Regulatory Update

Brokers Penalized for Using Personal Email and Violating Social Media Policies

December 09, 2019by Marianna Shafir Esq.

Subscribe to the Smarsh Blog Digest

Subscribe to receive a weekly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

In recent months, regulators penalized firms for failing to monitor for compliance with their social media policies. Also, regulators fined brokers for using personal email accounts to send business-related communication to customers. Failure to meet FINRA and SEC retention requirements results in serious consequences for firms and brokers, including fines and other disciplinary actions.

The SEC fined a broker-dealer firm $700,000, and the Chief Executive Officer (CEO) was barred from association with any FINRA member in any principal or supervisory capacity and fined $100,000.

FINRA also found that the firm failed to establish and maintain a reasonable supervisory system for the review of electronic correspondence. The firm’s written supervisory procedures (WSPs) did not address how supervisors were to select electronic correspondence for review, how they were to review it, the frequency of such reviews and the manner in which to document reviews, nor did the firm maintain records of its supervisory review of electronic correspondence. In addition, FINRA found that the firm failed to establish and maintain a reasonable system of supervisory controls. The sanctions were also based on findings that the firm and the CEO used unbalanced and misleading communications with the public. The findings stated that the CEO used his firm email address to send emails concerning a biotechnology company he co-founded to persons identified as being involved with, or having invested in, biotechnology companies.

The firm and CEO collectively owned more than 60 percent of the company’s common stock. The emails did not provide a sound basis for evaluating the claims made therein, contained false or misleading claims, were not fair and balanced, included baseless performance predictions and misleading forecasts, and did not disclose the name of the firm and its relationship with the company. In these emails, the domain name of the CEO’s email address was the only indication of his association with the firm. The emails did not disclose the firm and the CEO’s ownership interest in the company or that the firm had raised approximately $13 million in capital for the company and earned more than $1 million in compensation since the company’s inception. The findings also found that the firm failed to report to FINRA statistical and summary information regarding written customer complaints it received, and reported statistical and summary information for other written complaints it received more than a year late.

FINRA fined a brokerage firm $90,000 for failing to establish, maintain and enforce a reasonable supervisory system, including WSPs, for the review of email and hard copy customer correspondence. Because the firm did not conduct correspondence review close in time to receipt, any sales practice concerns or red flags raised through such correspondence could go undetected for long periods of time. FINRA found that contrary to its WSPs, the firm failed to conduct a weekly review of representatives’ social media sites that the representatives disclosed to the firm 22 times out of a sample of 26 weeks reviewed. In addition, because the firm did not have a reasonable system to monitor for compliance with its social media policies, representatives were able to maintain business-related pages on a social media site that had not been preapproved by a qualified registered principal. As a result of the firm not reasonably monitoring for usage of undisclosed websites, it failed to preapprove websites operated by representatives as required by its WSPs.

INDIVIDUALS:
A broker was fined $5,000 for causing his member firm to fail to preserve books and records. The findings stated that the broker and his assistant, who acted at his authorization, utilized unapproved email addresses to send and receive business related communications. The email addresses were not disclosed to the broker’s member firm, and the emails sent and received were not captured by the firm.

A broker was fined $7,500 and consented to the sanctions, and to the entry of findings, that in anticipation of leaving his member firm he improperly removed nonpublic personal customer information from the firm, without the firm or the customers’ knowledge or consent. The findings stated that the broker sent emails containing customers’ nonpublic personal information, including social security numbers, account numbers and account details from his firm email account to his personal email account. In addition, the broker downloaded customers’ nonpublic information from a firm computer to a portable hard drive and removed the information from the firm. As a result, the broker caused his firm to violate the SEC’s Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information.

A broker was fined $5,000 for causing his member firm to fail to retain and review emails concerning business-related matters among its books and records by using a personal email address to communicate with securities customers. The findings stated that the broker used the personal email account even though the firm’s written procedures required him to use its email system when sending or receiving business related emails. The broker also signed annual attestations stating that he was aware of, and abided by, the firm’s policies and procedures, including specifically its policies governing email communications. Furthermore, the broker used the personal email address to send correspondence to customers that required firm compliance review and pre-approval, and thereby circumvented its compliance procedures.

