With the SEC & FINRA 2020 examination priorities letter released, we will take a closer look at the trends in 2019 and what to look for in 2020.
In the letters, the regulators highlight their top priorities while reminding firms of the need to adopt comprehensive supervisory processes that will ensure compliance and exam preparedness. Companies should expect that the SEC & FINRA won't tolerate inadequacy or indifference to compliance in the year ahead.
Join Elin Cherry from Elinphant, L.L.C. with Robert Cruz and Marianna Shafir from Smarsh on January 28th as they review:
- Top priorities, including communications with the public, fintech, and Regulation Best Interest (Reg BI)
- Items directly impacting supervisory review processes
- How to prepare for exams in 2020
Senior Director of Information Governance, Smarsh
Robert Cruz is Senior Director of Information Governance for Smarsh and Actiance. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and Discovery cost and risk reduction.
Regulatory Advisor, Smarsh
Marianna Shafir is Regulatory Advisor at Smarsh, where she’s responsible for regulatory affairs worldwide. With her expertise in the financial services industry, compliance and eDiscovery, Marianna counsels Smarsh clients on meeting regulatory obligations, leveraging technology and guidance on best practices related to electronic communications supervision. Prior to joining Smarsh, Marianna worked for BNY Mellon and Invesco where she was an instrumental member on compliance teams. Marianna has also served as an adjunct professor at New York Career Institute where she taught Law Office Management and Real Estate Law. She earned her Juris Doctorate from Nova Southeastern University. She is a frequent speaker at industry conferences and a contributor to various online publications.
Founder and CEO, Elinphant, L.L.C.
Elin Cherry is founder and CEO of Elinphant, L.L.C., a financial compliance consulting firm. She is a Capital Markets and Compliance Executive who has served as a key member of Compliance Senior Management teams. Known for gaining regulator confidence, she has a proven track record in managing regulatory relations and examinations and has strengthened firms’ credibility with regulators during times of financial stress. Elin is adept at successfully implementing Compliance Programs to enable firms to be proactive regarding compliance matters. Prior to founding Elinphant, Elin was a Principal and the Head of Capital Markets at Compliance Risk Concepts (“CRC”). In that role, she grew a book of business generating half a million dollars in revenue.
Transcription of Webinar Audio
Davi Schmidt: Hello. Thank you for joining us for today's webinar, “Key takeaways from the SEC and FINRA 2020 Priorities Letters.” Please be aware that all participants will be muted for the duration of the call. Feel free to submit any questions you may have via the GoToWebinar messaging app, and we'll attempt to answer as many of them as possible during the Q&A session at the end. Joining us today, our presenters, Elin Cherry, Marianna Shafir, and Robert Cruz. With that I'll hand it over to you, Robert.
Robert Cruz: Thank you, Davi, and thank you everyone for joining us this afternoon. Really appreciate you taking the time to talk through some of the key takeaways from the 2020 SEC and FINRA priorities letters. There's a lot to get to, but let me first start with the standard disclaimer. Smarsh provides this information for informational purposes only. Smarsh does not provide legal advice or opinions. You must consult with your attorney regarding compliance with applicable laws and regulations. Walking through the agenda real quickly, a very fast introduction of the folks on the line. We will then do a really quick recap of the 2019 enforcement themes, something we've discussed in December. We'll touch [on] that again just to make sure that folks have seen some of the things that came out of 2019 that lead into 2020 and the top priorities that are coming out of the enforcement letters. We'll finish it up with a brief overview of how Smarsh can help firms to address these new priorities for 2020.
Robert Cruz: First of all, by way of introductions, coming to you from all corners of the universe today, let me first welcome Elin Cherry, founder and CEO of Elinphant. Elin, thank you very much for joining. Why don't you tell us a little about yourself?
Elin Cherry: Robert, thank you … I am calling from Kenya, where I'm doing some work with the Capital Markets Authority here. I'm putting in a trading surveillance system, which is just a good way to kind of introduce myself. I'm a broker-dealer-compliance person. Have been doing it for over 20 years and I have a consulting firm now. I'm happy to be joining Marianna and Robert.
Robert Cruz: Terrific. Thank you, Elin. Next, let's go to Marianna, our regulatory advisor here at Smarsh. Welcome, Marianna. I think you may be on mute, Marianna. If you can tell us a little bit about yourself.
