Technology Advances Require New Kind of Code of Conduct

As technology and the exponential growth of the Internet change the complexion of money and commerce, business ethics and corporate conduct must correspondingly be recalibrated.

For financial institutions, these changes will require a reassessment of the likely business risks and temptations that each institution and its employees will face. That reassessment must also include a reevaluation of the institution's capability to prevent, detect, and contain both internal and external breaches of electronic data and information.

In short, each institution should adapt its code of conduct to establish the principles that the company and its employees should adhere to in the virtual commercial world.

A corporate code of conduct serves several functions. In a highly regulated environment, it is a guide for executives and employees on the standards that should govern their day-to-day business activities. It sets the ethical tone for the organization.

Beyond law, rules, and regulations, a code simply defines how the company will conduct its business.

At the other end of the spectrum, however, the existence of an effective, closely monitored code of conduct is a key mitigating factor when the inevitable happens - an employee breaks the law or engages in unethical conduct. It can underscore that the lapse was the product of one employee's misconduct, and not organizational malaise.

Technology puts a new gloss on the risks and exposures that companies can now face. The Internet, a world where no human can exist and where identities can be masked, changes both the risks and the methods of prevention corporations must consider. In that regard, financial institutions should consider updating their codes of conduct to address new technological risks.

Indeed, the proliferation of electronic money systems that will come to be the principal means of payment on the Internet raises a new set of counterfeiting, "spawning," and other digital replication possibilities that require a new sense of internal and external security.

No institution can anticipate every form of chicanery this new medium will foster. Each organization, however, can set parameters for every employee with access to a computer terminal. These should address at least four points.

First, each institution should develop a clear statement regarding cyberspace access. The leap into cyberspace dramatically changes the language, relationships, time, space, and rules to which people are accustomed. Security takes on a new dimension.

As a preliminary step, each institution must set "ground rules" for access to electronic communications - access rules that are tailored to its unique situation. Some of the measures that might be considered include:

Access to and communications on the Internet should be determined by a given type of employee on behalf of the bank and the type of information being transmitted.

External access to the company's electronic data systems should be controlled.

Breaches of firewalls and security protocols must be prohibited and reported.

Limitations should be set on the various Internet areas that employees are authorized to access.

Identities, security protocols, or other confidential architectures and information must be protected from publication.

Second, contacts between employees and other parties in cyberspace, whether business-related or personal, must be consistent with the tone of professionalism set by the bank. All communications and behavior reflected in internal e-mail or over the Internet must be as prudent, respectable, and courteous as they would be if they were before the board of directors, regulators, criminal prosecutors, or a civil jury.

In the final analysis, those are the bodies that may judge such communications and behavior. In addition, document creation and retention policies must be adapted to an environment in which many "documents" never leave a fiber-optic wire.

Third, each institution must take steps to ensure the security of electronic value.

For financial institutions and other diversified financial companies that create, deal in, or transmit electronic currency, the financial stakes have changed immeasurably. The movement of electronic currency, particularly if it is anonymous and nontraceable, creates internal and external risks of embezzlement, counterfeiting and "spawning" that will require new levels of diligence and "conduct supervision" that can literally mean the difference between a company's success and failure.

Employees will have the capacity to counterfeit electronic currency. They also will have the ability to pass electronic information and encryption keys to others, thus creating the risk of counterfeit electronic currency indistinguishable from the real thing.

Once such currency is in circulation, the originators, issuers, transmitters, and processors may face three options: (1) recognize the value of all outstanding electronic value and incur the attendant loss; (2) dishonor all or a substantial portion of outstanding electronic currency and expose themselves to a loss of consumer confidence; or (3) engage in a cumbersome, time-consuming, and likely litigious process of distinguishing real from counterfeit currency.

From the perspective of an internal code of conduct, financial institutions should consider taking these additional measures:

Regular self-policing and self-certification of the ethical and legal record of employees occupying sensitive positions.

Applying stringent authentication, identification, and verification procedures to those who may create and transmit electronic data and currency.

Monitoring and reporting requirements regarding transmissions and communications beyond regular and authorized patterns and protocols.

Employee cooperation with and submission to company monitoring and review.

Fourth, each institution must adapt age-old confidentiality principles to the information era. The most perfect code of conduct and procedures can be thwarted by intentionally illegal or unethical behavior of an employee. Similarly, the risks posed by the departure of employees from technologically sensitive positions must be carefully controlled.

In that regard, the employment of individuals in technically sensitive positions requires close attention to the responsibilities, obligations and rights of the parties upon termination of the relationship - as much as at the start of the relationship. Particularly where patents, trademarks, and copyrights form the basis of a business product or market, such information is money.

To protect these interests, a code of conduct should incorporate three principles:

Employees who have access to confidential and proprietary technological secrets should assume the responsibility of beating hackers, crackers, sniffers and electronic thugs to the punch. If each employee plays the sentry, the institution will have that much better defenses in dealing with the potential liabilities of virtual financial services.

Employees must agree that confidential and proprietary company information will remain secret in perpetuity (or for a negotiated period of time) and that they may be subject to prosecution and/or liability for breaches.

The identity and ownership of customers and customer information, whether residing in the institution's files or in cyberspace, must be religiously protected according to rules established by the institution.

Technology will require that companies rethink many aspects of their business. Companies have created, and will continue to create, "imagination" divisions and appoint technology officers to engineer and strategize in cyberspace. As this trend continues, it will be critical for companies to continually reset their employees' ethical compasses.