A broker was fined $10,000 because he omitted material information from an email communication to a customer regarding the status of funds held in escrow, in connection with the customer’s investment in a private placement of notes for which the broker’s member firm had been the placement agent. The findings stated that the broker told the representative of the customer that the investment had been in a film production escrow account since the beginning of the investment, because the film production company had not completed its financing or obtained the completion bond. The broker further stated that a tax credit lender was working with the film production company to obtain the funds from the escrow agent in order to pay the remaining principal of the notes as soon as possible. Though the broker had obtained information from a bank teller that the escrow account had been closed at the financial institution, he omitted that information from the email to the representative of the customer. The broker caused his email communication with the customer to be misleading by failing to disclose all the information regarding the escrow.

TAKEAWAY:
Regulators will continue to penalize firms and brokers for failing to review and retain electronic records. Firms need to capture, archive and supervise all written business communications. This includes retention of all electronic communication types such as email, text messages, instant messages, social media and collaboration content. This is a good time to review your WSPs to ensure policies properly address your firm’s business activities and comply with the provisions of the recordkeeping rule.

WSPs should provide for adequate electronic communication reviews, the methods and frequency of review, and documentation procedures. Outline whether employees are allowed to communicate via email through means other than their firm email address and third-party communication systems such as Bloomberg and Reuters. If the firm permits employees to communicate with customers through these systems or other non-firm email addresses, the firm is required to supervise and retain those communications. If the firm elects to prohibit its use altogether—preventing employees from accessing non-member email platforms for business purposes—then there is a need to require employees to certify that they are acting in accordance with such policies and procedures on an annual or more frequent basis. Where possible, firms should block access to unauthorized email platforms through their networks. Thus, an employee would be able to access the internet but not the email functionality. Members utilizing blocking functionality should periodically conduct tests to ensure that it is functioning as designed or intended. Firms should be able to demonstrate adherence to requirements during exams conducted by regulators.

Supervision is critical for retention and oversight of electronic communications. Firms need to demonstrate to regulators that they are supervising the activities of their representatives. It’s important to establish a reasonable supervisory system that flags, escalates, and enables actions to address potential fraud and violations. Firms should have a reasonable system to monitor for compliance with its social media policies, and reasonably monitor and preapprove the representatives business-related social media sites. There is no prescribed rule for when to review the messages, but it must be timely to find and escalate red flags.

Lastly, make sure to document your review process. Smarsh provides a means by which to electronically document the review and create an audit trail. If the email is spam, note the message as “not material,” or “junk message.” You want the email to evidence the review. It’s also a powerful tool to evidence your supervision process.

The most important takeaway here is ensure WSPs are properly enforced and followed by your firm. As you can see in the above enforcement cases, having a set of WSPs is not enough. Not following your firm’s policies and procedures is just as bad as not having any to begin with.

Share this post!

Marianna Shafir Esq.
Archiving and Compliance Blog

Our Blog explores the news, trends and best practices in electronic recordkeeping. It’s about managing and getting value from your electronic communications data. It’s about satisfying legal and regulatory obligations. It’s all about turning compliance liability into business insight.

Recent Posts

connected network featured img 600x320
How to Build a Strong Compliance and E-Discovery Program During COVID
Read more
concept journey arrows up right strong blue featured img
It’s Time to Turn Compliance into a Strategic Asset
Read more
compliance arrow supervision review featured img
Compliance and Technology: 4 Key Takeaways From a Supervision Survey of Industry Professionals
Read more

Ready to enable compliant productivity?

Join the 6,500+ customers using Smarsh to drive their business forward.

Get a Quote

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.

Contact Us

Tell us about yourself, and we’ll be in touch right away.

Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.