Success is in the details

Policy is a fully customizable feature that defines parameters based on language content, through which an electronic communication is captured. Using the concept of context in language, policies can control email, file, and Web activities in your environment. By editing the parameters of a policy, clients have total flexibility to control and capture user behavior, whether for regulatory supervision or data loss prevention. To operate an effective supervision process, you must maintain and progress your supervision policies and scope based on current firm activity and regulatory changes. Under the Technically Creative Policy Program we work with you to define and create targeted policies on current or past matters. Emphasis is placed on policy accuracy that results in a low volume of hits to minimize reviewer impact.
The Financial Industry Regulatory Authority (FINRA) Rule 3010(a) states: “Each member shall establish and maintain a system to supervise the activities of each registered representative, registered principal, and other associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable NASD Rules. Final responsibility for proper supervision shall rest with the member.” FINRA Rule 3010(a) essentially requires firms to maintain a system to supervise transactions and correspondence with their users. Companies should establish and maintain a supervisory system with written procedures, reviewing incoming and outgoing electronic communications on a regular basis.
The International Traffic in Arms Regulations (ITAR) outlines in § 120.27 (8) U.S. criminal statutes, Part 126 General Policies and Provisions, and Part 127 Violation and Penalties, the actions to be taken should such sensitive information be sent to unauthorized individuals or entities. This can include other non-registered firms, non-associated individuals, or individuals with potential ties to terrorist organizations. Communication surveillance is an integral tool that provides a secure defense to ensure minimal risk in terms of data loss prevention.


When a client determines that there is an assessed risk that can be mitigated by the creation of a policy, we work with the client to determine the focus of the policy.

TC needs to know the who, what, where, and when:

Who is the policy being applied to (globally, or only to certain groups)? Who is being excluded from the policy (if anyone)?

What content are we looking to capture? What is the overall objective of this policy?

Where are we looking for this content? (Email subject, body, or attachment, in web activity, in a file on a share, or sent to a printer?)

When do we want this policy to apply? (When sent externally, when one individual sends to another individual in a different department, or when at least 1 external recipient is on the communication and an attachment is present?)

These requirements are gathered from the client at which point a policy architect will determine the final piece:



Once the client has conveyed what they would like in a policy, the policy architect determines the best way to build the policy so that it meets the requirements.

This plan is reviewed with the client to ensure that they agree with the approach.

Once the client approves of the plan that has been laid out, the policy architect begins to build the policy in an in-house development environment.

Once this has been completed, TC performs in-house testing in an environment that has been created to replicate that of the client.

Once in-house testing has been completed, the policy parameters are documented and distributed to the client for release into their environment.

From the in-house development environment, the changes are then moved into the client’s test environment. This is done by copying and pasting the changes from the documentation provided by the policy architect.

Specific processes relating to user acceptance testing (UAT) are unique to the client.

Once client testing is completed, the final version of the policy is documented by the policy architect and distributed to the client. Specific client documentation is also created at this time.

Once the client has signed off on the functionality of the policy, the parameters of the policy are provided in the New Policy Release document. All aspects of the policy have been tested in a development environment.

The New Policy Release document outlines the granular details in an easy-to-read format for reference, release, and compliance purposes.

Since this is a technical document, a “plain English” catalog version is also written and distributed. It outlines the purpose of the policy, how the policy achieves this purpose, and a simple explanation of how the policy works technically.

Once the client’s review of the documentation is complete, the documents are sent to the requesting bodies at the client for approval to release to production.

Change Request: Each client varies; however, we work with the client through the approvals that need to be attained before a release to production.

Release: The changes are released to production by a designated individual. After all changes are released, the designated individual verifies that there are no errors reported in the activity log.

Our policy architects possess years of experience in keeping up with changing regulations and industry trends and are prepared to build your company a custom policy. We offer services professionals who can, on an ongoing basis, maintain and refine your policies to eliminate the risks of false positives. Technically Creative has the experience, expertise, and dedication to the refinement process to maintain, refine, and build custom policies to fit your business’s needs.

To learn more about the TC Policy Program, schedule a 15-minute discovery call today with Technically Creative Experts.