This week, news broke that LPL Financial and Ameriprise Financial were each fined $50 million by the U.S. Securities and Exchange Commission (SEC). The enforcement actions centered on the firms’ failures to maintain and preserve records of business communications sent over unapproved channels such as text messaging, WhatsApp, and personal email. 

The cases against LPL and Ameriprise shed light on significant gaps in data compliance that just can’t fly in today’s regulatory environment. With the SEC turning up the heat on electronic recordkeeping practices, the risks of lax monitoring and data governance are crystal clear. 

And as firms gear up for the rollout of Microsoft 365 Copilot, seamlessly integrated into productivity and compliance workflows, ensuring top-notch data compliance has never been more critical.  

It’s essential for all SEC-registered firms to take note of the hard lessons learned from the LPL and Ameriprise incidents to avoid falling into the same costly traps. That’s why, in this article, we will explore vital lessons firms can learn from these examples, especially firms considering implementing AI productivity tools like Microsoft 365 Copilot.  


When Unauthorized Messaging Apps Blow Up Your Data Governance 

At the crux of the SEC’s enforcement actions against LPL and Ameriprise was their inability to properly archive and supervise communications across digital channels like text messages, WhatsApp, and personal email/apps.  

The SEC has been quite clear on the need to capture electronic business communications. Its OCIE Risk Alert on Electronic Messaging flagged this as a key focus area for examinations of investment advisers and broker-dealers. 

The underlying authority is Section 17(a)(1) of the Securities Exchange Act, which lets the SEC mandate recordkeeping requirements “necessary or appropriate in the public interest, for the protection of investors.” Rules 17a-4 (broker-dealers) and 18a-6 (security-based swap entities) then require that electronic records be preserved either in a non-rewritable, non-erasable (WORM) format or in an audit-trail system that can reconstruct the complete history of each record. 

Vital Lessons Learned from LPL and Ameriprise Cases 

A few unmistakable themes emerge from examining the LPL and Ameriprise cases side-by-side: 

  1. Firms cannot turn a blind eye to electronic communications happening outside approved channels and systems. The SEC expects complete records regardless of messaging platform. 
  2. Having policies prohibiting the use of unauthorized apps is not enough. Effective technical controls and monitoring processes must be implemented to actually enforce those policies. 
  3. Recordkeeping is about more than just archiving data – it enables proper supervision of employee activities, securities transactions, investment recommendations and protection of clients. 
  4. Compliance management, at its core, hinges on capturing and governing all electronic data flows within the organization. Gaps or lapses fundamentally compromise the entire compliance framework. 

For SEC-regulated entities, these recent cases are a bracing wake-up call. Data governance, electronic communications capture, and proactive monitoring must become embedded into the DNA of compliance programs going forward. The penalties and reputational damage are simply too severe to ignore these risks any longer. 


Considerations for Firms Planning to Implement Microsoft 365 Copilot 

As firms consider adopting Microsoft 365 Copilot across productivity workflows, rigorous data governance is crucial. Microsoft builds responsible-AI safeguards into Copilot, but those safeguards do not satisfy a firm’s recordkeeping obligations; the firm itself must ensure that prompts, responses, and any content generated by the underlying language model are captured, retained, and supervised like any other business communication. 

Without robust data compliance controls from the start, a new stream of AI-generated content that sits outside the archive would recreate exactly the recordkeeping gap that burned LPL and Ameriprise. Firms should treat Copilot’s rollout as an opportunity to modernize outdated governance frameworks rather than bolt it onto them. 

Luckily, Microsoft has tightly integrated Copilot with its Purview eDiscovery compliance tooling. Purview provides end-to-end data lifecycle management – preserving, collecting, analyzing, reviewing and exporting content across Microsoft 365. With Copilot outputs flowing through this monitored system, firms can bridge AI’s productivity upside with essential compliance guardrails. 

To help firms maintain compliance as they adopt Microsoft Copilot, key Purview features like labeling and auditing have been updated to work seamlessly with the AI assistant. Customers with Office 365 E3/E5, Microsoft 365 E3/E5, or Business Premium subscriptions will be able to audit and discover prompts fed into Copilot through Purview’s integrated capabilities.   


Safeguard Your Firm with Agio’s SEC Cybersecurity & Copilot Expertise 

The penalties against LPL and Ameriprise Financial serve as a wake-up call that the costs of noncompliance with data regulations are unacceptably high. Firms cannot afford similar missteps, especially as paradigm-shifting technologies like Microsoft 365 Copilot become commonplace.  

That’s why expert guidance is essential for navigating evolving data compliance mandates.  

Our team provides comprehensive advisory services to help firms develop holistic strategies for responsible AI adoption: 

  • Data governance roadmap development aligning with current and future regulations 
  • Design and implementation of Purview eDiscovery solutions integrated with Copilot 
  • Copilot policy setup, security configuration, and change management planning 
  • Technology deployment services, and technical adoption support 

Additionally, Agio’s partnership with Global Relay provides archiving solutions to capture communications across unmonitored channels like WhatsApp, personal email, and text messaging. This comprehensive approach ensures all Copilot inputs and outputs exist within a governed, auditable environment aligned with evolving data compliance standards. 

With extensive knowledge of the SEC’s expectations around electronic data compliance, Agio ensures firms have the processes and technology solutions to mitigate risks – enabling secure adoption of AI while avoiding the pitfalls of LPL and Ameriprise. 

The threat of multi-million-dollar enforcement actions certainly gives firms motivation to get data governance right. But the imperative extends beyond just financial penalties to protecting professional reputations, client trust, and the fundamental obligation to safeguard investors’ best interests.  

Contact us today to make your AI adoption SEC-compliant from day one.