Regulatory Update

2023 Q1 Regulatory Update: Firms and Off-channel Digital Communications

May 02, 2023 by Tiffany Magri

In this first of a two-part regulatory update, we review major regulatory actions and fines against firms and individuals in the first quarter of 2023. In this post, we highlight how firms need to understand the evolving realities of regulatory enforcements and what they need to prioritize when planning, refining and executing their compliance strategy. In part two, we cover the regulatory impacts to individual advisors.

It’s only been a few months since the start of 2023, and a lot has happened within and adjacent to the financial services industry. The modernization of SEC 17a-4 is in full effect, both the SEC and FINRA emphasized their focus on cybersecurity and digital communications, and new technologies like ChatGPT are creating plenty of compliance challenges.

Books and records top enforcement issues

Overall, Eversheds Sutherland’s Annual Analysis of FINRA Disciplinary Actions showed a decrease in sanctions and enforcement actions in 2022.

| 2021 | 2022 | Percent change |
|---|---|---|
| $103 million in fines | $45 million in fines | Decreased by 56% |
| $47 million in restitutions | $21 million in restitutions | Decreased by 55% |

While the number of overall cases reported by FINRA decreased in 2022, there was an increase in the number of “supersized fines” of $1 million or more reported.

Books and records was the most enforced rule, as measured by fines. In 2022, FINRA reported 50 such cases and levied over $14.8 million in fines.

Several of these cases included instances where firms failed to supervise and preserve business-related communications. In the largest case where books and records was the primary focus, FINRA fined a firm $2.8 million, finding that the firm failed to correct inaccuracies in trade confirmations it sent to customers over multiple years and after three warnings.

The big violations (and fines) of Q1 2023

Missed call (records) costs firm

FINRA fined a firm $1.1 million for failing to timely and completely produce phone records in response to FINRA's requests for documents. The firm:

  • Inaccurately produced certain phone records
  • Failed to search a storage location containing older call detail records
  • Failed to promptly advise FINRA of its production failures
  • Did not identify all affected investigations where its responses were likely incomplete until more than a year after discovering the issue
  • Failed to preserve certain responsive call detail records from an internal network drive
  • Did not prevent responsive records from being deleted, resulting in missing call detail records ranging from several days to several weeks.

Ineffective WSPs for email supervision

One firm was fined $45,000 for failing to establish, maintain, and enforce reasonable supervisory systems, including written supervisory procedures (WSPs), to review electronic communications.

The firm's email review was unreasonable in practice, as it reviewed only 0.26% of the emails sent or received by registered representatives. The keywords used to flag emails for review were also inadequate, as they included the firm's own name, which appeared in virtually all emails.

In addition, the firm's WSPs did not specify any keywords or process for identifying keywords to flag emails for review or describe any parameters for conducting random sampling.

The firm's WSPs also lacked clarity on:

  • The personnel responsible for email review
  • Frequency and sample size of email review
  • Keywords or process for identifying flagged emails
  • Parameters for conducting random sampling
  • Types of red flags requiring follow-up steps
  • Steps for escalating issues identified during email review

Customer complaints weren’t archived

A firm was fined $3 million for inadequate supervision in establishing and maintaining a supervisory system and WSPs to identify and respond to customer complaints.

The firm's supervisory system for identifying and responding to customer complaints was found to be poorly designed. There was insufficient allocation of staff and resources to handle the high volume of customer communications, including complaints.

Additionally, the firm failed to report written customer complaints to FINRA, including those involving theft or misappropriation. The use of a lexicon tool to identify potential customer complaints was deemed inadequate, and the firm's WSPs did not clarify that grievances related to customer questions, operational concerns, or service issues should be treated as customer complaints.

Archiving solution failed to capture encrypted iMessages on firm-owned devices

FINRA fined a firm $200,000 for failing to retain business-related iMessages sent and received by its registered representatives on firm-owned iPhones. While the firm permitted work-related text messages, the firm’s third-party archiving system couldn’t capture end-to-end encrypted iMessages.

The firm attempted to disable or block the iMessage function for the iPhones it had previously issued and for those going forward. However, the disabling control was not working on new iPhones due to an issue with a new version of the iPhone’s operating system.

A firm representative referenced sending and receiving specific text messages that the firm could not find in its archiving system. The firm realized that the referenced text messages were iMessages, which were not being archived by the firm’s third-party system.

After conducting a supervisory review, the firm collected firm-owned iPhones from its representatives and uploaded iMessages from those iPhones into the firm’s archiving system to perform a supervisory review. The firm also worked with vendors to deploy a more robust blocking control to disable the iMessage feature on firm-owned iPhones.

Intentional use of ‘auto-delete’ messaging feature lands firm in hot water

The CFTC charged a firm with willfully evading federal law and operating an illegal digital asset derivatives exchange.

The firm allegedly knowingly disregarded applicable provisions of the Commodity Exchange Act (CEA) while engaging in a calculated strategy of regulatory arbitrage to its commercial benefit. The complaint indicated that the firm acted as a designated contract market or swap execution facility, based on its role in facilitating derivatives transactions, without registering with the CFTC as required.

The complaint charges the firm with conducting activities outside the US to avoid CFTC regulation requirements, including intentionally structuring entities and transactions to avoid registration and instructing customers on how to evade the firm’s compliance controls.


The charges state the [firm] used different messaging applications (e.g., Telegram, WeChat, Signal) to conduct business and would enable auto-delete features to cover their tracks after communicating about inculpatory matters.

Prepare for the rest of 2023

Regulatory actions in Q1 give the financial services industry a taste of what’s to come: firms will need to shore up their compliance strategy to meet the heavily enforced books and records requirements.

More specifically, enforcement actions are strongly trending towards an emphasis on discovering and reasonably supervising for off-channel communications. This is a challenging reality as more firms, employees and customers are gravitating towards newer (and often encrypted) communication tools.

Failure to meet regulatory requirements can result in fines and disciplinary action. Firms must establish a reasonable supervisory system for business communications and ensure that the policies are properly enforced and followed through reasonable supervision.

Based on the above, firms should consider the following elements:

  1. Reassess your established WSPs for reviewing electronic communications so that they address current communications pitfalls
  2. Make sure you can retain and supervise all business-related communications including text messages and mobile messaging applications
  3. Review your supervisory system and written supervisory procedures to assess if you can properly identify and respond to customer complaints
  4. Reassess if you have adequate allocation of staff and resources to meet your compliance obligations, particularly in light of the increase in communications firms are experiencing
  5. Work with proven archiving vendors to enable business communications

While an effective WSP is the first step to defining your firm’s compliance strategy, it can’t simply be a prohibition policy. It won’t save firms from fines if their brokers communicate with clients over those prohibited channels. And as we’ve consistently seen, the number of off-channel communications will continue to grow.
