The review focused on three institutions, namely Danske Bank, Jyske Bank and Nykredit Bank, and had as its objective an evaluation of whether recordkeeping rules were being followed by the firms.
Specifically, the Danish regulator was interested in the capture and retention of voice communications and electronic messages, as well as employees' use of personal (BYOD) devices and unauthorized communication channels.
Under EU regulations adopted by way of an executive order in Denmark, all phone conversations and electronic messages that may lead to either a transaction or the provision of services connected to a client order must be captured and retained for a minimum of five years. These recordkeeping obligations are still mandatory even in instances where no transaction actually takes place or no services are provided by the firm.
Firms must also have in place written policies detailing their recordkeeping systems and processes. These must be aligned to and appropriate for the size and organizational make-up of the firm.
While all three firms were found to have systems and policies addressing both their recordkeeping obligations and the use of unauthorized communication channels, the regulator also uncovered some potentially serious compliance issues. We have summarized these in the table below.
| Issue | Findings | FSA expectations |
| --- | --- | --- |
| Business procedures | Procedures are difficult to navigate and read. The prevalence of manual systems for the capture and retention of communications means that too much responsibility for complying with the rules devolves to individual employees. | The responsibility for compliance sits with the firm rather than with the individual employee. Systems with a lower degree of automation carry a much higher risk of error, so automated systems for communications capture should be introduced instead wherever this is practicable. |
| Employee training | Employee training and education is required by regulation, but only one of the three firms participating in the review was able to demonstrate that it had annual training in place. | For a firm to comply with its recordkeeping requirements it is crucial that employees are fully aware of the requirements and of the importance of following the operational processes in place at the firm. Training should be ongoing and aligned with the specific needs of employees as well as with the size and structure of the firm. Adequate training is even more important for any firm employing semi-automated or manual systems, where compliance depends on the actions of individual employees. |
| Private devices/use of work devices for private purposes | The use of private devices, or the ability of users to use work devices for purposes other than those connected with their work, increases the risk of (i) the use of unauthorized means of communication and (ii) the failure to capture relevant records. It also limits the control the firm can exercise over employees' communications. The regulator is especially concerned about two practical scenarios: 1. conversations that straddle both private and business matters, where the business matters are not captured as a result; and 2. the installation and use of ephemeral messaging apps on work devices, leading to entire communication channels not being captured. | Although not an explicit recommendation, the regulator seems to be advocating against a BYOD policy at firms. The FSA also suggests that access to communication channels not authorized by the firm should be blocked on work devices, with WhatsApp, FaceTime and iMessage specifically named as apps that cannot store records. |
| Recordkeeping compliance controls | Qualitative controls ensuring that communications are captured, stored and can be found when necessary are lacking. Human error was the primary cause of an error margin rate of between 30-40%, with only one dealer able to find records connected with all the trades the regulator requested. | Dedicated controls should be implemented and carried out on a regular basis, with their frequency and scope risk-based and proportionate to the size and complexity of the firm. Control results and any internal risk assessments should be taken into account when deciding on the frequency and scope of the controls. A high level of automation in recordkeeping systems is recommended, with robust record policies in place to help identify instances of unauthorized communication channel usage. Where errors stem from technical problems, a review of the firm's technology should be the starting point in determining what mitigating measures are required. |
In addition to WhatsApp, FaceTime and iMessage, Signal and Telegram were identified by the regulator as "unapproved channels" of communication that lead to failures by firms to comply with their recordkeeping obligations.
Following its investigation, the Danish FSA has issued orders against each of the three firms whose systems and processes were reviewed.
Danske Bank and Nykredit Bank have been ordered to establish dedicated qualitative controls to monitor their compliance with key recordkeeping requirements.
These controls must ensure that conversations and electronic communications connected with transactions and client orders, and subject to recordkeeping requirements, are actually stored and can be found; they must also confirm the quality, accuracy and completeness of the records that are captured. The controls must be risk-based and proportionate, reflecting the size and complexity of each firm.
In the order against Nykredit the regulator has noted that the bank has already implemented the necessary controls following the receipt of a draft order.
The number and nature of problems at Jyske Bank led to the regulator concluding that the bank’s recordkeeping systems and processes, particularly those connected with employees who utilized manual systems, were inadequate.
Jyske Bank has been ordered to review and improve both its systems and its processes, and to consider whether a system with a higher degree of automation would be more appropriate. This demand for the potential implementation of an automated system has been made despite the regulator acknowledging the legitimacy of concerns about unnecessarily intrusive recording of employee communications.
The regulator suggested that if the bank determines that a manual system is still appropriate, other areas of its compliance operations must be improved in order to reduce the incidence of recordkeeping gaps and issues. The order also included a warning that if improved compliance outcomes cannot be ensured, the bank will be required to implement a system with a higher degree of automation.
According to Ander Balling, Danish FSA deputy director general: “Records offer, among other things, proof that the transaction that the securities dealer has executed corresponds to the customer’s order. They are also important for being able to reveal and prove any market abuse.”
He emphasized that the responsibility for ensuring that recordkeeping requirements are met ultimately lies with the firm and not with the individual employee, and that this means it is the firm's responsibility to ensure that employees have the prerequisite knowledge and training, as well as the tools needed to ensure that records are captured, for example by providing training and a higher degree of automation in the systems used.
Important note: The thematic review, the announcement and the orders were published by the Danish FSA in Danish and have been translated into English by the GRIP team. Any errors introduced in the translation are our own.