Firms and Brokers Penalized for Failing to Comply with Recordkeeping and Supervision Obligations
This year, the regulators continue to penalize firms and individuals for failing to comply with supervisory and retention obligations. Failure to meet FINRA and SEC retention requirements results in serious consequences for firms and brokers, including fines and other disciplinary actions.
No reasonable supervisory system
FINRA fined a firm $15,000 and required it to demonstrate that it has completed a risk-based retrospective review of electronic communications sent or received by its associated personnel. The review must be reasonably designed to achieve compliance with FINRA Rule 3110(b)(4), and the firm must also show that it has completed an inspection of each of its offices to achieve compliance with FINRA Rule 3110(c).
A lower fine was imposed after considering, among other things, the firm’s revenue and financial resources. The findings stated that the firm failed to establish, maintain and enforce a reasonable supervisory system, including written supervisory procedures (WSPs), concerning the review of electronic communications. The firm’s WSPs did not provide guidance as to the quantity of emails that would be reviewed, irrespective of how they were selected, or set forth other risk-based procedures that it would utilize to conduct the review.
Moreover, notwithstanding that its WSPs referenced the potential use of keywords or phrases, the firm did not attempt to develop such a list until late in the email violation period. The firm’s principal responsible for email review admitted that he did not conduct regular, documented reviews of electronic communications.
The findings also concluded that the firm failed to conduct inspections of any of its offices, and its WSPs lacked the required office inspection schedule and explanation for the frequency of such inspections. The firm also failed to meet its obligations to evaluate and document various aspects of the outside business activity of one of its registered representatives.
False compliance questionnaires
A broker was fined $25,000 and suspended from association with any FINRA member, in all capacities, for one year. The broker exercised discretion in a customer’s account without written authorization or acceptance of the account as a discretionary account by his previous member firm. The findings stated that in connection with this violation, the broker completed false annual compliance questionnaires wherein he denied having any accounts in which business was transacted on a discretionary basis.
The findings also stated that the broker engaged in unauthorized trading. After the broker left the previous firm and became associated with a new firm, the broker engaged in unauthorized trading again. FINRA also found that prior to accepting an offer of employment from the new firm, the broker sent nonpublic personal information regarding his customers at his previous firm to his personal email account, in violation of the firm’s policy and without the knowledge or consent of it or any customer. The nonpublic personal information consisted of client account numbers, among other information.
Upon becoming associated with his new firm, the broker forwarded the information to his email account at the new firm without the knowledge or consent of the firm or any customer. Significantly, the broker should have been aware of the impropriety of sending the information to his account at the new firm because the firm’s terms of transition specifically prohibited taking account numbers from a prior employer. Consequently, the broker caused his previous firm to violate its obligations under Regulation S-P.
Personal email account
A broker was fined $15,000 and suspended from association with any FINRA member in all capacities for three months. The broker caused his previous firm to violate the SEC’s Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information. When the broker departed the previous firm to join the new firm, he failed to return hard copies of the previous firm’s completed new customer forms and kept them for use at the new firm.
The new customer forms kept by the broker contained nonpublic personal information, including customer social security numbers, dates of birth, driver’s license numbers, and other personally identifiable financial information. The broker subsequently instructed his sales assistant to use the customers’ nonpublic information from the new customer forms to populate change of broker/dealer requests to transfer the customer accounts to the new firm.
The broker used his personal email account and instructed his assistant to use a separate personal email account maintained by the broker to transmit already completed change of broker/dealer forms containing the nonpublic information to his customers. Neither personal email account was encrypted to protect the nonpublic information sent and received in those accounts. The change of broker/dealer forms containing the nonpublic information were then transmitted to the new firm.
At least one customer who did not wish to have her account moved to the new firm complained after discovering a change of broker/dealer form had been filed on her behalf without her knowledge or consent.
The findings also stated that after joining the new firm, the broker prevented the firm from preserving his emails as required and caused it to fail to comply with its recordkeeping obligations by using unauthorized personal email accounts to communicate with customers concerning business-related matters.
During an investigation of the matter, FINRA requested that the broker produce copies of the emails so that it could determine whether any additional violations had occurred, but the email account that was maintained by a third party was no longer accessible and had not been preserved. Accordingly, the broker’s use of personal email accounts is aggravated by the fact the emails have now been permanently lost.
Outside business activity
A broker was suspended from association with any FINRA member in all capacities for seven months. Considering the broker’s financial status, no monetary sanction has been imposed. The broker participated in an outside business activity without providing prior written notice to his member firm.
The findings stated that a company offering subscription-based stock and cryptocurrency research and recommendations enlisted the broker to design an automated system that would direct emails to its existing subscribers nearing expiration, as well as to the founder’s followers on LinkedIn. The company paid the broker a salary and bonuses for his employment. The findings also stated that the broker provided untimely responses to FINRA’s requests for documents and information.
Private securities transaction
A broker was fined $5,000 for participating in a private securities transaction without providing prior written notice to his member firm. The findings stated that one of the broker’s customers invested a total of $50,000 in a private placement offering. The broker participated by introducing the transaction to the customer, summarizing the reasons he liked the investment, meeting with the customer to review and sign the paperwork, and causing the paperwork to be submitted.
The broker did not receive compensation for his participation in the transaction. The broker attempted to conceal his role in the transaction by suggesting to the customer that they communicate about the transaction via the broker’s personal email address in the future. After the customer complained to it, the firm entered into a settlement to resolve the complaint. FINRA began an investigation into this matter after receiving a Form U5 amendment submitted by the firm.
Firms need to establish, maintain, and enforce a reasonable supervisory system. You’ll want to track, manage, log and audit all electronic communications. Review the adequacy of your electronic communications policy and supervisory systems.
At a minimum, your written supervisory procedures (WSPs) should identify the reviewers and describe the process the reviewers will follow to conduct each review, the timing and frequency of the review, and how the reviewers will evidence that the required supervisory steps were taken. This includes a provision for escalating regulatory issues to the designated supervisor or other appropriate department. Your reviewers should know how to detect and report potential violations. However, reviewers may not conduct supervisory reviews of their own electronic communications.
Conduct inspections of all branch offices and include in the WSPs the office inspection schedule and explanation for the frequency of such inspections. WSPs should not be updated only to reflect changes to regulations, but also when changes are made to the supervisory process. Ensure the policies are properly enforced and followed by the designated reviewers.
Random and Lexicon Reviews
FINRA Notice 07-59 recommends that firms adopt a combination of random and lexicon reviews of electronic correspondence. If your WSPs state the firm is using lexicons, make sure the firm has developed a meaningful list and implement the list into your electronic communication review process.
A lexicon-based system should consider a significant list of phrases and/or words (including industry jargon) based on the size of the firm, its type of business, its customer base and its location (including any branch offices that may require the inclusion of certain foreign language components). The lexicon system should be comprehensive enough to yield a meaningful sample of flagged communications.
The system should have the ability to add and delete phrases and words on an ongoing basis, review attachments, and restrict access to the phrases and/or words that make up the lexicon system. It must be able to conduct searches that exclude any disclaimers used by the firm, as these disclaimers often contain sensitive words such as "guarantee" (e.g., "firm does not guarantee"), which would flag every such email.
Firms’ lexicon policies need to be reasonably designed in light of the compliance risks of the firm. It’s important to make sure that lexicons are flagging high-risk communications. You can create keywords and key phrases to flag the risk of brokers using unauthorized communication channels, fraud, promissory statements, or failure to follow privacy policies. Red flag examples include: “respond to my Gmail,” “text me,” and “let’s take this offline.”
You can also set up lexicons to find promissory statements such as “100% guarantee,” “guaranteed to be profitable,” “no downside risk.” Use examples from enforcement cases to create lexicons to target your search and enhance your supervision process.
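The following is an added example, not code from the original post or from any archiving vendor. It implements the review process described above in Python: a lexicon built from the red-flag phrases listed in the post, a constructed firm disclaimer that is excluded before matching (otherwise its "guarantee" would flag every email), and a random sample combined with the lexicon hits to form the review queue. The category names, the disclaimer text and the sample messages are all constructed for the example.

```python
import random
import re

# Constructed lexicon, grouped by the risk each phrase is meant to surface
# (the red-flag phrases are those the post lists; the grouping is assumed).
LEXICON = {
    "unauthorized_channel": ["respond to my gmail", "text me", "let's take this offline"],
    "promissory": ["100% guarantee", "guaranteed to be profitable", "no downside risk", "guarantee"],
}

# Constructed firm disclaimer: it contains "guarantee", so matching without
# excluding it would flag every outbound email.
FIRM_DISCLAIMER = "This firm does not guarantee the accuracy of any information herein."


def lexicon_hits(body, lexicon=LEXICON, disclaimer=FIRM_DISCLAIMER):
    """Return {category: [matched phrases]} for one message body.

    The firm disclaimer is removed before matching; whole-word matching keeps
    "guarantee" from firing on "guaranteed" (which has its own phrase).
    """
    text = body.replace(disclaimer, "").lower()
    hits = {}
    for category, phrases in lexicon.items():
        matched = [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]
        if matched:
            hits[category] = matched
    return hits


def review_queue(messages, sample_rate=0.04, seed=None):
    """Build the supervisory review queue: every lexicon hit plus a random sample.

    sample_rate is the fraction the WSPs require (e.g. 0.04 for 4% per period);
    at least one message is always sampled so a small period is never skipped.
    """
    rng = random.Random(seed)
    n_random = min(len(messages), max(1, round(len(messages) * sample_rate)))
    random_ids = set(rng.sample(range(len(messages)), n_random))
    queue = []
    for i, msg in enumerate(messages):
        hits = lexicon_hits(msg["body"])
        reasons = ["lexicon:" + c for c in hits] + (["random"] if i in random_ids else [])
        if reasons:
            queue.append({"id": msg["id"], "reasons": reasons, "hits": hits})
    return queue


# Constructed sample mailbox for one review period.
SAMPLE_MESSAGES = [
    {"id": "m1", "body": "Hi Pat, the fund is up this year. " + FIRM_DISCLAIMER},
    {"id": "m2", "body": "Respond to my Gmail about the placement. " + FIRM_DISCLAIMER},
    {"id": "m3", "body": "This note is guaranteed to be profitable, no downside risk."},
    {"id": "m4", "body": "Quarterly statement attached. " + FIRM_DISCLAIMER},
]
```

Each queue entry records why it was selected, which is the documentation a reviewer needs to evidence that the WSP steps were actually taken.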
Review your WSPs
There is no prescribed formula for determining how many messages to review. Policies and procedures are not required to specify exact percentages or quantities to review. The most important takeaway here is to review as many messages as are required in the firm’s WSPs. If the policies and procedures call for a review of 4% of all emails each month, reviewing only 2% every quarter is missing the mark. However, enough messages should be reviewed for a firm to be able to defend it as a reasonable review sample.
This is a good time to review your WSPs. Make sure all employees are trained and well aware of all policy guidelines and permitted communication channels. Most importantly, enforce the policies and document the reviews—simply having a set of policies is not enough.
All these steps will strengthen your compliance program and supervisory systems and protect your business. Advances in archiving technology and solutions make this straightforward, so firms and brokers can stay in compliance.