Over the years we've repeatedly sought guidance on financial email compliance. We've scrutinised the NCCP Act (2009), NCCP Regulations (2010), Privacy Act (1988), Corporations Act (2001), ASIC Act (2001), and other pieces of legislation numerous times looking for a definitive answer on how email is best structured, maintained, and archived, but we've never received or found one. Our failed attempts to find legislation or case law that resolved our queries to our satisfaction led us to contact friends in various finance alphabet organisations, but their responses provided no resolution whatsoever, with answers that were often (and in principle) diametrically opposed. The nature of legislation leaves the entire issue open to interpretations so broad that the regulators seemingly won't condemn what is often clear misconduct.
We're trying to encourage the industry to lift its own standard and apply best-practice (or at least better-practice) methods that will withstand the scrutiny of audits, customers, and upline banks. What we come across on a daily basis from new brokers is often a mess of non-compliant email practices that absolutely has to come to an end. So, this article was necessary as a precursor to an article that introduces Yabber's Email Marketing Module (and SMS Module), because it describes why certain decisions were made in the Platform's unique and powerful design.
There are some very clear requirements attached to your obligation to retain email, such as Section 4H of the Consumer Credit Administration Act (1995), which requires brokers to preserve records for a period of 7 years. Certainly, the only real-world and reliable means of maintaining a fully-compliant presence is to have a full and complete record of all email in a single email archive (fully indexed and searchable via an API). If you're one of those brokers who is using a Gmail or Hotmail address (yes, they still exist), or you're led into non-compliant marketing conduct via email marketing services such as MailChimp (or any other third-party product), you are objectively failing to satisfy the most basic of privacy and record-keeping obligations.
ASIC's Regulatory Guide 235 makes mention of a 'Monitoring and Supervision Framework' as part of its internal systems guidelines for authorised credit representatives. This is an interesting section of the document because ASIC refers to the "unacceptable risk that you may not comply with all of your obligations as a credit licensee". What oversight does an aggregator or ACL holder have over an individual who operates autonomously and without direct supervision... and what email/document access should they have to ensure their downline brokers' compliance? Certainly, use of MailChimp, Kartra, and other third-party products like them, as previously mentioned, is fractionalising business operations, sending marketing emails in a manner that is objectively in violation of best practice, and providing no quality-controlled audit trail. Needless to say, use of these generic email platforms also removes your ability to apply funnel escalation and conditional features; it's just a bad solution.
The BeliefMedia Approach
Having failed to receive an answer on how compliance should be managed, a number of years ago we essentially created our own standard based on the mandated requirements of legislation and those conditions implied by the Privacy and other Acts. Because email is at the heart of your business, and since it facilitates the sensitive conversation between you and your client, it is one of the first records called for during an audit. What many brokers fail to consider as part of their audit trail is that the conversations they have with clients include all marketing emails that might be sent before a real-life relationship begins (including communications such as autoresponder programs, RBA emails and company newsletters). The only way that this email correspondence can be efficiently managed (as we've implemented with all of our systems) is to utilise a cloud-based Microsoft Office 365 service where email is protected and archived in a secure environment. Additionally, this method ensures we only ever have a single source of email - your personal (or assigned 'support') email account. This isn't just about removing the nonsensical email branding associated with paid third-party systems; it's about utilising a single-source and fully integrated email system for sending and receiving all your email. In fact, the default option employed by Yabber means every email you send - regardless of source - will make its way into your 'Sent Items' folder, although you may turn off this feature (since all email is available as a single archive, and may be downloaded in any format for audit purposes).
Accessing a full and complete record of all client emails often proves problematic if there's no retrieval system in place, but the Microsoft Graph API makes accessing, filtering, and searching all emails in your communication history a simple process. The need to access emails in an audit-friendly format is the reason we recently built a tool that generates a single PDF report of all email communication with a defined client. From an upline ACL or aggregator perspective, this approach provides email supervisory and audit capability at the click of a button.
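The following is an added example of the retrieval step described above; it is not Yabber's tool or BeliefMedia's code. It assumes the Microsoft Graph v1.0 `/me/messages` listing shape (a `value` array plus an `@odata.nextLink` for the next page) and leaves the authenticated HTTP GET to a caller-supplied `fetch_page` callable, so the module itself runs offline against two constructed response pages. The date filter, `$orderby`, `$select` and `$top` query options are assumed to behave as documented for Graph; the per-client match is done locally so that sent, received and cc'd copies are all captured, and duplicate copies of one message (for example the Sent Items copy) are collapsed on the RFC 5322 Message-ID.

```python
"""Collect an audit trail of every message exchanged with one client from
Microsoft Graph mail listings.  Added illustration; not BeliefMedia/Yabber code.
Assumption: Graph v1.0 /me/messages returns {"value": [...], "@odata.nextLink": url}.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

GRAPH_MESSAGES = "https://graph.microsoft.com/v1.0/me/messages"
RETENTION_DAYS = 7 * 365  # the article's seven-year retention window, in days (leap days ignored)


def build_first_page_url(since: datetime, page_size: int = 50) -> str:
    """First listing URL: everything received on or after `since` (an aware datetime), oldest first.
    Assumption: Graph accepts $filter on receivedDateTime together with $orderby/$select/$top."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {
        "$filter": "receivedDateTime ge " + stamp,
        "$orderby": "receivedDateTime asc",
        "$select": "id,internetMessageId,subject,receivedDateTime,from,toRecipients,ccRecipients",
        "$top": str(page_size),
    }
    return GRAPH_MESSAGES + "?" + urlencode(params, quote_via=quote)  # spaces as %20, not '+'


def _recipient_addresses(message: dict, key: str) -> list:
    return [r["emailAddress"]["address"].lower()
            for r in message.get(key, []) if r.get("emailAddress", {}).get("address")]


def involves_client(message: dict, client: str) -> bool:
    """True if the client is the sender or a To/Cc recipient (case-insensitive match)."""
    client = client.lower()
    sender = message.get("from", {}).get("emailAddress", {}).get("address", "").lower()
    return (sender == client
            or client in _recipient_addresses(message, "toRecipients")
            or client in _recipient_addresses(message, "ccRecipients"))


def collect_client_trail(fetch_page, client: str, since: datetime, page_size: int = 50) -> list:
    """Walk every page, keep messages involving `client`, drop duplicate folder copies of the
    same message, and return rows in chronological order ready for a PDF/CSV audit report.
    `fetch_page(url) -> dict` is the caller's authenticated GET (token handling lives there)."""
    url = build_first_page_url(since, page_size)
    seen, trail = set(), []
    while url:
        page = fetch_page(url)
        for m in page.get("value", []):
            if not involves_client(m, client):
                continue
            key = m.get("internetMessageId") or m["id"]  # Message-ID survives copying between folders
            if key in seen:
                continue
            seen.add(key)
            trail.append({
                "received": m["receivedDateTime"],
                "from": m.get("from", {}).get("emailAddress", {}).get("address", ""),
                "to": _recipient_addresses(m, "toRecipients"),
                "subject": m.get("subject", ""),
                "message_id": key,
            })
        url = page.get("@odata.nextLink")  # absent on the last page, which ends the loop
    trail.sort(key=lambda r: r["received"])
    return trail


# --- constructed sample data standing in for two Graph response pages (not real mail) ---
def _addr(a: str) -> dict:
    return {"emailAddress": {"address": a}}

_PAGE_2_URL = GRAPH_MESSAGES + "?$skiptoken=constructed-page-2"
_SAMPLE_PAGES = {
    "first": {
        "value": [
            {"id": "m1", "internetMessageId": "<a1@example.com>", "subject": "Welcome to our newsletter",
             "receivedDateTime": "2023-02-01T09:00:00Z", "from": _addr("support@broker.example"),
             "toRecipients": [_addr("client@example.com")]},
            {"id": "m2", "internetMessageId": "<b2@example.com>", "subject": "Lunch?",
             "receivedDateTime": "2023-02-02T09:00:00Z", "from": _addr("colleague@broker.example"),
             "toRecipients": [_addr("support@broker.example")]},
        ],
        "@odata.nextLink": _PAGE_2_URL,
    },
    _PAGE_2_URL: {  # last page: no nextLink; includes the Sent Items copy of m1 to show dedup
        "value": [
            {"id": "m3", "internetMessageId": "<c3@example.com>", "subject": "Re: Pre-approval documents",
             "receivedDateTime": "2023-03-05T10:30:00Z", "from": _addr("Client@Example.com"),
             "toRecipients": [_addr("support@broker.example")]},
            {"id": "m1-sent-copy", "internetMessageId": "<a1@example.com>", "subject": "Welcome to our newsletter",
             "receivedDateTime": "2023-02-01T09:00:00Z", "from": _addr("support@broker.example"),
             "toRecipients": [_addr("client@example.com")]},
        ],
    },
}


def fake_fetch_page(url: str) -> dict:
    """Offline stand-in for the authenticated GET: the first (filter) URL yields page one,
    the nextLink yields page two."""
    return _SAMPLE_PAGES.get(url, _SAMPLE_PAGES["first"])


def demo() -> list:
    since = datetime.now(timezone.utc) - timedelta(days=RETENTION_DAYS)
    return collect_client_trail(fake_fetch_page, "client@example.com", since)


if __name__ == "__main__":
    for row in demo():
        print(row["received"], row["from"], "->", ", ".join(row["to"]), "|", row["subject"])
```

In production `fetch_page` would be a thin wrapper that attaches the OAuth bearer token and raises on non-200 responses; keeping it outside the collector is what lets the same code be exercised offline and makes the audit logic itself testable. Rendering the returned rows to PDF is left to whatever reporting library the practice already uses.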
Another advantage that comes from fully-branded email originating from a dedicated support email account is trust. As touched on in ASIC's Regulatory Guide 235, ownership and branding are seriously important from a trust point of view - you absolutely don't want your brand represented by a nonsensical email address that isn't attached to your brand (it's the email equivalent of using dodgy third-party landing pages). While others have taken notice of what we've done and tried to emulate our methodology and incorporate our experience into their own product, they've missed the compliance aspects completely and are continuing to provide their brokers with a far inferior (and potentially non-compliant) experience.
Not unlike email compliance, we use the Telstra Messaging API for all our SMS communications because of the quality assurance that comes with dealing with Australia's most trusted Telco (as best any Telco can be 'trusted'). For a couple of dollars a month the knowledge that your messages aren't finding their way offshore is well worth the small investment. Our systems are designed on top of the Telstra API; that is, we provide a range of graphical user interfaces to send manual and automated messages (supporting 'STOP' messages, voicedrops, SMS, MMS, delivery receipts, and so on, and all fully compliant with Australian law).
There are a number of 'free' SMS gateways that are designed to harvest phone numbers, personal information, and other data by way of very common man-in-the-middle attacks. Apart from the fact that many of these services are notoriously unreliable with less-than-stellar deliverability, they simply shouldn't be trusted in the finance game. Their use in the finance industry should be banned.
Email compliance is complicated. Seriously complicated. The bottom line is this: rather than accept mediocrity as your standard, build or use future-proof and integrated systems that actually add value to your marketing funnel experience.
The proliferation of the 'Facebook Marketer' has introduced a wild-west and somewhat clueless component to the way mortgage broking is represented through its marketing, and brokers' online conduct has gone largely unchecked. Nearly all finance marketing is non-compliant in some respect, and this is absolutely unacceptable; a third-party marketing company should never introduce systems into your business that are anything other than best-practice, and should never provide a product or service that is anything other than fully compliant.
Our email systems, autoresponder follow-up emails, newsletters and so on are the highest performing in the industry for a number of reasons, but we also provide assurances in the manner in which information is sent, maintained, and recorded for later auditing purposes... and we're the only company to do so.