didn't work. It didn't work. It does not matter what the vendors said. Yeah.

Justin Mack (21:07):

So it sounds like in court, trust me, bro, isn't really a big offense that's not going to get it done.

Kiran Somashekara (21:13):

Just to add one note to that, right? And it sounds like an easy concept to understand, but it is not. It is more challenging in implementation than it sounds, especially for smaller shops because a lot of times the reason you are, you have a vendor in the first place and you've engaged a vendor is because you don't have internally the infrastructure, the resources to carry out that function. So it is not an easy thing to make sure that you are supervising and understanding what your vendors are doing and testing what they are doing. But you have to do it. And you have to have people, your licensed principals within the firm have to have the capacity to at least vet what they are doing. And then the documentation is critical. It is not just monitoring. And I had a client that once a year sat down with a vendor that was responsible for a couple of functions. They went through a half an hour meeting, checked a couple of boxes, moved on, and guess what? They missed a lot of stuff. And four years later, now it is an issue. And so it is not an easy thing. It certainly has its challenges, but it is a requirement. It is necessary certainly on the broker dealer side, but I would say for anybody in this space.

Tiffany Magri (22:27):

Absolutely. And I think the new out, sorry to interrupt. I think the new outsourcing rule is going to require you to redo certain activities that you are outsourcing at least annually. At least annually. So that's a lot of updating of those vendors, risk manage. So just keep that in mind when you are going through there because you need to make sure you are asking the right questions, you are documenting that process, and then you can show, hey, here, because I have this rule that says now I have to do this annually. Here's what I did. I can prove it. Here's my paperwork, here's my email, whatever it is that you want to use for documentation.

Justin Mack (22:55):

Oh, fantastic. And then kind of the last question I wanted to ask is this concept of compliance as a potential vehicle for growth, is there a way to really champion your firm's compliance acumen and their strength as a way to appeal to or attract customers in some way? I don't know how you would do that. I don't know if it is a big sign over your firm that says, no SEC fines in this many days. I don't know if that's a way to do it, but how do you really make it clear that we take compliance seriously? We are doing it well. We are doing all the things that our panel has explained today. Is there a way to capture the attention of clients and prospects with your compliance strength? And actually, I'll kick things off, Tiffany first. Any ideas on that?

Tiffany Magri (23:38):

I think the first thing that comes to mind, I have been reading a lot about is there is been a lot of people who just haven't had as much faith in the integrity of a lot of the big firms these days. We have seen it time and time again where people are moving to different platforms. There is been a massive shift of people going from the age old. I have my investor, they have all my money to now I have Robinhood, I have this here. Just the wealth is being spread out. So it is just a very changing different change in the dynamics. And we see a ton of people going and using social media in new ways for this. You want to invest with someone, and I would want to work with someone that I know and that I see and that I talk to. So a lot of advisors are now out there using social media, using education, and I, I'll fully admit that I use Fidelity, but they do a great job of doing tiny little educational videos on TikTok.

(24:24)

They are my favorite one was they were explaining mutual funds to, obviously they were very young girls doing this on a TikTok video for a very younger audience, explaining a mutual fund by using a Burrito and showing all the different things that go into a Burrito and how it makes it mutual funds. And I am like, this is fabulous. First, it is not going to be a compliance nightmare because educational only, but it is going on TikTok, so you still have to capture it, but they are just cutesy little things that are reaching their audience and speaking to them in a way that they want to be spoken to. So having those little tidbits that where your people are and how to talk to them, whether that's younger generations on TikTok or talking to people on LinkedIn, how, put some thought into that. Where are your people out? How do they want to communicate? And I'll say the number one red flag to me, anytime I talk to people and they are like, you know what? We don't use text messaging. We prohibit it. I am like, have you read any of the fines? If someone's telling me that you are not allowed to use text messaging and you are sure that they are not, I would say, go back and double check that. Because these type of communications and how people want to talk, I don't make phone calls anymore. I text. So be very cognizant of the way people are communicating.

Therese Craparo (25:32):

From my perspective, the number one thing that people are looking for, including big investors to down to individual people, is the security of their information. This is everywhere. You can use compliance from the perspective of a compliant, our technology protects your data. We are compliant, we know where your data is. We know, I mean, you have to actually be able to do this in order to say it, but from a marketing standpoint, from a growth standpoint, big investors care a whole lot about you protecting their information and you keeping it confidential. That is a selling point for them. If you can say, we know that we are compliant, we know that we have your data protected. It is a combination of cybersecurity, but it is also the technology. So part of it is that, but the other part of it is when you we are all, everyone's trying to sell, right?

(26:27)

We are cutting edge on technology, we are ahead of the pack. But when you can say, look, we are not taking a risk with your information. We have strategies in place for implementing new technologies, for staying cutting edge, but not taking a risk with the security and the quality of your data, we are ahead of the pack because we have already invested in this. So we are not just investing in the technology, we are not just out there trying any new things so we can get it out there and be the first ones we we are investing in. Getting to that point, being cutting edge, but also being compliant and making sure your data is protected, that is a competitive edge. If you can say that and you can prove that that's what you are doing, that's a big selling point for a lot of customers.

Tiffany Magri (27:13):

Yeah, reputation so important I think, is when we are talking about risk from a compliance perspective, we forget about reputation sometimes, but your reputational risk if you are going through enforcement action, I mean, these things are now plastered all over your client disclosure documents, and some of us read them. So it is there. And that's going to be part of the cybersecurity role. Just if you don't go back and read those rules, you will have to disclose these things. And if I went back and I saw in some of my documents that my firm had repeated cybersecurity instance, I probably would consider if I was going to keep my personal information with them.

