It’s a new year, and there’s no sign that regulators will be slowing down their review and enforcement actions. Now more than ever, regulators are penalizing firms for non-compliance of retention and supervision obligations. “Firms have a clear obligation to reasonably supervise electronic communications, which includes periodically re-evaluating the effectiveness of existing procedures” said Susan Schroeder, FINRA’s Department of Enforcement Executive Vice President. This recent statement is a clear indication that retention and supervision of electronic communications continues to be a top priority for 2018.

Last month, FINRA fined a Broker-Dealer $2 million for failing to properly supervise email messages. FINRA found that during a nine-year review period, the firm’s email review system was significantly flawed, allowing millions of emails to evade meaningful review. This created the unacceptable risk that certain misconduct by firm personnel could go undetected. The firm did not choose words or phrases that would identify potentially problematic conduct in light of the nature of the firm’s business, or implement enough resources to review emails flagged by the system even as the number of emails increased over time. FINRA also found that the firm did not “periodically test the configuration and effectiveness of its lexicon-based email surveillance system.” The focus on reducing the number of “false positives” that would need to be reviewed prevented the firm from ensuring that the system was effectively identifying all potentially problematic categories of emails. The firm also did not identify prior disciplinary action taken against firm employees and failed to maintain adequate personnel records.

FINRA also fined a firm $175,000 for failing to maintain brokerage records in a non-erasable and non-rewriteable format, known as “Write-Once, Read-Many” (WORM) format. The findings also stated that the firm failed to implement an audit system regarding retaining and preserving electronic records, and failed to establish, maintain and enforce Written Supervisory Procedures (WSPs) reasonably designed to achieve compliance with Rule 17a-4 of the Securities Exchange Act of 1934. The firm’s WSPs failed to specify how the firm would supervise its compliance with Rule 17a-4(f).

Individuals Penalized for Recordkeeping and Supervision Violations

A broker was fined $10,000 and suspended for not reporting his private securities transactions and for using a Twitter account to send tweets about his securities business without receiving approval. The firm prohibited using Twitter accounts without approval. In addition, the broker did not provide copies of those Tweets to the firm so that it could retain them.

A broker was fined $5,000 and suspended for routinely using multiple personal email accounts to engage in firm-related business without the firm’s approval, which violated the firm’s procedures. The findings stated that the broker continued to use personal email accounts for firm-related business even after the firm instructed him not to do so. The firm did not retain the broker’s firm-related business emails sent from his personal email accounts. The broker’s use of these email accounts caused the firm to fail to comply with its recordkeeping obligations.

Takeaway:

Firms need to capture, archive and supervise all written business communications. Establishing firm policies and procedures to capture, retain and supervise all emails, text messages, social media posts, and instant messages is critical – as well as addressing communications on other emerging platforms that have not been approved for business use, such as encrypted text messaging and chat applications. This also includes popular sites such as Facebook, LinkedIn, Twitter, Bloomberg, and Slack. Because firms can’t rely on social networks for recordkeeping, this means that firms need to work with third party vendors. Lastly, make sure to test the firm’s electronic communication channels; this is important to ensure that all content is being captured in supervisory systems and is in compliance with recordkeeping rules.

FINRA previously issued Regulatory Notice 07-59 to guide members with the review and supervision of electronic communication. Although the Notice was issued for FINRA members, it’s a helpful supervision guide for all financial services firm.  Firm employees should have access to the policies and procedures, and there should be very specific guidance regarding permissible and prohibited electronic communication channels. There is no prescribed formula for determining how many messages to review, but enough should be reviewed for an advisor to be able to defend it as reasonable. FINRA adds that “Members should remind their reviewers that merely opening the communication will not be deemed a sufficient review.” I recommend keeping track of who is reviewing what, and ensure that your compliance team can track progress and escalate messages that require further scrutiny.

The regulator recommends that firms adopt a combination of lexicon and random review of electronic communication. Any system should have the ability to add and delete words or phrases over time, and existing words or phrases should be periodically reviewed for effectiveness.  Ideally, your supervision platform will have the ability to automatically flag emails that contain certain words or phrases likely to warrant review. It’s important to remember that reducing false positives allows your firm to reallocate your resources towards the riskiest messages, but the end goal is still to correctly identify potential compliance violations. You can create lexicons on applicable risk areas such as inside information, anti-money laundering issues, gifts and gratuities, private securities transactions, and customer complaints.

As you can see in the above enforcement cases, advisors continue to use unauthorized communication channels. I recommend creating lexicons to find advisors trying to take the conversations offline. It’s also a red flag of a possible violation such as insider trading. Lexicon examples include: “send to my personal email,” “respond to my gmail,” “text me,” “let’s take this offline,” and “call me on my cell”. Using acronyms and misspellings are also magic tools to find suspicious conversations are being taken offline. Examples such as “TOL” (talk offline), “LDL” (Let’s discuss later); “TYOP” (tell you on phone) “fon” (phone). The words people use in business communications change frequently so a regular assessment is recommended.  The Archiving Platform from Smarsh has built-in supervision features that focus on prohibited communication channels.

Now is the time to enhance your electronic communications compliance program. There’s no time for excuses as there’s enough guidance to help you meet the regulatory obligations.  The electronic communication landscape continues to evolve and the regulators have taken notice.