Regulatory Update: Lax Email Supervision Costs Brokerage $95,000

FINRA is increasing disciplinary actions against firms and individuals for failing to comply with recordkeeping and supervision rules, and this month it reported enforcement actions on those grounds.

A brokerage firm was fined $95,000 for failing to establish a reasonably designed supervisory system to ensure that business-related emails were being reviewed and retained by the firm. The firm is required to submit to FINRA a written plan of how it will undertake a comprehensive review of the adequacy of relevant policies, procedures, and supervisory systems. At the conclusion of the firm’s comprehensive review, it shall certify in writing to FINRA that it has adopted and implemented policies, procedures, and systems reasonably designed to ensure compliance with federal securities laws and FINRA rules.

Individuals penalized

A broker was assessed a deferred fine of $2,500 and suspended from association with any FINRA member in all capacities for 45 days. Without admitting or denying the findings, the broker consented to the sanctions and to the entry of findings that he exchanged emails discussing securities business with customers using his personal email address, which was not approved by the member firm. The findings stated that the firm’s Written Supervisory Policies (WSPs) prohibited the use of unapproved email addresses to communicate with customers, and the broker attested to his understanding of that policy on annual attestation forms. The broker did not forward his emails from his personal email address to the firm for review and retention. As a result, the broker caused the firm to fail to comply with its recordkeeping obligations.

Another broker was assessed a deferred fine of $5,000 and suspended from association with any FINRA member in all capacities for 20 business days. Findings indicated that the broker caused the firm to make and preserve inaccurate books and records that falsely stated that the order tickets were unsolicited and nondiscretionary. The broker consented to the sanctions and acknowledged that in order to generate funds for a requested wire transfer, she sold securities from the account of a customer of her member firm without obtaining verbal or written authorization from the imposter purporting to be the customer. The findings also stated that unbeknownst to the broker, an email requesting a $33,000 wire transfer to a third-party contractor for home improvements was not from the customer, but rather from an imposter who had obtained unauthorized access to the customer’s email account. The broker was sent a reply email stating that she would need to sell securities in the account to raise the requested funds. The broker then executed unauthorized sell transactions in the customer’s account and also mismarked the order tickets for these transactions as unsolicited and failed to mark them as discretionary. These transactions were neither unsolicited nor nondiscretionary because the broker selected the positions to sell in the customer’s account. The findings also stated that the broker entered the wire request into the firm’s system, and falsely attested in its systems that she received the customer’s wire instructions verbally, even though she actually received the instructions via email. The firm approved the wire request based on the broker’s false attestation. After receiving an email from the customer questioning the activity in the account, the broker discovered that an imposter sent the wire request and informed the firm. The firm recalled the wire and returned the funds to the customer’s account.

Takeaway

Firms cannot assume advisors aren’t using their personal emails to communicate with clients. Since firms can’t rely on social networks for recordkeeping, they need to work with third-party vendors. Smarsh Supervision tools and Policy Libraries allow organizations to automatically flag emails that contain certain words or phrases likely to warrant review. These keywords and key phrases can be customized, which allows the firm to control which words or phrases are flagged and to adjust them as the business changes or new risks emerge. You can create keywords and key phrases to flag the risk of advisors using unauthorized communication channels. Examples include “send to my personal email,” “respond to my gmail,” “text me,” and “let’s take this offline.” These common phrases indicate a risk that unauthorized communication channels are being used.
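A minimal sketch of this kind of phrase flagging, added here as an illustration and not Smarsh's product code or API: it matches the example phrases above after normalizing case, typographic apostrophes and whitespace, and uses word boundaries to avoid false hits. The message fields and the sample messages are constructed for the example.

```python
import re
import unicodedata

# Phrases quoted in the article as indicators of unapproved channels.
LEXICON = [
    "send to my personal email",
    "respond to my gmail",
    "text me",
    "let's take this offline",
]

def normalize(text):
    """Fold case, typographic apostrophes and runs of whitespace so that
    formatting differences between mail clients do not defeat matching."""
    text = unicodedata.normalize("NFKC", text)  # e.g. non-breaking space -> space
    text = text.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", text).casefold()

def compile_lexicon(phrases):
    # Word boundaries keep "text me" from matching inside "context menu".
    return [(p, re.compile(r"(?<!\w)" + re.escape(normalize(p)) + r"(?!\w)"))
            for p in phrases]

def flag_messages(messages, patterns):
    """Return (message id, sender, matched phrases) for messages to review."""
    flagged = []
    for msg in messages:
        text = normalize(msg["subject"] + "\n" + msg["body"])
        hits = [phrase for phrase, rx in patterns if rx.search(text)]
        if hits:
            flagged.append((msg["id"], msg["from"], hits))
    return flagged

# Constructed sample messages (hypothetical field names, not a real export format).
SAMPLE = [
    {"id": 1, "from": "advisor@firm.example", "subject": "Portfolio review",
     "body": "Happy to discuss. Let\u2019s  take this\noffline, just TEXT ME."},
    {"id": 2, "from": "ops@firm.example", "subject": "UI bug",
     "body": "The context menu is missing the export option."},
    {"id": 3, "from": "advisor@firm.example", "subject": "Statements",
     "body": "Please respond to my Gmail, the work inbox is full."},
]

if __name__ == "__main__":
    for mid, sender, hits in flag_messages(SAMPLE, compile_lexicon(LEXICON)):
        print(mid, sender, hits)
```

Flagged messages still need a human reviewer; a lexicon like this only narrows what gets queued for review.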

Review the adequacy of your electronic communications policy and supervisory systems. At a minimum, your WSPs should identify the reviewers and describe the process reviewers need to follow to conduct each review, the timing and frequency of the review, and how reviewers will deliver evidence that the required supervisory steps were taken (which would include provisions for escalation of regulatory issues to the designated supervisor or other appropriate department). Reviewers may not conduct supervisory reviews of their own electronic communications. WSPs should be updated not only to reflect changes to regulations, but also when changes are made to the supervisory process. Ensure the policies are properly enforced and followed by the designated reviewers. There is no prescribed formula for determining how many messages to review, but enough should be reviewed that you’re able to reasonably defend your efforts. Make sure all employees are trained and well aware of all policy guidelines and permitted communication channels. And most importantly, enforce the WSPs for the review of electronic communication.

These steps will advance your compliance program and supervisory systems and protect your business.

Marianna Shafir Esq.
