Computerized Compliance: Savior or Intruder?

Several top executives of UBS, one of the world’s biggest banks, resigned in disgrace this fall following the announcement that a very junior rogue trader in the London office had managed to lose the astounding sum of $2 billion.

Government regulators had already been pushing banks to make sure they knew their risks and commitments at all times. Clearly, UBS didn’t have the automated systems in place that would have alerted higher-ups to the exposure. Some critics asked how an individual ETF trader could have authorization to take such a huge risk. Presumably UBS had set limits for each level of trader, but a flaw in the system let the man keep increasing his exposure.

Automating compliance in the world banking systems should be a no brainer. With the velocity and volume of transactions, only computers can make the trades, and only computers can monitor them. Some regulators buy real-time market surveillance monitoring from Progress Software, the same company that provides real-time trading software to investors (and the sponsor of this blog).

But computerized compliance can be a two-edged sword. It can be so restrictive that traders can’t do their jobs of creatively managing risk.

And when corporate managers start pushing their CIOs to monitor compliance in other areas they can get into difficult areas of employee privacy. MIT research fellow Michael Shrage, recently wrote in Harvard Business Review that, “very few CIOs want to become the ‘Chief Interrogation Officer’ or ‘Chief Invasiveness Officer.’ But those are roughly the roles they're being asked to assume as the enterprise dependence on their technologies expands.”  He points to requirements to monitor e-mails and text messages for disclosure of secrets or terms of harassment.

Most companies make it clear to employees that they should have no expectation of privacy for anything they do on a corporate computer or corporate network. And workers are coming to understand that anything bad that they say about their companies on their private Facebook pages or Twitter feeds could get them fired.

The issues of compliance and privacy are becoming more difficult as companies increasingly allow employees to use their own technology, such as iPads and iPhones, on the corporate network. It’s very easy to accidentally write an intemperate e-mail or forward an inappropriate picture with your corporate account rather than your private HotMail.

The ability to monitor all kinds of electronic activity by employees makes it tempting for companies to do so. But they need to carefully consider exactly what they want to monitor. And they should let employees know the boundaries.

Some companies have adopted loose guidelines. Microsoft’s unofficial policy on employee blogging is “don’t be stupid.” But with Millennials entering the workforce, understanding of what is “stupid” may be lacking. Someone has to warn them that lines that were clever on their semester-abroad blog might be offensive in a work Wiki.

Computerized compliance is a necessity in many functions. But companies need to consider carefully what they monitor and what they do with the information they gather.