Texting is simple, concise and compatible with virtually every mobile device, operating system and wireless carrier – making it extremely accessible when a client or a prospect wants to reach out in a time-crunched world. But even though texting is easy, reliable and intuitive, using it for business communications can create enormous risk.
Regulators continue to examine and penalize firms for inadequate electronic communication policies, supervision, and records. In November, FINRA penalized four firms for electronic communication retention and supervision deficiencies.
The Recent Enforcement Cases
A firm was censured and fined $175,000 for failure to establish, maintain and enforce Written Supervisory Procedures (“WSPs”) reasonably designed to achieve compliance with the record retention requirements under Exchange Act Rule 17a-4. The firm failed to maintain electronic brokerage records related to approximately 46 million market-making transactions in write one, read many (WORM) format. The findings stated that the firm did not have an audit system for those records it failed to maintain in WORM format.
A second firm was fined $35,000 for failure to supervise websites and social media accounts. The firm failed to establish a policy or system for approval, supervision, or retention of registered representatives’ business social media accounts, and did not review, approve, supervise, or retain any of the social media accounts maintained by registered representatives for securities-related business purposes.
Another firm was censured and fined $30,000 because the firm allowed certain representatives to use their personal emails to send and/or receive business-related communications. The firm’s former CCO allowed the use of personal emails so long as such emails were copied to a firm email address for review and retention purposes. The firm’s written procedures were not updated to reflect this modification. In addition, not all representatives complied with the condition that they copy emails to a firm email address. At least three representatives used personal email addresses to send and/or receive business-related emails that were not always copied to the firm. Most of these emails were internal firm communications sent from a firm email address to the representatives’ personal email addresses and were thus captured by the firm. Additionally, the firm failed to enforce its WSPs pertaining to email review. Those procedures required that, on an ongoing basis, 10 percent of all retail registered representatives’ emails and five percent of other department emails would be reviewed for appropriateness of communications using a random sampling basis. The firm’s email review system flagged a random sample of approximately 350,000 emails for review during a period of time, but the firm reviewed less than one percent of the flagged emails.
Lastly, a firm was censured and fined $5,000 for failure to properly communicate the email-review responsibilities to all of the principals that the firm had designated in its WSPs as responsible for email review. The firm’s automated email-surveillance system flagged 135,855 emails for review by one of four principals to which it had assigned that responsibility; however, only 73 of those emails were actually reviewed. The firm subsequently reviewed the flagged emails after the failure was identified. A lower fine was imposed after considering, among other things, the firm’s revenue and financial resources.
The Regulatory Requirements
Firms need to demonstrate to regulators that they are supervising the activities of their associated persons. FINRA Rule 3110 “requires a firm to establish and maintain a system to supervise the activities of its associated persons that is reasonably designed to achieve compliance with the applicable laws and regulations and FINRA rules.” FINRA Rule 3130 also requires broker-dealers to test and report annually on the effectiveness of the firm’s written supervisory procedures, and to store those policies and procedures in accordance with Rule 17a-4 requirements.
The Bottom Line
As you can see in the above enforcement cases, having a set of WSPs is not enough. It’s important to enforce the policies and document the reviews. Not following the firm’s policies and procedures is just as bad as not having any in the first place.
Your firm’s WSPs should be tailored to your firm and reflect all the activity in which your firm engages. At a minimum, the firm’s WSPs should identify the designated responsible supervisor, describe the process the supervisor will follow to conduct each review, state when (i.e., how frequently) such actions will be taken, and explain how the supervisor will evidence that the required supervisory steps were taken. WSPs should be updated not only to reflect changes to regulations, but also when changes are made to the supervisory process. Ensure the policies are properly enforced and followed by the designated reviewers. And finally, make sure employees are aware of all policy guidelines and permitted communication channels.
Review the adequacy of your electronic communications policy and supervisory systems. If your firm permits various electronic communication channels, establish a system for approval, supervision, and retention. As for supervision, there is no prescribed formula for determining how many messages to review. However, enough should be reviewed for an advisor to be able to defend it as reasonable. The objective is to review as many messages as are required in the firm’s WSPs. If the WSPs call for a review of 10 percent of all registered representatives’ emails, don’t review only 1 percent.
Technology solutions are available that can help firms automate much of the electronic communications supervision process. The Archiving Platform from Smarsh has monitoring features that assist with electronic communication surveillance and automatically log the reviews. This is incredibly effective at finding potential violations such as advisors using their personal email to communicate with clients. You can create keywords and key phrases to flag the risk of advisors using unauthorized communication channels. Examples include: “send to my personal email,” “respond to my gmail,” “text me,” and “let’s take this offline.”
One of the most frequently cited violations is failure to follow the firm’s Written Supervisory Procedures. The solution is simple — spend time supervising your employees to help affirm compliance with regulations to avoid fines and to protect your firm’s reputation.
On September 14, 2017 the SEC’s Office of Compliance Inspections and Examinations (OCIE) identified several compliance issues relating to Rule 206(4)-1 (the “Advertising Rule”) under the Investment Advisers Act of 1940. OCIE identified these issues primarily through deficiency letters submitted to SEC-registered investment advisers as part of the SEC’s Touting Initiative.¹ The Advertising Rule prohibits investment advisers from publishing, circulating, or distributing any advertisement containing untrue or misleading statements of material fact.² The term “Advertisements” under the Advertising Rule encompasses a range of statements, including notices, circulars, letters, television and radio announcements, and statements made through electronic media so long as the announcement addresses more than one person and offers information contained in Section 206(4)-1(b) of the Advertising Rule.
OCIE identified six main Advertising Rule compliance issues in its risk alert:
- presenting misleading performance results, such as presenting results without deducting advisory fees or comparing performance results to a benchmark without disclosing the inherent limitations of the comparison;
- containing misleading one-on-one presentations, for example providing performance results in one-on-one presentations without disclosing potentially relevant information or not indicating that the results presented do not reflect the client’s return after fee deductions;
- claiming the adviser is compliant with voluntary performance standards when it is not clear whether the adviser is actually adhering to them;
- “cherry picking” profitable stock selections for inclusion in materials without meeting Subsection (a)(2) of the Advertising Rule’s conditions;
- referencing past investment recommendations that only contain certain, not all, recommendations for purposes of illustrating a specific strategy; and
- not having, or not implementing, policies and procedures designed to prevent advertising practices violating the Advertising Rule.
Based on OCIE’s Touting Initiative in 2016, which examined the adequacy of accolades disclosures in marketing materials advisers provided to their clients, OCIE identified three additional adviser compliance issues. These include:
- advisers disclosing third-party rankings or awards without disclosing material facts about the award or ranking;
- references to misleading or potentially false employee professional designations in both advertisements and Form ADV Part 2B Brochure Supplements; and
- including client statements and endorsements regarding the adviser’s services that may be considered prohibited testimonials, for example reprinting third-party articles and client endorsements published on social media pages, in pitch books, and on firm websites.
OCIE’s complete risk alert is available at: https://www.sec.gov/ocie/Article/risk-alert-advertising.pdf
¹ The SEC’s Touting Initiative was an examination initiative that focused on advisers’ use of accolades, such as awards, ranking lists, and/or professional designations, in their marketing materials and consisted of the OCIE conducting almost 70 examinations in 2016. The Securities and Exchange Commission, Office of Compliance Inspections and Examinations, The Most Frequent Advertising Rule Compliance Issues Identified in OCIE Examinations of Investment Advisers, at 1, 5 (Sept. 14, 2017).
² Advisers Act Rule 206(4)-1(a)(5).
The regulators continue to penalize firms and individuals for failing to comply with supervisory and retention obligations. Failure to meet FINRA and SEC retention requirements results in serious consequences for firms and their associated persons, including fines and other disciplinary actions. In October, the regulators focused on advisors using personal email accounts to send business-related communication to customers and penalized firms for failing to archive the emails.
Firms Penalized for Recordkeeping and Supervision Violations
The SEC fined a dually-registered firm $25,000 for failure to preserve emails transmitted by a senior registered rep via her personal email address. The firm’s policy prohibited employees from using personal forms of electronic communication for business-related correspondence. The firm also relied on annual compliance attestations to monitor its employees’ adherence to its policies, including the firm’s policy prohibiting the use of unauthorized methods of electronic communication. However, the firm was aware that the advisor was not complying with the firm’s policy prohibiting use of personal email for work purposes. Even though the advisor had access to the firm’s email account, she deliberately used her personal account to transmit emails in order to avoid review and surveillance by the firm. The advisor also did not provide copies of the emails to the firm to preserve such communications. It was only after the firm was unable to produce the requested records that the SEC learned of the existence of additional emails transmitted through the advisor’s personal email account.
FINRA censured and fined a firm $35,000 for failure to preserve records in a non-rewritable, non-erasable (also referred to as “Write-Once, Read-Many” or “WORM”) format. The firm used electronic storage media to retain its firm-domain emails. During this time, the firm’s servers became disconnected from its email retention vendor, preventing regular journaling of its firm-domain emails to the firm’s retention system. The emails of any firm employees who double-deleted or otherwise altered firm-domain emails were not maintained in WORM format. The findings also stated the firm failed to maintain evidence of any principal review of its electronic correspondence. Additionally, the firm failed to maintain evidence of any principal review of Bloomberg emails and Bloomberg instant messages.
Individuals Penalized for Recordkeeping and Supervision Violations
FINRA fined and suspended an owner of a firm $20,000 for failing to establish and maintain a system reasonably designed to comply with its email review and retention obligations. The findings stated that this individual also served as the firm’s vice president, chief compliance officer (CCO), financial and operations principal (FINOP), and was the sole registered principal responsible for all areas of the firm’s supervision, including its WSPs and maintenance of the firm’s books and records. The firm’s procedures prohibited registered representatives from using email for business-related communications. Despite that prohibition, the owner used and allowed registered representatives to use personal email accounts to conduct firm business. The owner failed to review or retain all business-related emails sent from or received by the registered representatives’ personal email accounts, failed to supervise the use of these accounts, and failed to enforce the firm’s procedures prohibiting the use of email to conduct firm business.
Similarly, another broker was fined $10,000 and suspended for knowingly using his personal email address to communicate with customers. The broker prevented the firm from discharging its supervisory and recordkeeping obligations. The broker signed annual certifications agreeing to use only the firm’s domain email for communications with customers and concerning firm business. Nevertheless, the broker knowingly used a personal email account to communicate with the customer concerning a sales practice complaint that the customer made regarding the broker handling his accounts. Because the broker used a non-firm-approved email address, the customer’s complaint did not immediately come to the firm’s attention.
Firms need to capture, archive and supervise all written business communications. This includes retention of electronic communications such as email, text messages, instant messages, social media and more. This is a good time to review your Written Supervisory Procedures (WSPs) to ensure the policies properly address the firm’s business activities and comply with the provisions of the recordkeeping rule.
The WSPs should provide for adequate electronic communication reviews, the methods of review, the frequency, and documentation procedures. Outline whether employees have the ability to communicate via email through means other than their firm email address and through third-party communication systems such as Bloomberg and Reuters. If the firm permits employees to communicate with customers through these systems or through other non-firm email addresses, the firm is required to supervise and retain those communications. If the firm elects to prohibit their use altogether, keeping employees from accessing non-member email platforms for business purposes, then it needs to require employees to certify, on an annual or more frequent basis, that they are acting in accordance with such policies and procedures. Where possible, firms should block access to these email platforms through their networks, so that an employee can access the Internet but not the email functionality. Members utilizing this blocking functionality should periodically conduct tests to ensure that it is functioning as designed or intended. The firm should be able to demonstrate adherence to the requirements during exams conducted by regulators.
Because firms can’t rely on social networks for recordkeeping, they need to work with third-party vendors. For example, The Archiving Platform from Smarsh has the ability to automatically flag emails that contain certain words or phrases likely to warrant review. These keywords or key phrases can be customized, which allows the firm to control which words or phrases are flagged and to adjust them as the business changes or new risks emerge. You can create keywords and key phrases to flag the risk of advisors using unauthorized communication channels. Examples include: “send to my personal email”, “respond to my gmail account”, “text me”, “let’s take this offline.” These common phrases are indicative of the risk of using unauthorized communication channels. Firms cannot assume advisors aren’t using their personal emails to communicate with clients.
Supervision is critical for retention and oversight of electronic communications. Firms need to demonstrate to regulators that they are supervising the activities of their associated persons. Monitoring electronic communications can be incredibly effective at finding potential violations beyond advisors using their personal email to communicate with clients, such as: client complaints; guaranteed-performance language; breaches of non-public personal information; or failure to follow privacy policies. There is no prescribed formula for determining how many emails to review, but enough should be reviewed for an advisor to be able to defend it as reasonable. FINRA recommends that firms adopt a combination of lexicon and random review of electronic correspondence. Policies and procedures are not required to specify exact percentages or quantities to review. The most important takeaway here is to review as many messages as are required in the firm’s WSPs. If the policies and procedures call for a review of 4% of all emails each month, reviewing only 2% every quarter is missing the mark.
Lastly, make sure to document your review process. It’s also a powerful tool to evidence your supervision process. Smarsh provides a means by which to electronically document the review and create an audit trail. If the email is spam, note the document is “not material, junk message”. You want the email to evidence the review.
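As an added illustration (example code written for this page, not Smarsh’s product or any of its APIs), the following Python sketch models the workflow the posts above describe: lexicon flagging of the listed phrases, a random sample to top the queue up to the WSP review percentage, and a logged disposition for each review so coverage can be evidenced against the WSP target. The mailbox, reviewer names and percentages are constructed.

```python
"""Lexicon flagging + random-sample review queue + review audit trail.

Added example, not Smarsh code. Models the supervision steps the posts
describe: flag messages matching risk phrases, add a random sample until
the WSP review percentage is met, record every review with a disposition,
and report whether the firm can evidence the required coverage.
"""
import math
import random
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Indicator phrases for unauthorized channels, as listed in the posts.
UNAUTHORIZED_CHANNEL_LEXICON = [
    "send to my personal email",
    "respond to my gmail",
    "text me",
    "let's take this offline",
]


def _normalize(text: str) -> str:
    """Lower-case and fold curly apostrophes so "let’s" matches "let's"."""
    return text.lower().replace("\u2019", "'").replace("\u2018", "'")


def find_hits(text: str, lexicon=UNAUTHORIZED_CHANNEL_LEXICON) -> list:
    """Return lexicon phrases present in text (word-boundary, any whitespace).

    Word boundaries keep "textbook" from matching "text me"."""
    norm = _normalize(text)
    hits = []
    for phrase in lexicon:
        words = [re.escape(w) for w in phrase.split()]
        pattern = r"\b" + r"\s+".join(words) + r"\b"
        if re.search(pattern, norm):
            hits.append(phrase)
    return hits


# Constructed sample mailbox (hypothetical addresses, not real correspondence).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "rep1@firm.example", "body": "Attached is the quarterly statement you requested."},
    {"id": "m2", "from": "rep2@firm.example", "body": "Just text me on my cell and we can sort this out."},
    {"id": "m3", "from": "client@mail.example", "body": "Can you send to my personal email instead?"},
    {"id": "m4", "from": "rep1@firm.example", "body": "Let’s take this offline, respond to my gmail account."},
    {"id": "m5", "from": "news@list.example", "body": "Weekly market recap newsletter. Unsubscribe here."},
    {"id": "m6", "from": "rep3@firm.example", "body": "The context here is textbook: the fund reopened."},
    {"id": "m7", "from": "ops@firm.example", "body": "Trade confirmations for Tuesday are posted."},
    {"id": "m8", "from": "rep2@firm.example", "body": "Meeting moved to 3pm, same dial-in."},
    {"id": "m9", "from": "hr@firm.example", "body": "Reminder: annual compliance attestation due Friday."},
    {"id": "m10", "from": "rep3@firm.example", "body": "Prospectus attached as discussed."},
]


def build_review_queue(messages, wsp_pct: float, seed: int = 0) -> dict:
    """Map message id -> lexicon hits for everything that must be reviewed.

    Every lexicon hit is queued; a seeded random sample of the remaining
    messages tops the queue up to ceil(wsp_pct * total), the combination of
    lexicon and random review the posts recommend."""
    queue = {m["id"]: find_hits(m["body"]) for m in messages}
    queue = {mid: hits for mid, hits in queue.items() if hits}
    target = math.ceil(wsp_pct * len(messages))
    rest = [m["id"] for m in messages if m["id"] not in queue]
    need = min(max(target - len(queue), 0), len(rest))
    for mid in random.Random(seed).sample(rest, need):
        queue[mid] = []  # random sample: queued without a lexicon hit
    return queue


@dataclass
class ReviewRecord:
    message_id: str
    reviewer: str
    disposition: str  # e.g. "not material, junk message", "escalated"
    note: str
    reviewed_at: str


@dataclass
class ReviewLog:
    """Audit trail: the evidence that each queued message was actually reviewed."""
    records: list = field(default_factory=list)

    def record(self, message_id: str, reviewer: str, disposition: str, note: str = ""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.records.append(ReviewRecord(message_id, reviewer, disposition, note, stamp))

    def reviewed_ids(self) -> set:
        return {r.message_id for r in self.records}


def coverage_report(queue: dict, log: ReviewLog, wsp_pct: float, total: int) -> dict:
    """Compare reviews performed against the WSP target; unreviewed lexicon
    hits are listed separately because they are the highest-risk gap."""
    reviewed = log.reviewed_ids() & set(queue)
    required = math.ceil(wsp_pct * total)
    open_hits = sorted(mid for mid, hits in queue.items() if hits and mid not in reviewed)
    return {"queued": len(queue), "reviewed": len(reviewed), "required": required,
            "unreviewed_lexicon_hits": open_hits,
            "meets_wsp": len(reviewed) >= required and not open_hits}


if __name__ == "__main__":
    q = build_review_queue(SAMPLE_MESSAGES, wsp_pct=0.5, seed=7)
    log = ReviewLog()
    for mid, hits in q.items():
        disp = "escalated" if hits else "not material, junk message"
        log.record(mid, "principal_a", disp, ", ".join(hits))
    print(coverage_report(q, log, 0.5, len(SAMPLE_MESSAGES)))
```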
Firms should periodically test the integrity of their electronic archive systems to ensure all communications are actually being captured and messages are being archived for the defined period of time. It is not ideal to find out about technical issues from the regulators during an audit. An effective surveillance system can not only meet regulatory requirements, but successfully prevent potential violations and oversee the firm’s activities. Get ahead of the game!
I had a very interesting customer conversation last week that helps lend some perspective on the recent news. This compliance officer was detailing the difficult position she was in as her firm looked at implementing a text message archiving strategy and technology solution.
She knew that texting is everywhere. Enabling her advisors to use text messaging to communicate with customers was a no-brainer. We all know that prohibiting texting is futile and likely presents more risk for the organization. Beyond that, this strategic shift was important for the business — it would give her advisors more tools to work with to communicate with customers and potential customers, through the means of their choice. In simple terms, it represented a major avenue to greater productivity.
At the same time, her number one priority is to protect her organization and its customers from risk. Regulatory scrutiny from FINRA and the SEC is growing more sophisticated and prescriptive. She was concerned about MiFID II. Would text content translate into a massive increase in workload for her team, just to manage the subsequent recordkeeping and oversight challenges? Would the cost of compliance outweigh the benefits?
Even beyond the financial services industry – in the public sector, where more and more local, state and Federal agencies are trying to find ways to meet their open records obligations with new and changing technology – we’re seeing these two competing realities. What wins out – productivity or compliance? For too long, one side has benefited at the expense of the other.
The days of “productivity OR compliance” are behind us. Smarsh, now together with Actiance, is better positioned than ever to offer customers productivity AND compliance.
Together, our combined company provides capture, archiving and supervision support for the most content types (100+) in the industry, across a broad range of electronic communications including email, social media, mobile text messaging, instant messaging/collaboration, encrypted chat and voice communications. Having these solutions to help satisfy their legal and regulatory obligations enables our customers to use Slack, text messaging, LinkedIn or whichever channel they need to grow their businesses.
We’re also seeing organizations struggling with the maintenance and performance of their legacy archiving and supervision technologies. Together, Smarsh and Actiance provide flexible deployment (cloud, dedicated, hybrid, on-premise) and data migration options, along with the industry’s top tools for efficient supervision.
We are incredibly excited about this combination with Actiance, a team that we have partnered with, respected and competed against for more than 15 years. Together, we are taking two complementary market leaders in the Enterprise Information Archiving space and creating one global market leader.
For Smarsh, the wind is at our backs. We have seen aggressive, sustained growth, enhanced by and driven through huge strides with recent acquisitions (MobileGuard and Cognia), traction in the public sector, market demand for our mobile text archiving offerings and support for new communication/collaboration platforms (e.g., Slack). In addition, we were recently named a Leader in the 2017 Gartner Magic Quadrant for Enterprise Information Archiving for the third consecutive year, and are positioned furthest to the right for completeness of vision.
Together, we can double-down on our 2016–2017 accomplishments. We will increase our investment in product development, grow and nurture our partner ecosystem and accelerate our global expansion. The integration will take time and needs to be done strategically, and we’ll organize in a way that provides the best of our combined capabilities to the benefit of our customers and partners.
Together, we are offering productivity AND compliance, and I am incredibly excited about what’s to come.
In today’s business environment where consumer trust means everything to a company’s success, it’s not enough for your organization to manage risk after the fact. You must spot it as soon it happens to prevent it from spiraling out of control and damaging your brand.
While some companies now actively measure and try to manage risk, many still lack best practices and technology solutions to deal with potentially damaging electronic communications shared with colleagues, clients, prospects, business partners, and more.
As new communication technologies are launched and preferences are built for applications and tools like text messaging that foster quick and easy conversations, businesses struggle to keep on top of approved business practices with employee communications. Today, the many complexities surrounding smart phones and text communications for business present an enormous challenge for organizations.
These can only be solved with clear policies and a technology foundation that allows for capture and supervision. Supervising your company’s electronic communications data can help you realize more effective risk detection, mitigation, and management in the long run.
In fact, if you follow the five principles below, you can dramatically decrease the number of times your company faces serious risks resulting from the ungoverned use of electronic communications.
For electronic communications, it’s best to have the following in place:
1. A Sound Data Governance Framework
A key marker of a company that manages risk well is one that has a smart data-governance foundation in place, including control over electronic communications data.
A governance structure addresses the objectives, guiding principles, and action plans that demonstrate how your company will manage risk. It also identifies the key decision-makers within the organization who will meet regularly to discuss risk-related challenges and carry out action steps. A governance framework should state who supervises and manages electronic communications risk for regulatory, legal, and marketing purposes. It should also address the following questions:
- Who are the key decision-makers in your organization regarding response to potential problems found in your company’s email, social media, text messages, and website?
- Does your company have working groups or committees that can address ongoing areas of concern in electronic communications?
- Which behaviors and statements require escalation to key decision makers? How quickly should issues be escalated?
- When you identify an area of risk, are your key decision-makers aware of the causes of the problem? How are those causes addressed in the long term?
- Is there a system to help continually improve risk identification and escalation in different communications channels, including social media and text messaging?
2. A Culture of Risk Awareness and Compliance
While your company likely has key decision-makers who are responsible for risk management, your governance structure should allow other employees to speak up when they notice unusual, worrisome, or unexpected activities and events related to your business. Everyone is on the front line of risk prevention in the digital age.
This type of culture is influenced strongly by decision-makers, including the CEO and Chief Risk Officer (CRO). Senior decision-makers who spend time educating their legal, compliance, HR, marketing, and other departments about risk will positively affect this process.
Companies that handle governance and supervision of electronic communications well don’t view supervision as an obligation where they need to check the box to stay out of trouble. Instead, they see an opportunity to foster better business insights and decision-making. The rule of thumb is: use every opportunity available to obtain value from key data, to evaluate business risks and opportunities.
3. A Constant Drive for Efficiency
Risk departments and CROs face the task of performing effective risk management with limited resources and staff. A constantly changing regulatory, technology, and business environment makes these restrictions seem especially challenging.
Companies that handle uncertainty in stride tend to manage their risk, regulatory, and legal requirements effectively over the long term. If the risk department has a tight budget, collaboration and sharing of risk-detection resources with other departments can be a big help. For instance, the compliance team might extend the archiving platform it uses for regulatory purposes to the legal team, for use with early case assessment or eDiscovery in the event of an investigation or litigation.
For your light reading list: The Chief Risk Officer and the Dreadful, Horrid, Inefficient Very Bad Day.
4. Innovative Technology that Supports Risk Detection
While a risk department may use various technology tools to analyze data for risk detection, much of the root cause of operational, financial, compliance, and legal risk starts with people. Whether an individual or group takes malicious or unintentional action that results in risk to the company, the trail of error is often found in communications shared via email, social media, text messaging, instant messaging, corporate website content, and so on.
Many companies now look to comprehensive archiving and monitoring of their employees’ electronic communications to spot risk and mitigate it before it becomes a big problem. Since your compliance department may already have a requirement to retain and supervise electronic communications, it makes sense to broaden the use of archiving and monitoring for other business requirements such as developing use policies, staff training and support of legal and HR litigation.
5. A Commitment to Constant Improvement
The final key element is a commitment to undergo continual analysis of systems and processes. This is a long-term undertaking, but it’s one that’s vital to long-term improvement and success. Evaluate your answers to the following questions on a regular basis:
- Where has your company fallen short of its goals for risk management?
- How many high-profile risk problems or crises has your company encountered within the past year? In the past six months? Where and when do they occur?
- When risk affects the business, how quickly does the company react? Was the response quick, or not quick enough? Was the action plan well thought out? Do you have systems and technology in place to effectively handle risk?
With these key principles in place, your company will be on the path to managing risk.
For more information about how a comprehensive archiving platform can help your company manage risk, visit our content security and risk mitigation section online.
Smarsh is proud to have been named a winner of the Social Media Thought Leadership 2017 Wealth Management Industry Award during a formal gala dinner ceremony held at The Plaza Hotel in New York City on Oct. 11.
WealthManagement.com is the digital resource of “all things wealth management” for financial advisors and estate planning professionals. WealthManagement.com launched the industry awards program in 2015 to recognize industry innovation and leadership for wealth managers, broker/dealers, asset managers and financial technology providers.
Smarsh was recognized for its ongoing excellence in the category of Social Media Thought Leadership, beating out the other category Finalist, Broadridge Financial Solutions, Inc.
Smarsh was also named a Finalist in the category for Technology Providers Thought Leadership, along with Accenture, Envestnet, Freewheel Marketing, and the category winner, PIETech, Inc.
The WealthManagement judging panel recognized Smarsh for its centralized archiving platform that provides a unified compliance and e-discovery workflow across the entire range of digital communications, including social media, text messaging, email, websites and instant messaging.
Smarsh helps more than 20,000 organizations meet their regulatory compliance, e-discovery and record retention requirements. Smarsh continues to add connectors for new types of channels of content. Most recently, Smarsh announced archiving support for Workplace by Facebook, Slack Enterprise Grid, and Symphony Secure Collaboration and Workflow.