Kiran Somashekara (27:44):

Yeah, I think I am mean as a guy who defends, again, investigations and enforcement actions, the traditional loss mitigation can also be a vehicle for growth. The idea that you want to protect your firm, protect your client's assets against, you, want to protect your firm against regulatory enforcement. I mean, just listen, the cryptocurrency industry has been driven by almost nothing but technology and technological change over the past however many years. You can see we, have seen the dramatic rise and equally or even more dramatic fall of various entities and individuals in that space. And in the most infamous of these FTX, a lot of what I have read, at least I am not involved in that case, but a lot of what I have read about it is the allure of technology and innovation created this 23 billion operation without really the controls to support even a hundredth of that size of an operation.

(28:50)

No compliance controls, no risk controls. I don't know who was what other issues that operation had, but there you have an example of chasing innovation and growth without really thinking about the other side of it, or at least thinking about how to complement that with an adequate compliance infrastructure. And the whole thing blew up in three years, three or four years, and you know, can just open the newspaper. Now you find a new article and a new lawsuit every day in that space. And a lot of that growth was driven by technology without an eye towards compliance and risk. And here we are in 2023.

Justin Mack (29:30):

And here we are indeed. So thank you guys all again. Any questions for our panel as we wrap up today's discussion? All right.

Tiffany Magri (29:42):

you are allowed three.

Justin Mack (29:47):

Alright, I'll facilitate. I am a one man show. What do you got?

Janet Santuccio (29:51):

So Janet Santuccio from TIAA. So we are an RIA, we are a BD and we are an insurance company. And so I just recently last week was anointed a new role to be the Advice Liaison with LRC, no legal risk compliance and oversight. And so I am dealing with Erisa, FINRA insurance, sun America exemption, computer model exemption, Reg BI, duty of care, 45, 30 committees. And I am just wondering, it is a lot, two, one at a time. So all that at a time, two questions. A lot of why this role was formed is because we have so many different partners that we have to interface with. And so I am wondering if you have any guidance on how is it best effective to work across multiple regulatory bodies or internal partners. And then the second question is more around, I keep hearing the business can accept the risk, the business can accept the, we are here to provide guidance and counsel, but the business can accept the risk. And that Tiffany is the reaction that at least my team has is so how much risk appetite do we have to accept? And so I don't know if either of those two questions are fair, but if you have any insights on either of those, I'd be interested.

Therese Craparo (31:13):

On the risk question. And I think this is what is always really important. There is a difference between accepting risk and a regulatory violation. And I think that's the hard line to balance, right? Because I think the truth is it is the business who accepts the risk, right? That's true everywhere. But risk does not mean we are going to violate this law and then hope we don't get caught. That's not accepting risk.

Kiran Somashekara (31:42):

And it is not what that.

Therese Craparo (31:44):

There are lines we draw, right? Risk is, but risk is about you educating. So this is the rule, this is what we can do to comply. It is not going to be perfect. It happens 99% of the time. We get as close as we can. Where are we willing? How far are we willing to go? But there is a line that has to be drawn, we have to comply. And then the question is how do we comply? And there will be risks in that. And sometimes we have controls that are manual, which might be hard. Sometimes we do controls that are technical that might be more expensive and take longer. So I think part of it, when we always hear people who talk about that, and that is every organization everywhere is about educating where is there a line? We have to do this, but the risk is in how are we doing it and where the gaps may be and how we manage those gaps.

(32:39)

And it is for the business to accept that right mean, and that's perfectly acceptable. There is nothing wrong with that. I think the hardest part always is in making the line clear that here, this is what we have, this is the rule, whatever that rule may be, here's our options for combined and that business can accept within that boundary where they are willing to fall. But I think that's what always what I talk about. It is giving them the options and educating the business on what it means to accept the risk. And then they can make their choices from there. But it is still the hardest part is drawing the line to say, I am not saying you don't have to do this. I am saying there is different ways to do it. Some of them are easier, harder, more expensive, and way.

Justin Mack (33:19):

Absolutely. All right. And then just in the sake of time, we'll go to our last question here. What do you got sir?

Audience Member 1 (33:24):

It is question in the comment, I have run technology, several broker dealers. So I would say it is more than just, is my data secure? You have to say, is my data encrypted is what? You have to go down another layer because secure is relative and people can say whatever you want. You also need to understand, especially in this group, if you are running a set of technology already, are you integrated to what I have? Can the things talk? So you almost have to have an understanding of the inventory of what's in your current technology portfolio and then figure out how to work within that context. The other comment that I was going to make was, especially around you say texting, it is just more than texting. Now, WhatsApp, WeChat telegraph, slack, there is 16 different channels and you can't just tell people, don't do it. And I do that with my kids, good luck.

Tiffany Magri (34:15):

You have to prove that they are not doing it. You can't just say you are not doing it anymore. You have to prove that you are actually not doing that. And that becomes a series of very manual processes. So if you can pick one or two, like WhatsApp or WeChat that people really want to be on, and you can bring those into compliance, you are going to save yourself so much. It is going to be so much more efficient for you.

Audience Member 1 (34:32):

Actually, there are technologies now that will enable all the channels. Yep. If anybody, yeah.

Justin Mack (34:39):

Alright, well I want to thank you all for the questions and again, a round of applause for our wonderful panel in today's discussion. Thank you so much. Thank you Justin.