Small Firms Beware: Regulators Are Focused on Off-Channel Communications
With the fast adoption of evolving technology across industries, the surface area of risk continues to grow rapidly. And, while firms in the financial industry must be ready to adapt to meet customers on the channels they prefer to communicate with, they also need to remain compliant with their recordkeeping and supervision obligations.
Regardless of the firm’s size, having the proper safeguards in place is crucial. It only takes one employee’s actions to pose significant risks — especially when it comes to the use of off-channel communications.
Off-channel communications refer to any form of communication not carried out on a company's approved communication channels.
Given the 2023 examination priorities from both FINRA and the SEC, and recent enforcement actions from the SEC, FINRA and CFTC, the regulatory focus on off-channel communications is clear. Small firms and RIAs should expect the same regulatory scrutiny larger organizations have faced in recent months and must remain hyper-focused on their recordkeeping. Off-channel communications that are not captured and preserved leave the firm unable to meet its responsibility to reasonably supervise employees’ electronic communications. Also, off-channel communications cannot be reviewed during an audit or examination, making it more difficult to identify bad actors and penalize policy violations.
Firms must be prepared — as soon as possible — to demonstrate an effective and robust recordkeeping program that includes a careful review of policies and how those policies are implemented.
The risks of off-channel communications
Off-channel communications pose a significant risk for financial firms. Employees may use these channels to circumvent the firm’s compliance measures or policies or to engage in other unwanted activities. Prohibition policies alone are not enough. If employees are communicating with clients on prohibited channels, those firms are at risk for regulatory violations and fines.
As an example, suppose an employee uses their personal email to share confidential client information, and the email account is hacked. In that case, the firm will be held responsible for the breach, even if it had no knowledge of the off-channel communication. Moreover, firms are still responsible even if the employee had no ill intentions while sharing the confidential client information.
Off-channel communications pose several real risks for firms, including:
- Non-compliance: FINRA noted that off-channel communications fall under the firms’ books and recordkeeping obligations laid out in the SEC’s Exchange Act Rule 17a-4. FINRA advised that it will focus on firms’ supervisory procedures governing off-channel communications, including what steps are taken to address issues, what technologies are used to ensure employees can communicate in a compliant manner, whether all appropriate personnel are provided the technology, and the quality of the training programs in place.
- Loss of control: Off-channel communications can be difficult to monitor, control, or retrieve. This lack of control can lead to the loss of critical business information, intellectual property, or confidential client data.
- Reputation damage: A single inappropriate off-channel communication can damage the reputation of the firm. This damage can be compounded if the communication is shared publicly via social media.
Managing off-channel communications
To effectively manage off-channel communications, firms must ensure that they have the right policies and procedures, training, and tools to properly capture, preserve and supervise communications. The regulations governing business communications vary depending on the type of financial service offered, the location of the firm, and the types of clients served.
FINRA Rule 3110 requires firms to establish and maintain a supervisory system that is reasonably designed to achieve compliance with applicable securities laws and regulations. FINRA also requires firms to establish procedures for the review of incoming and outgoing written (including electronic) correspondence with the public.
Here are some strategies that firms can use to manage these risks:
- Establish clear policies and guidelines: A firm’s policies should clearly state what is and is not allowed, which channels are acceptable, how communication should be secured and monitored, who is responsible for these procedures, and what the consequences of violations are.
- Train employees: Employees should receive thorough training on the firm’s data security and privacy policies — including which channels are sanctioned for use.
- Monitor approved communication channels: Firms should conduct ongoing and comprehensive monitoring of all sanctioned communication channels for compliance and data security.
- Monitor for unapproved communication channels: Firms need to check in regularly to ensure employees are not using unsanctioned channels and that they understand why not to use off-channel communications. Firms also should document how they plan to monitor for off-channel communications and be able to provide evidence of that review.
- Conduct regular supervisory reviews: Regular reviews can help a firm identify and address risks associated with off-channel communications. This should include a review of policies and guidelines, training, communication tools, and monitoring practices.
While larger firms have made headlines, smaller firms also need to be mindful of off-channel communications. The failure to comply with regulations can be far more devastating for smaller firms. Unlike their larger counterparts, they often lack the resources and expertise to effectively manage these channels, making them more vulnerable to risks. Moreover, it’s not as easy for smaller firms to absorb large-scale fines for violations.
The bottom line: regulators will penalize all offenders — big and small. Now is the time to be proactive in addressing these issues.