Recordkeeping & Supervision
Last month, FINRA fined a firm $50,000 for failing to ensure that a non-registered, affiliated individual involved in the management of the firm’s business was properly registered as a principal. The findings stated that the firm was required to review or retain all business-related emails sent from or received through the email accounts at the parent company, but failed to do so. Meanwhile, registered persons periodically used email accounts of its parent company to conduct firm business.
Another brokerage firm was fined $25,000 and required within 90 days of the issuance of the Letter of Acceptance, Waiver and Consent (“AWC”), or such additional period as agreed to by FINRA, to submit a written certification that the firm’s systems, policies and procedures are reasonably designed to achieve compliance with FINRA Rule 3110(b)(6)(C); and required to file with FINRA’s Advertising Regulation Department, for the period of six months from the effective date of the AWC, all new retail communications, as defined in FINRA Rule 2210(a)(5), concerning any variable annuity product, at least 10 business days prior to their first use. Without admitting to or denying wrongdoing, the firm consented to the sanctions and to the entry of findings that it failed to supervise the variable annuity recommendations and related retail communications of one of its registered representatives. The findings stated that the registered representative sent to prospective customers numerous retail communications concerning a variable annuity-based investment strategy that the registered representative had developed. These communications failed to comply with the content standards of FINRA’s advertising rules in multiple respects. Because the firm allowed the registered representative to self-supervise his variable annuity-related activities, the firm failed to identify or prevent these violative communications.
Additionally, a firm was fined $7,500 for maintaining inaccurate financial books and records, filing inaccurate Financial and Operational Combined Uniform Single (FOCUS™) reports, and failing to file timely notifications under Rule 17a-11 of the Securities Exchange Act of 1934 (Exchange Act). A lower fine was imposed after considering, among other things, the firm’s revenue and financial resources. The findings stated that these violations resulted from the firm’s incorrect classification of assets as “allowable,” the inaccurate treatment of liabilities and revenues under an inadequate expense-sharing agreement, and the firm’s failure to enforce its written supervisory procedures (WSPs). The findings also stated that the firm failed to maintain and review business-related emails that its financial and operations principal (FINOP) sent to and received from a third-party email account. Consequently, those emails were not maintained in a non-rewriteable, non-erasable format. The firm had no audit system in place to ensure that the emails were properly maintained, and it did not enforce its WSPs.
If your firm does not archive all business-related electronic communications, conduct risk-based reviews of those communications, and document the review process (or use an automated tool to document the review process), then your firm is at risk for fines.
SEC Rule 17a-4 requires broker-dealers to preserve electronic records in a non-rewriteable, non-erasable format, in an archive with the same properties. To comply with this rule, establish firm policies and procedures to capture, retain and supervise all emails, text messages, social media posts, and instant messages – and address communications on emerging platforms that have not been approved for business use, such as encrypted text messaging and chat applications. This also includes popular sites and tools such as Facebook, LinkedIn, Twitter, Bloomberg, and Slack. Because firms can’t rely on social networks for recordkeeping, they need to work with third-party vendors to ensure they are capturing communications made over these channels. And don’t forget to test the firm’s electronic communication channels: send known test messages over each channel and confirm they appear in the archive, unaltered and searchable, to verify that all content is being captured in compliance with the recordkeeping rules.
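As an added illustration (this is example code written for this page, not Smarsh’s product or anything from the original post), the following shows one way to check the two properties just described: that an archive is tamper-evident (a rewrite or erasure of a retained message can be detected) and that every business channel in use is actually reaching the archive. It hash-chains each captured record to its predecessor, so an in-place rewrite or an interior deletion breaks the chain; the trailing “head” digest must be recorded somewhere outside the archive, because a chain alone cannot detect truncation of the most recent records. All messages, addresses and channel names are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple

GENESIS = "0" * 64  # prev_digest of the very first record


@dataclass(frozen=True)
class Record:
    seq: int          # position in the archive; gaps reveal erasures
    channel: str      # "email", "sms", "slack", ...
    sender: str
    body: str
    prev_digest: str  # digest of the preceding record (the chain link)
    digest: str       # SHA-256 over all of the above


def _digest(seq: int, channel: str, sender: str, body: str, prev_digest: str) -> str:
    # Canonical JSON so identical fields always hash identically.
    payload = json.dumps([seq, channel, sender, body, prev_digest], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class HashChainedArchive:
    """Append-only store in which each record commits to the previous digest."""

    def __init__(self, records: Optional[List[Record]] = None):
        self._records: List[Record] = list(records or [])

    def append(self, channel: str, sender: str, body: str) -> Record:
        prev = self._records[-1].digest if self._records else GENESIS
        seq = len(self._records)
        rec = Record(seq, channel, sender, body, prev,
                     _digest(seq, channel, sender, body, prev))
        self._records.append(rec)
        return rec

    def records(self) -> List[Record]:
        return list(self._records)

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """(True, None) if intact, else (False, index of the first bad record).

        expected_head is the last digest as recorded outside the archive; without
        it, silently dropping the newest records would go unnoticed.
        """
        prev = GENESIS
        for idx, r in enumerate(self._records):
            if r.seq != idx or r.prev_digest != prev:
                return False, idx
            if _digest(r.seq, r.channel, r.sender, r.body, r.prev_digest) != r.digest:
                return False, idx
            prev = r.digest
        if expected_head is not None and prev != expected_head:
            return False, len(self._records)
        return True, None


def rewrite_body(archive: HashChainedArchive, seq: int, new_body: str) -> HashChainedArchive:
    """Simulate an in-place rewrite of one record (what WORM storage must prevent)."""
    recs = archive.records()
    recs[seq] = replace(recs[seq], body=new_body)
    return HashChainedArchive(recs)


def erase_record(archive: HashChainedArchive, seq: int) -> HashChainedArchive:
    """Simulate silently deleting one record."""
    recs = archive.records()
    del recs[seq]
    return HashChainedArchive(recs)


def uncaptured_channels(channels_in_use: Set[str], archive: HashChainedArchive) -> Set[str]:
    """Business channels the firm uses that never show up in the archive."""
    return channels_in_use - {r.channel for r in archive.records()}


def build_sample_archive() -> HashChainedArchive:
    # Constructed sample messages, not real firm data.
    a = HashChainedArchive()
    a.append("email", "rep@firm.example", "Sending the annuity proposal we discussed.")
    a.append("sms", "rep@firm.example", "Call me on my personal line about the trade.")
    a.append("slack", "finop@firm.example", "FOCUS filing figures attached.")
    return a
```

In practice the head digest would be escrowed with a third party or written to a separate append-only log at a fixed interval; checking `verify(expected_head=...)` against that escrowed value is what turns “the chain looks fine” into evidence that nothing was dropped off the end.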
FINRA Rule 3110 provides the Supervisory Framework for broker-dealers. The rule requires broker-dealers to have supervisory procedures in place that are “reasonably designed” to comply with applicable securities laws and regulations. The rule mandates that all broker-dealers establish and maintain supervisory procedures appropriate for the member’s business, size, structure and customers. Rule 3110(b)(6)(C) prohibits supervisory personnel from overseeing their own activities, and reporting to, or having their compensation or continued employment determined by, a person or persons that they are supervising.
Firms should review their supervisory designations to determine if they have any supervisors reviewing their own activities, or situations in which a supervisor’s compensation or employment situation is determined by someone he/she is responsible for supervising. If any such situations are identified, the firm will need to revise its supervisory designations to comply with the above regulations.
If your firm hopes to avoid unexpected regulatory fines, you must test, remediate, and enhance any suspected deficiencies related to recordkeeping and supervision. It’s crucial that you undertake all actions necessary before becoming the subject of a regulatory examination.
Changes In The Market
Mobile devices are no longer the future of business, they are its present. The last 30 years have seen mobile devices grow from a bulky, ostentatious luxury reserved exclusively for the wealthy to a ubiquitous tool carried daily by a majority of the population. At the same time, they’ve evolved from simple portable phones that don’t require a landline connection to multi-faceted computing devices capable of replicating almost all the functions of a telephone, home PC, high-definition video camera, and more in a pocket-sized form factor.
Driven by the explosion in popularity of mobile devices, organizations of all shapes and sizes have discovered the myriad benefits of allowing employees to utilize their own personal devices for work. Bring Your Own Device programs empower employees to work where, when, and how they choose, which enhances morale, increases productivity, and ultimately saves time and money. However, these policies also present unique compliance challenges. To reap the significant benefits offered by personal mobile devices, you must first assess how industry compliance requirements intersect with a BYOD program and outline the steps your organization will take to meet them.
A recent webinar featuring Smarsh Vice President of Mobility Strategy Brian Panicko and Smarsh Chief Evangelist Mike Pagani explores why BYOD is gaining popularity at such a rapid rate, and then provides a closer look at the components that make BYOD adoption viable and compliant. Finally, the webinar offers insights into how you can institute your own BYOD program, and the concerns that you must address before allowing employees to use their personal devices for work.
The first part of the webinar focuses on the reasons behind the surge in personal mobile devices used for work, namely potential productivity benefits and the shifting demographics of the professional world.
As mentioned previously, the ability to use personal devices for work offers employees freedom: the freedom to use a device of their choosing, the freedom to communicate in the fashion most comfortable to them, and the freedom to work when, how, and where they want. Not only does that save time and improve productivity — a recent Cisco study found that employees using their own devices saved an average of 81 minutes per week — it’s also an attractive selling point for any business hoping to attract members of the burgeoning millennial generation to its workforce. More than any prior generation, millennials have come of age in a portable, digital world that relies on wholly new communications channels, and they want to work for employers who recognize and leverage the benefits of these tools. If you’re an employer that does not allow the use of personal devices, many of your employees may seek out an employer that does.
While a wide swath of employers have been quick to recognize this, instituting a BYOD program is not as simple as just allowing employees to use their own devices for work, especially in regulated industries. Without a thoughtful BYOD plan in place, you can quickly run into compliance issues.
While nearly all organizations have compliance plans in place for email, more modern communications methods lag behind. The 2017 Smarsh Electronic Communications Compliance Survey Report found that while 98 percent of organizations surveyed had an archiving/supervision solution in place for email, that number drops to a mere 52 percent when it comes to text messages. If you look solely at work-related text messages sent through employee-owned personal devices, that compliance figure drops even further, to 32 percent — a sobering figure given that 90 percent of employees use their own mobile devices for work. Even worse, a worrying number of those organizations lacking a solution for supervising text messages were assuming they didn’t need to create a compliance solution because they could simply request the communications from mobile carriers or ask employees to pull conversations from a device’s archives. This is not a viable solution. Mobile carriers only maintain messages for a limited time, and device archives are unreliable at best with search functionality that is inconsistent (and grows more inconsistent as additional data is added to the device). Plus, putting the onus on employees to retain and retrieve their communications creates a conflict of interest where an employee may choose to suppress evidence of any fraud they might be involved in. Regardless of the communications platform you’re using, if your organization isn’t capturing and archiving communications, finding the data may not be possible.
The seemingly simple answer to closing this compliance gap is prohibiting personal devices, but that’s been repeatedly shown to be unsustainable. Whether you like it or not, your employees will use their mobile devices for business communications. If you prohibit mobile devices instead of making proper preparations for archival and supervision of mobile communications, you will be stuck playing the risk mitigation game when an employee inevitably goes against your wishes.
Financial Services Adoption
Text messaging is increasingly seen as the lowest common denominator when it comes to communications in the United States. Almost everyone uses it, and most people text often enough that it comes as second nature. Recognizing this, major financial institutions are beginning to adopt BYOD programs to appeal to both employees and clients. Not only do mobile devices allow employees to collaborate with colleagues and internal resources more efficiently, they also give them the ability to interact with clients faster, more easily, and in the communications medium clients find most familiar and comfortable — and that’s in addition to the key benefit of a properly deployed BYOD program: regulatory compliance that does not come at the cost of productivity.
Technology Stack Basics for BYOD
Two key technologies are at the heart of a successful BYOD program: Mobile Device Management (MDM) and Containerization. MDM refers to the ability to remotely manage a device, whether that means uploading or downloading data, changing settings, or even wiping its memory. Containerization, meanwhile, is deployed alongside MDM and creates a secure workspace that exists within a device but remains separate from all personal data. Essentially, in lieu of employees carrying two separate phones, containerization splits their personal device into sections, one identical to their personal phone, and another, work-focused section, where messages are archived and supervised. This container can even have its own unique phone number. How your organization utilizes MDM and containerization will vary depending on your goals and the regulatory requirements facing your industry.
Fortunately for Smarsh customers, alongside our archiving and supervision products for more traditional business communications, we also offer BYOD management solutions that work with every device and operating system available.
Key Considerations for BYOD Adoption
Thinking of embracing the benefits of BYOD in your organization? Finding the answers to the following questions will put you on the right track:
- What types of devices will be allowed, and will you need an MDM or Containerization solution?
- What apps and types of messaging will you allow your employees to use for business?
- What requirements need to be in place for employee–client communications?
- Will your security checklist require penetration testing of the devices, the container, and the MDM back end?
- How will you develop the organization’s BYOD use policy, train your employees on it, and enforce it when violations occur?
- Which archiving solution will meet your organization’s compliance needs for ingesting and monitoring all mobile/text communications data in addition to the rest of your electronic communications?
An excellent primer on why BYOD has grown so popular and the immense benefits it can provide, this webinar should be required viewing for anyone hoping to introduce a BYOD program to their organization. Regardless of industry or business size, it should give you the information necessary to ensure you’re walking the right path to BYOD deployment and compliance.
Watch the on-demand version of the Building The Compliant Mobile Ecosystem webinar here.
Understanding how to retain and manage content and how to extract insight and intelligence from that content is essential for successful organizations.
As follow up on the earlier post that described the collision of supervision and surveillance as ‘Superveillance,’ we want to dive deeper into key principles and attributes that firms should consider as they seek solutions that go beyond the boundaries of traditional supervisory and surveillance tools.
As a starting point, we’d like to suggest a common definition that would uniquely describe it as a solution to address today’s communication patterns and information risks. This definition must recognize that a variety of market disciplines are converging upon a holistic view of information risks (as discussed in a recent blog and report located here). These disciplines include:
- Technologies to manage employee communications (e.g. messaging, archiving, unified communications, etc.);
- Voice, video and other rich media-centric technologies (e.g. PBX and VOIP-enabled communications, voice recorders and transcription, etc.);
- AI, machine learning, behavioral and sentiment analysis technologies; and
- Products designed to manage structured data and transactional activity
Each of these areas of technology provides an important component for meeting broad regulatory mandates such as MiFID II, which requires that communications intended to lead to a transaction be captured and reconciled against the resulting trades. However, in order to address each of the elements discussed in the previous post, we’d like to offer the following definition of Superveillance:
Superveillance = Holistic insight into conduct across activities and communications channels, using a continuous feedback loop of pre-defined rules (Supervision) and identification of anomalous behavior (Surveillance).
Superveillance can be expressed visually as delivering capabilities that cover the spectrum – from the known, regulatory-driven supervisory requirements to the unknown and hidden risks that are uncovered through the use of advanced analytics. It encompasses the compliance fundamentals of policy management and storage, to the ability to use behavioral and sentiment analysis to uncover actions of high-risk brokers requiring heightened supervision. Very importantly, the outcomes in uncovering unknown risks should be fed back to build into new policies and rules for use in future supervisory tasks. Superveillance should also treat each content source natively, so the breadth of email, social media, unified communications and other sources can be normalized and delivered to external systems for trade reconciliation.
Defining the Ideal Superveillance Solution Attributes
Given the number of specialized technology domains touched by superveillance, don’t expect a ‘one-size-fits-all’ solution. Many firms have already invested in specific components, and are more concerned about how new technologies will interoperate or feed those existing solutions. Superveillance should be a critical element of the risk management fabric within an organization and, accordingly, firms should be prioritizing the following attributes when evaluating solutions or writing RFPs:
- Openness and extensibility: Superveillance requires the ability to deliver content downstream, and to return insights back upstream to further inform policies. Doing so requires fully accessible APIs, connectors, and SDKs to address custom content sources. The benefits of leveraging cloud technologies are greatly diminished by technology that cannot communicate or collaborate with other vital systems.
- Ability to preserve all content sources: firms today are using a multitude of communications sources, each of which must be captured and preserved to meet regulatory mandates. Modern superveillance solutions will handle each of those sources natively, with conversations preserved in their original form for more efficient review and analysis – unlike legacy supervisory tools that convert non-email sources into an email format and lose threading, attachments and edit history in the process.
- Coverage for the Compliance Fundamentals: Solutions touching superveillance processes must be purpose-built for compliance and ensure that content is captured with the appropriate chain-of-custody, immutable storage, and policy management capabilities required by any SEC, FINRA, or MiFID II regulated firm. Superveillance should be thought of as extending the boundaries of traditional supervisory review – it does not replace or diminish the importance of managing the day-to-day tasks more efficiently or effectively.
- Scale and performance: Given the large volume of transactions requiring reconciliation, as well as the overwhelming volume of communications data in general, superveillance solutions must be designed for enterprise scale, and must not restrict the use of analytics to defined subsets of data that apply only to registered representatives. Today’s information risks can reside anywhere, and the ability to broaden the supervisory lens to cover all corners and edges of the risk perimeter is paramount.
- Security and Privacy by Design: clearly, superveillance solutions will touch some of the most sensitive and important assets governed by a firm. Any solution designed for use in today’s world of increasingly complex security threats and evolving data privacy mandates must provide audited protocols, third-party attestations, and the accompanying in-house expertise to reveal and respond to any risk that is exposed in its everyday use. As we see across the industry, compliance must work in harmony with other functions to create a more effective response to today’s information risks.
Where to Go from Here
Given the significant differences between traditional supervisory and surveillance tools, a good place to start is to check your vocabulary and definitions to make sure you are speaking the same language as your vendor. Once the proper nomenclature is established, firms should explore whether those traditional capabilities are equipped to address their current communications patterns and today’s information risks – or whether defining the requirements for a Superveillance solution is the better path toward a holistic approach to achieving insights across activities and communications networks.
Contributors to this post include: Robert Cruz, Gregory Breeze and Shaun Hurst
Mobile Phone Communications at Center of Conspiracy
A judge has issued confiscation orders totaling £1.69m against two recently-convicted insider dealers. These confiscation orders follow an FCA prosecution in which a former investment banker and a chartered accountant were convicted in the largest ever FCA insider dealing investigation. Investment banker Martyn Dodgson and chartered accountant Andrew Hind received sentences of 4.5 years and 3.5 years, respectively.
To prove the conspiracy, the FCA worked alongside the National Crime Agency and relied on evidence of insider dealing in relation to five specific stocks. The conspiracy operated between 1 November 2006 and 23 March 2010. During that time, Mr. Dodgson held senior positions at Morgan Stanley, Lehman Brothers and Deutsche Bank. He used those positions to source insider information, which he passed on to his close friend, Mr. Hind, who in turn placed trades for the benefit of both defendants.
The FCA investigation uncovered elaborate strategies used by the defendants to cover up their activities, including the use of unregistered mobile phones, safety deposit boxes, and encoded and encrypted records.
The FCA levied £229.4 million ($307 million) in penalties last year, a dramatic increase over the £22.2 million levied by the Authority in 2016. This year, the FCA has already fined a brokerage firm over one million pounds for weak surveillance procedures. This stands as one of the largest fines ever levied against a retail broker for poor surveillance.
This should serve as a reminder to review your policies and procedures to ensure you are compliant with current recordkeeping and supervision rules. MiFID II requires that firms have systems and processes in place to capture, retain and reproduce complete records of all services, activities and transactions. This includes all telephone calls on fixed and mobile, and all forms of electronic communications — text messaging, email, social media, instant messaging, and so on. MiFID II rules apply to relevant communications from any personal or business device.
Records must be retained for five years, and for up to seven years when requested by the competent authority, and recorded telephone conversations and electronic communications must be made available to the clients involved on request. Records must be maintained in a durable medium, for example Write-Once-Read-Many (WORM) storage, that cannot be altered or deleted, and they must remain searchable and readily available upon request.
Organizations must be able to provide evidence of their ability to detect behaviors that may be relevant to market abuse across all recordings, and this evidence must be readily available for regulatory investigation. The Archiving Platform from Smarsh features recordkeeping and surveillance capabilities that allow firms to meet the MiFID II requirements. These supervisory capabilities allow users to flag activities that may be criminal or prohibited. For example, if a client sends a text to one of your firm’s employees that reads “this is nonpublic” or “material, nonpublic information,” a lexicon policy can automatically flag the message for review, indicating a potential insider information policy violation. Lexicon policies can also help test and verify that your firm’s supervisory procedures are reasonably designed to achieve compliance with applicable regulations. Monitoring electronic communications can be incredibly effective at finding early indicators of wrongdoing or sharing of non-public information. Firms must demonstrate effective oversight and control over the policies and procedures that govern their communications.
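To make the lexicon flagging just described, and the Superveillance feedback loop from the earlier post (pre-defined rules plus detection of anomalous behavior, with what surveillance uncovers fed back into new rules), concrete, here is an added example written for this page. It is not code from Smarsh’s Archiving Platform or from the original posts. The lexicon patterns, the z-score-with-floor anomaly rule, the `with_rule` feedback helper and all of the sample traffic are this example’s own constructions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Pattern, Tuple


@dataclass(frozen=True)
class Message:
    day: int
    channel: str
    sender: str
    recipient: str
    text: str


@dataclass(frozen=True)
class Alert:
    day: int
    sender: str
    reason: str   # "lexicon:<policy>" or "anomaly:<kind>"
    detail: str


# Supervision: the known, regulator-driven side. Policy name -> pattern.
LEXICON: Dict[str, Pattern[str]] = {
    "insider-information": re.compile(r"\b(?:material,?\s+)?non-?public\b|\bmnpi\b", re.I),
    "off-channel": re.compile(r"\bpersonal (?:cell|phone|email)\b|\bwhatsapp\b", re.I),
    "guarantee": re.compile(r"\bguarantee[ds]?\b", re.I),
}


def lexicon_hits(msg: Message, lexicon: Dict[str, Pattern[str]] = LEXICON) -> List[str]:
    return [policy for policy, pat in lexicon.items() if pat.search(msg.text)]


def volume_anomalies(messages: List[Message], zscore: float = 2.0,
                     min_count: int = 5) -> Dict[str, List[Tuple[int, int]]]:
    """Surveillance: days on which a sender's message volume is an outlier.

    A z-score alone is noisy on tiny counts (one extra text in a week of
    one-a-day looks like an outlier), so an absolute floor is applied as well.
    """
    days = sorted({m.day for m in messages})
    per_sender: Dict[str, Counter] = defaultdict(Counter)
    for m in messages:
        per_sender[m.sender][m.day] += 1
    out: Dict[str, List[Tuple[int, int]]] = {}
    for sender, by_day in per_sender.items():
        counts = [by_day[d] for d in days]
        mu, sd = mean(counts), pstdev(counts)
        if sd == 0:
            continue
        spikes = [(d, c) for d, c in zip(days, counts)
                  if c >= min_count and (c - mu) / sd > zscore]
        if spikes:
            out[sender] = spikes
    return out


def review(messages: List[Message], lexicon: Dict[str, Pattern[str]] = LEXICON) -> List[Alert]:
    """Combine rule hits (supervision) with volume outliers (surveillance)."""
    alerts: List[Alert] = []
    for m in messages:
        for policy in lexicon_hits(m, lexicon):
            alerts.append(Alert(m.day, m.sender, f"lexicon:{policy}", m.text))
    for sender, spikes in volume_anomalies(messages).items():
        for day, count in spikes:
            alerts.append(Alert(day, sender, "anomaly:volume-spike",
                                f"{count} messages on day {day}"))
    return alerts


def with_rule(lexicon: Dict[str, Pattern[str]], name: str, pattern: str) -> Dict[str, Pattern[str]]:
    """Feedback loop: what a reviewer learned from an anomaly becomes a standing rule."""
    return {**lexicon, name: re.compile(pattern, re.I)}


def build_sample_messages() -> List[Message]:
    # Constructed sample traffic over six days, not real firm data.
    msgs: List[Message] = []
    for day in range(1, 7):
        for i in range(2):
            msgs.append(Message(day, "email", "rep1@firm.example",
                                "client@acme.example", f"Portfolio update {day}-{i}"))
        msgs.append(Message(day, "sms", "rep2@firm.example",
                            "client@beta.example", "Quarterly review next week?"))
    # Day 6: rep1 bursts ten extra texts to an unknown counterparty.
    for i in range(10):
        msgs.append(Message(6, "sms", "rep1@firm.example",
                            "friend@personal.example", f"Did you get the fill? {i}"))
    msgs.append(Message(3, "sms", "client@acme.example", "rep1@firm.example",
                        "FYI this is material, nonpublic information about the merger."))
    msgs.append(Message(5, "email", "rep2@firm.example", "client@beta.example",
                        "Text my personal cell instead of this email."))
    return msgs
```

Running `review(build_sample_messages())` produces three alerts: the two lexicon hits the rules already knew about, and a volume spike for rep1 on day 6 that no lexicon would have caught. Once a reviewer reads those ten texts and decides that chatter about “fills” to outside addresses is worth a standing policy, `with_rule(LEXICON, "execution-leak", r"\bfill\b")` closes the loop and the same traffic is flagged by rule on the next pass.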
Training and ongoing education are critical for effective oversight. Provide focused training on specific topics to inform reviewers of prohibited practices. Your reviewers should know how to detect and report potential violations. With the new MiFID II rules in effect, there are real and significant consequences for firms and individuals found out of compliance with global regulations.
Congrats to FINRA on yet another tremendous Annual Conference! As always, it was a terrific opportunity to catch up with clients, prospects and colleagues from around the industry. This year’s conference marked a major milestone for us, our first as a joined team of Smarsh + Actiance. We were thrilled to hear extremely positive feedback and excitement over the breadth of capabilities we will bring to market.
The energy level at our booth, suite, and receptions was high throughout the entire conference, with several key themes dominating our discussions.
- Text messaging: Beginning with our full-house executive briefing on Monday, we spoke with many firms seeking solutions to address the use of text messaging by registered representatives in response to FINRA’s guidance on the use of social media in April 2017. Unsurprisingly, many firms continue to update their mobility strategies and BYOD policies and are beginning to shift their focus toward technological solutions that can facilitate and enforce those changes.
- Archiving replacement: Many firms we spoke with are actively investigating solutions to help migrate data from legacy on-premises and first-generation cloud archiving tools to solutions designed to address today’s messaging, social, and collaborative applications. The discussions here focused on a common set of issues: approaches to create more predictability in migration project costs, identifying defensible methods to delete unneeded data prior to moving to a new archive, and strategies to overcome the difficulties created by cloud archiving vendors who de-prioritize migration projects and attempt to extract exorbitant fees from their customers to export their data.
- High risk activities: Following the issuance of FINRA’s recent guidance on Heightened Supervision and discussed here, many conversations focused on how Smarsh + Actiance can aid compliance when working with high risk brokers and activities designed to avoid supervisory controls. It appears that many firms are exploring how they can move beyond simple random sampling and basic lexicon-based supervision in the direction of more sophisticated approaches toward content surveillance.
- GDPR and Data Privacy: What happens when you hold your annual conference on the eve of the launch of a major piece of data privacy regulation? TONS of questions and discussion! How do we protect EU citizen data? Can we meet the 72-hour breach notification requirement? How does GDPR potentially conflict with regulatory retention requirements? We believe that the elevation of data privacy is terrific news for our industry (as we’ve extensively discussed), as it will create further differentiation between technology vendors, separating those that have been constructed with data privacy “by Design and by Default” from those that weren’t.
Conference keynotes and break-out sessions also produced interesting perspectives from across the industry, including more cryptocurrency, blockchain, and cybersecurity discussions than one could consume. Additional topics of interest included:
- Examples of how firms are attempting to apply artificial intelligence to big data problems. These include detection of money laundering activities, using natural language processing to search 1 billion messages consisting of more than 1 trillion words, and using contextual search methods to identify communications related to over 1 million trades in an average day. Clearly, large financial services firms are big data businesses, and innovative use of AI in this market will continue to lead the way for other industries.
- In a session on social media, a survey of attendees revealed that 55% of respondents continue to prohibit the use of social media beyond publishing static profiles and using pre-approved content. This was a surprisingly large percentage which suggests that firms have not yet identified meaningful solutions to address the perceived risks of broader social media adoption.
- In the same social media session, FINRA signaled that firms would soon see new guidance covering messaging apps to address the growing use of tools such as SnapChat, WeChat, and WhatsApp.
Clearly, the financial services industry is living in very dynamic times with new forms of client communications encountering new threats, new regulations, and emerging analytically-driven technologies that are attempting to help mitigate the risks. This year’s FINRA Conference provided an excellent forum to bring together the practitioners, regulators, and vendors to engage on these important topics. The team at Smarsh + Actiance is excited to be a part of the discussion.