Regulatory Updates: Enforcement is Heating Up Across the Regulatory Landscape

Last month, the SEC and FINRA fined several firms for failure to establish reasonably designed supervision programs to ensure compliance with applicable securities laws and regulations. Individuals were also fined for failing to comply with securities laws and regulations pertaining to electronic communications. 

The SEC penalized a bank $3.7 million for failing to reasonably supervise traders who made false and misleading statements while negotiating bond prices. The investigation found the bank did not have compliance procedures in place designed to detect the misconduct that increased the firm’s profits on commercial mortgage-backed securities. The SEC specifically pointed to several communications made over Bloomberg messages and other electronic communication channels such as instant messaging. In the communications at issue, traders and salespeople misrepresented the bid and offer prices on one or both sides of the transaction, where the information was important to the customer’s buying decision. The bank failed to detect damaging communications, such as Trader B saying to Salesperson X, “this is just a lie, right?” Salesperson X replied, “well, I don’t care.” The bank’s communication surveillance did not sufficiently incorporate search terms unique to market securities fraud or misconduct risks.

FINRA fined a firm $20,000 because its supervisory system for email review was deficient. The firm’s Written Supervisory Procedures (WSPs) did not specify how the firm would conduct reviews of its securities-related emails. The findings stated that the firm’s written procedures said only that a compliance principal would review all emails it received and sent, and that reviews would occur no less than annually. The firm’s procedures failed to set forth a methodology to review emails, establish a percentage of emails to be reviewed, or set forth an escalation process for problematic emails. In addition, the firm failed to conduct any supervisory email reviews for eight of its registered representatives, and it failed to document the email reviews that it did conduct.

Another firm was fined $10,000 by FINRA for failing to retain and supervise emails. The findings stated that during an approximately four-year period, the firm failed to review approximately 25,000 emails captured by the firm’s third-party electronic storage media provider for five of the firm’s registered representatives. During the same period, the firm did not review or retain in the manner required by the Securities Exchange Act of 1934 Rule 17a-4 any of the emails for 11 representatives who were dually employed by the firm’s affiliated investment advisory firm. These representatives used an email address provided by the investment advisory firm to conduct business for the firm. FINRA found that the firm failed to test its system of supervisory controls, it failed to prepare an annual report detailing its system of supervisory controls, and it failed to prepare an annual certification of the firm’s compliance and supervisory processes for four consecutive years.

FINRA also fined a firm $65,000 for failing to maintain and enforce a supervisory system reasonably designed to ensure compliance with laws and regulations pertaining to electronic retail communications. The firm failed to maintain and enforce a supervisory system reasonably designed to ensure adequate due diligence was performed on private placement offerings recommended to customers. The findings also stated that the firm sent an email concerning one of the private placements to a list of investors compiled by a contracted marketing and advertising company. The email and a linked PowerPoint presentation contained misleading statements concerning the private offering, including representations about the company’s past performance and projected future performance, and did not contain any disclosures regarding the speculative, illiquid and risky nature of the investment opportunity.

Individuals

FINRA fined a broker $5,000 for using an unapproved personal email account to communicate with a customer of his member firm about securities-related matters. The findings stated that the firm did not have access to the broker’s personal email account and as a result was not able to preserve, maintain, and perform timely review of these communications, in accordance with its own procedures and supervisory obligations. The findings also stated that the broker sent emails to individuals containing inaccurate, exaggerated, unwarranted or promissory representations pertaining to a single security.

Another broker was fined $5,000 for sending unencrypted emails, which included attachments containing nonpublic personal information for firm customers, from his firm email address to his personal email address and to a third party. The findings stated that by transmitting nonpublic personal information to his personal email address and to a third party, the broker placed the customers’ information at risk and caused his firm to violate Regulation S-P of the Securities Exchange Act of 1934.

A broker was assessed a deferred fine of $7,500 for setting up online account access for four customers’ accounts held at outside institutions and providing her firm email address to be used as the customers’ email address for these accounts. In doing so, the broker falsely represented that her firm-provided email address was the email address for her customers. As a result, the institutions sent four emails intended for the broker’s customers to her firm-provided email account. The broker’s actions misled these outside institutions into believing that they were communicating with their customers and cut off a direct channel of communication that was supposed to exist between these firms and their customers.

Takeaway: Set forth a methodology to capture and review all electronic communications

It’s important to review the adequacy of your electronic communications policy and supervisory systems, especially as new rules and areas of priority are published. Electronic communications must be easily accessible, indexed, and stored on non-erasable and non-rewriteable media as required by Rule 17a-4(f). Engage an archiving vendor that is compliant with the regulatory rules and has the technical ability to capture instant messaging conversations including Bloomberg, Facebook, and Slack, as well as text messages. Firms must be able to capture conversations the instant they happen, so information can’t be deleted. It’s recommended to periodically test and audit your reviews of electronic communication channels to ensure that all are being captured in supervisory systems.

You want to track, manage, log, and audit all electronic communications. The policies and procedures must provide for adequate electronic communication reviews, the methods of review, the frequency, escalation process, and documentation procedures. Your reviewers should know how to detect and report potential violations. There is no prescribed formula for determining how many messages to review. However, enough messages should be reviewed for a firm to be able to defend it as a reasonable review sample. Most importantly, enforce the policies and document the reviews—simply having a set of policies is not enough.

Firms must also have compliance procedures in place designed to detect fraud and misconduct. The good news is there are compliance tools available to help firms enhance their supervisory systems. You can set up your archiving platform to detect risk with lexicons focused on misconduct, flagging terms focused on fraud, unethical sales practices or anti-money laundering and get instant notifications when a user is non-compliant. Supervisory systems related to electronic communications must be dynamic.

Incorporate search terms aligned with the types of business the firm engages in. Be mindful of jargon and acronyms used by employees and clients. A great way to create a dynamic keyword list is to use enforcement actions and the conversations quoted in them. As in the above bank enforcement case, “is just a lie,” “need to make money,” and “deserve to get paid” are all examples of language indicative of misconduct risk. The timely review of electronic communications is a first line of defense against improper conduct by employees. If the bank had sufficiently captured and monitored the Bloomberg messages and other electronic communication channels, it could have prevented the regulatory sanctions and reputational damage.

With increasing governance and regulatory oversight, the harsh penalties and punitive consequences for failing to comply with retention and supervision requirements outweigh the cost of implementing technology solutions.

Marianna Shafir Esq.