Policy Migration

Schedule a 15 minute discovery call today with Technically Creative Experts

Communication surveillance policy migration is one of the most complex, time consuming, and critical pieces of any system migration. Without well-defined and developed policies in place, you leave yourself exposed to a tremendous amount of risk, even while leveraging the best surveillance system on the market. When it comes to policy/rule migration, success is in the details!  Watch Technically Creative discuss the importance of properly migrating your policies rules in this webinar replay available here.


Each firm has different stakeholders when it comes to policy, but two main categories that are common are those responsible for communication surveillance policy definitions and those responsible for sign off on acceptance criteria.

Not all firms have just these two categories. In some firms, IT, compliance, control room, legal and other groups have a stake in policy. Ensure you accurately define the signoffs and process for testing and releasing policies.

If you currently have a process in place and have your policies or rules properly defined, the migration process is simplified. In some cases, the destination vendor may be able to pick up that documentation and greatly improve the migration success.


Who is being excluded from the policy or rule (if anyone)? The people, the person, the organization group – identifying these people is critical, as missing the person and not applying the proper policy can be a huge gap.

What is the overall objective of this policy or rule? Always think about the content you need to cover. Are you looking for insider trading? People discussing a reward on the side for work, or even the new rules around incentives, be sure to write out what you are targeting.

Email subject, body, or attachment, in web activity, in a file on a share, sent to a printer, instant messaging, different channels – options vary among vendors.

When sent externally, one individual sends to another individual in a different department, when only internal, when containing a person in the research group? Is there an attachment is present? When the mail is sent out of normal business hours. Each vendor has different options to handle this and, in some cases, they don’t have an option, so be sure to review your supervision requirements with the next vendors options.

Is there an internal risk?  Is there a regulatory concern this communication surveillance policy is associated with?  Did something happen at the firm? All of these questions and the documentation of your policy or rules are essential for making sure your policy is well covered going forward.


Do you have adequate policy or rule coverage to cover your supervision requirements?

When examining a new solution, this is the perfect opportunity to review your current coverage and examine any gaps.

Policy development process:

The communication surveillance policy lifecycle is probably the most critical piece to the health of your supervision system. Having an effective policy or rule lifecycle where you evidence changes and validate no loss of your true positives is critical to staying out of sight of the regulators.

  • Do you have one ?
  • Do you think you have one ?
  • Do you need help creating one ?

Analysis 01

More than just looking at what you have but also looking at what you are supposed to have. During the analysis phase, the stake holder must be involved; this includes anyone that holds a weight into what policy or rule needs to cover or what the firm’s concerns are in communications. Remember that these do not need to be regulatory items but can also be risks related items.

For example, having a communication surveillance policy that covers customer complaints but doesn’t include terms like “you messed up” or like monitoring for gifts and entertainment without the word gift in the policy or rule. This was actually something several firms were cited for in recent years. We know the word hits a lot, but with any good supervision solution, you should be able to reduce the hits based on when the use of the word is not an issue.

Design 02

When it comes down to the actual design of a policy/rule, each vendor has different capabilities and thus a different design process. The key points in every system related to design are still the same – what do you need to find? – and document it well enough to build it. Keep in mind design can be based off your original policies or starting from scratch with constructing new ones that came out of the analysis phase.

Construction 03

Regardless of the system, the difficult part is actually building what we just documented.

Once we dive into construction, this is where the resources are really being utilized – from setting up the system, establishing data sets, actually constructing the communication surveillance policy and running data through the system – to test and validate the results before even stepping into the refinement cycle.

Refinement 04

Technically Creative will work with the client to review the results of the constructed policy/rule potentially running through multiple cycles of ingestion and review of the captures content.

Release 05

Probably the highest stress point of this entire cycle is actually putting all those changes into production. It is always strongly advised that you have test users and test events for the policy – potentially also incorporating your changes to run through the system, to confirm proper capture.

Validation & Reporting 06

It is always smart to be proactive and run an analysis and trend across all of your changes – from things like your capture rates to frequent violators and frequent language results in hits. Technically Creative frequently sees cases where after a week, communication surveillance policy or rule violations have sky rocketed due to a simple phrase in common documents which causes violations. The faster you jump back to the refinement phase to fix something like that, the more your reviewers will appreciate you.

Technically Creative can do a quick evaluation to ensure your policy’s coverage is as complete as it should be and you have all the necessary documentation. Technically Creative offers a free assessment on the core components related to supervision.

Technically Creative is an industry leader providing cutting-edge Technology Solutions for Compliance.  Our extensive experience combined with a unique approach to building contextual-based linguistic rules ensures that each policy we build captures the most relevant content effectively and efficiently, while reducing any extraneous noise. Our reputation is backed by the quality of our work, collective knowledge, and experience with compliance and policy advancement.

Policy Development Strategies


Some firms have gone the route of extracting the lexicons and phrases from the policy and try to have the destination system interpret it. Technically Creative has seen various levels of success in going this route, but overall it resulted in extensive testing and validation.


Usually through a migration, you end up with something better in the end due to the volume of testing you have to do on the policies. In the process you can also target issues in your current policies to make them better in the destination system. It’s even possible the new system has a function/feature.

Build New

Some vendors have what they call “out of the box” policies. Even Technically Creative with our Policy Catalog containing 200+ policies, still feel they are only a great start, but you still need to add or modify them to make them effective for your firm.

Validate and Test

It’s critical to confirm your new systems policy effectiveness. Specifically testing the results of policy “conversions” from Orchestria into new vendors. Technically Creative highly recommends that you have your policies – at least the initial policies – professionally developed. There is a sharp learning curve to becoming proficient in the new policy languages and if you don’t fully understand the differences in functionality, it can lead to some critical oversights.
Plan for maintenance and refinement, it’s critical to maintain policy, the regulators are not accepting the out of the box answers or policy anymore.

The key points you must have are:

Signoff and acceptance Signoff and acceptance process, ensuring any change has names tied to it for approval. Using a ticketing system, which also must be archived to maintain that record is important
Policy Refinement report Showing a refinement report, this is a report detailing out what line waschanged/added/removed and why
Policy Compare document Compare document, which is a literal release document showing the "before and after" policy, which must align with the refinement report
Evidencing the policy change. This involves maintaining an output of items that triggered the policy before vs after

To learn more about Policy or Rule Migration, schedule a 15 minute discovery call today with Technically Creative Experts.