FINRA Enforcement Cases Emphasize Importance of Retention and Review of Electronic Communication
On multiple occasions, through enforcement actions, FINRA has shown that it places great emphasis on the review and retention of business-related electronic communication — bringing enforcement actions against representatives, compliance officers and firms.
Sanctions for Unauthorized Use of WhatsApp
A registered representative was sanctioned through a February 2020 Letter of Acceptance, Waiver and Consent (AWC) for using WhatsApp to conduct securities business with overseas customers. The representative initially disclosed to his firm that he had used WhatsApp for business purposes, but he subsequently told the firm that he would use only firm-issued communication devices, and he acknowledged that the firm prohibited text messaging.
Despite his statements and acknowledgment, he exchanged 894 WhatsApp communications, many of which were securities-related, with three customers on his personal cell phone and on his work computer. His firm did not approve his use of WhatsApp and could not capture or review those communications. FINRA suspended the representative for 30 days and fined him $5,000.
CCO Disciplined for Failure to Capture, Retain and Review Business-Related Emails
FINRA disciplined a chief compliance officer (CCO) in April 2019 through an AWC for failing to ensure that his firm captured, retained, and reviewed business-related emails. The firm’s written supervisory procedures (WSPs) designated the CCO as “responsible for [the firm’s] supervision (including compliance with the [email review and retention] rules identified above), the review of emails, and the maintenance of the firm’s books and records.” The CCO, however, did not take any steps on behalf of the firm to review or retain representatives’ emails. Specifically, the CCO failed to ensure that the firm captured, reviewed, or retained emails sent and received by one representative, as well as certain business-related emails sent and received by the CCO himself through his outside email address.
The CCO failed to fulfill these retention and review requirements concerning an investment banking representative associated with the firm through a d/b/a entity. The CCO knew of the representative’s use of a third-party email address associated with the d/b/a. However, the CCO failed to take any steps to review or capture the representative’s use of email through the d/b/a email domain until January 2015. Even then, although he took steps to capture the emails, they could still have been permanently deleted through June 2015.
With regard to his own emails, the CCO almost exclusively used a third-party email account instead of his firm account to conduct firm business. FINRA found that he sent only three electronic communications, which were calendar invitations, using the firm’s email address during the relevant period. During the investigation, the CCO was unable to produce all of his business-related emails sent via his third-party account. Thus, the CCO failed to adequately retain his own email.
As a result of these violations and other conduct, the CCO was fined $5,000 and suspended for 30 days from associating with any FINRA member in any capacity.
Firm Sanctioned for Failure to Have Written Supervisory Procedures
Finally, a firm was sanctioned in a litigated case for failing to have written supervisory procedures that addressed the review and retention of electronic correspondence. In July 2019, the US Securities and Exchange Commission (SEC) sustained a FINRA disciplinary proceeding finding that a former member firm failed to establish and maintain a reasonable supervisory system for the review of electronic correspondence, among other violations.
In its opinion, the SEC found that between March 2007 and September 2010, the firm’s written supervisory procedures failed to provide a clear procedure for conducting the required review and retention. Specifically, the firm’s WSPs did not specify how supervisors should select which electronic correspondence to review, how they should review it, or how frequently they should conduct such review. Further, the firm did not maintain a record of any such review. For this violation, among others, the firm was fined $500,000.
- Representatives, compliance officers, and firms can be sanctioned for inadequate retention and review of electronic communications
- Representatives and compliance officers can be sanctioned for failure to be aware of and follow their firm’s policies and procedures regarding electronic communications
- Firms can be sanctioned if their WSPs do not contain sufficient detail regarding the review of electronic communications and documentation of that review
- Firms may want to pay attention to:
  - Third-party and outside email accounts
  - New technology and apps for electronic communications such as WhatsApp
We recently met with FINRA and gave guidance on best practices for firms balancing remote work and regulatory risk. More on FINRA and SEC violations from the last year in this Regulatory Update Roundup.