The regulators continue to penalize firms and individuals for failing to comply with supervisory and retention obligations. Failure to meet FINRA and SEC retention requirements results in serious consequences for firms and their associated persons, including fines and other disciplinary actions. In October, the regulators focused on advisors using personal email accounts to send business-related communication to customers and penalized firms for failing to archive the emails.

Firms Penalized for Recordkeeping and Supervision Violations

The SEC fined a dually-registered firm $25,000 for failure to preserve emails transmitted by a senior registered rep via her personal email address. The firm’s policy prohibited employees from using personal forms of electronic communication for business-related correspondence. The firm also relied on annual compliance attestations to monitor its employees’ adherence to its policies, including the firm’s policy prohibiting the use of unauthorized methods of electronic communication. However, the firm was aware that the advisor was not complying with the firm’s policy prohibiting use of personal email for work purposes. Even though the advisor had access to the firm’s email account, she deliberately used her personal account to transmit emails in order to avoid review and surveillance by the firm. The advisor also did not provide copies of the emails to the firm to preserve such communications. It was only after the firm was unable to produce the requested records did the SEC learn about the existence of additional emails transmitted through the advisors personal email account.

FINRA censured and fined a firm $35,000 for failure to preserve records in a non-rewritable, non-erasable (also referred to as “Write-Once, Read-Many” or “WORM”) format. The firm used electronic storage media to retain its firm-domain emails. During this time, the firm’s servers became disconnected from its email retention vendor, preventing regular journaling of its firm-domain emails to the firm’s retention system. The emails of any firm employees who double-deleted or otherwise altered firm-domain emails were not maintained in WORM format. The findings also stated the firm failed to maintain evidence of any principal review of its electronic correspondence. Additionally, the firm failed to maintain evidence of any principal review of Bloomberg emails and Bloomberg instant messages.

Individuals Penalized for Recordkeeping and Supervision Violations

FINRA fined and suspended an owner of a firm $20,000 for failing to establish and maintain a system reasonably designed to comply with its email review and retention obligations. The findings stated that this individual also served as the firm’s vice president, chief compliance officer (CCO), financial and operations principal (FINOP), and was the sole registered principal responsible for all areas of the firm’s supervision, including its WSPs and maintenance of the firm’s books and records. The firm’s procedures prohibited registered representatives from using email for business-related communications. Despite that prohibition, the owner used and allowed registered representatives to use personal email accounts to conduct firm business. The owner failed to review or retain all business-related emails sent from or received by the registered representatives’ personal email accounts, failed to supervise the use of these accounts, and failed to enforce the firm’s procedures prohibiting the use of email to conduct firm business.

Similarly, another broker was fined $10,000 and suspended for knowingly using his personal email address to communicate with customers. The broker prevented the firm from discharging its supervisory and recordkeeping obligations. The broker signed annual certifications agreeing to use only the firm’s domain email for communications with customers and concerning firm business. Nevertheless, the broker knowingly used a personal email account to communicate with the customer concerning a sales practice complaint that the customer made regarding the broker handling his accounts. Because the broker used a non-firm-approved email address, the customer’s complaint did not immediately come to the firm’s attention.

TAKEAWAY:

Firms need to capture, archive and supervise all written business communications. This includes retention of electronic communications such as email, text messages, instant messages, social media and more. This is a good time to review your Written Supervisory Procedures (WSP’s) to ensure the policies properly address the firm’s business activities and comply with the provisions of the recordkeeping rule.

The WSP’s should provide for adequate electronic communication reviews, the methods of review, the frequency, and documentation procedures. Outline whether employees have the ability to communicate via email through means other than their firm email address and through third-party communication systems such as Bloomberg and Reuters. If the firm permits employees to communicate with customers through these systems or through other non-firm email addresses, the firm is required to supervise and retain those communications. If the firm elects to prohibit its use altogether, keeping employees from accessing non-member email platforms for business purposes, then there is a need to require employees to certify that they are acting in accordance with such policies and procedures, on an annual or more frequent basis. Where possible, firms should block access to these email platforms through their networks. Thus, an employee would be able to access the Internet but not the email functionality. Members utilizing this blocking functionality should periodically conduct tests to ensure that it is functioning as designed or intended. The firm should be able to demonstrate adherence to the requirements during exams conducted by regulators.

Because firms can’t rely on social networks for recordkeeping, this means that firms need to work with third party vendors. For example, The Archiving Platform from Smarsh has the ability to automatically flag emails that contain certain words or phrases likely to warrant review. These keywords or key phrases can be customized which allows the firm to control which words or phrases are flagged and to adjust them as the business changes or new risks emerge. You can create keywords and key-phrases to flag the risk of advisors using unauthorized communication channels. Examples include: “send to my personal email”, “respond to my gmail account”, “text me”, “let’s take this offline.” These common phrases are indicative of the risk of using unauthorized communication channels. Firms cannot assume advisors aren’t using their personal emails to communicate with clients.

Supervision is critical for retention and oversight of electronic communications. Firms need to demonstrate to regulators that they are supervising the activities of their associated persons. Monitoring electronic communications can be incredibly effective to find potential violations beyond advisors using their personal email to communicate with clients such as: client complaints; guarantor performance language; breaches of non-public personal information; or failure to follow privacy policies. There is no prescribed formula for determining how many emails to review, but enough should be reviewed for an advisor to be able to defend it as reasonable. FINRA recommends that firms adopt a combination of lexicon and random review of electronic correspondence. Policies and procedures are not required to specify exact percentages or quantities to review. The most important takeaway here is to review as many messages as are required in the firms WSP’s.  If the policies and procedures call for a review of 4% of all emails each month, reviewing only 2% every quarter is missing the mark.

Lastly, make sure to document your review process. It’s also a powerful tool to evidence your supervision process. Smarsh provides a means by which to electronically document the review and create an audit trail. If the email is spam, note the document is “not material, junk message”. You want the email to evidence the review.

Firms should periodically test the integrity of their electronic archive systems to ensure all communications are actually being captured and messages are being archived for the defined period of time. It is not ideal to find out about technical issues from the regulators during an audit. An effective surveillance system can not only meet regulatory requirements, but successfully prevent potential violations and oversee the firm’s activities. Get ahead of the game!