Marianna Shafir: I am very excited to be here today. I’m the regulatory advisor at Smarsh, and I'm responsible for the regulatory affairs worldwide. [I have] expertise in the financial services industry, compliance, e-discovery. Basically I help and counsel our customers on meeting regulatory obligations, leveraging technology, and guidance on best practices related to e-com supervision. Prior to joining Smarsh, like many of you, I wasn't in compliance and I worked at Bank of New York Mellon and Invesco. Now I'll pass it back to Robert.
Robert Cruz: Thank you, Marianna. Myself, I'm Robert Cruz. I am the vice president of information governance at Smarsh. Basically, myself along with Marianna and her team work with our customers in the areas of best practices and sharing and helping to leverage the expertise from across our customer base, particularly focusing around discovery as well as supervisor review. I have a background here in Silicon Valley in essentially all facets of governance, risk and compliance, and I've been with the company for the past couple of years, having come through the acquisition with Actiance—or the integration or merger with Actiance. Great. Now let's just give a quick overview of Smarsh as an organization for those that may not be as familiar.
Robert Cruz: The company has been around since 2001, and basically the mission has always been the same, which is to help organizations use the communication channels of their choice, the channels that are in demand from your clients, providing technology that allows companies to capture, archive, and supervise that information. As already demonstrated in the line, we've got a very good base of expertise in financial services and supervisor review as well as the areas of public sector and other regulated industries as well. We have been recognized by both Forrester and Gartner as a market leader, which is very important from our point of view. And we think our customers see value here as well in recognizing our ability to execute as well as the vision in being able to embrace the latest communication network to be able to continue to move these new compliance capabilities to new communication sources as they emerge. We provide a single repository for all communication sources, so that really simplifies the process of being more effective and efficient in a way that you're managing your supervisor review as well as your e-discovery activities.
Robert Cruz: Let's get right to it. I think the place to start is what we covered, the three of us, actually, in mid December, which was a recap of the things that were coming from the regulators in terms of key themes for 2019. I think the place to start here is ... Marianna, looking at one of the things that came from the FINRA exam findings and observations from 2019 was really this emphasis around digital communications. The fact that this is something we've been talking about for a long time and now it seems that FINRA is very much tuned into the way that companies are communicating through these new networks, as well as the activities they have in place to monitor those activities on prohibited channels. Why don't you tell us a little about some of the key things that came from the report?
Marianna Shafir: Yeah. From last year's report, there was a section on digital communications for the first time, and at a high level, the inclusion appears to acknowledge that the number and nature of communication applications are rapidly expanding. FINRA mentioned collaboration tools, video blogs, live stream content, messaging applications with self-destruction capabilities and digital channels used to host electronic sales seminars, and [those] are just some of the platforms included in the report. I think the big win here, the major focus, was this was the first time that FINRA mentioned collaboration tools. I know every year we do these webinars … I'm asked questions at conferences, has FINRA mentioned collaboration tools yet? They hadn't until this report. So this is a very, very big deal.
Marianna Shafir: The report specifically states, "If a firm permits its associated persons to use an application, for example, an app-based messaging service or a collaboration platform, the firm must preserve records of business-related communications and supervise activities and communications of those persons on the application." So FINRA specifically noted that in the report. Also, some noteworthy findings based on actual rule violation was around messaging and collaboration, which stated, "In some instances, firms prohibited the use of texting, messaging, social media, or collaboration applications [examples such as WhatsApp, WeChat, Facebook, Slack, or HipChat for business-related communications with customers] but did not maintain a process to reasonably identify and respond to red flags that reps were using impermissible, personal, visual channel communications in connection with foreign business."
Marianna Shafir: What does this mean? Many of you have prohibition policies. It's not enough just to have a prohibition policy, right? You need to check that the prohibition policies are actually working, and in many cases they're not. In many cases the reps, the advisors, are still using those personal channels for communication. That is something that's critical to check. You need to check the red flags; you need to have systems in place to check those prohibition policies. At the end of the day, I always say prohibition policies, they do not work. Some noteworthy examination findings: Firms prohibited the use of texting, messaging, social media, or collaboration applications for customer communication but did not maintain a process to identify reps using those prohibited communication channels. The red flag is detected through customer complaints, reps’ emails outside business activity reviews, and advertising reviews. These were all noteworthy examination findings. It really does take us into 2020 for FINRA and SEC as well.
Robert Cruz: I think it’s interesting, Marianna, that it's very broad. And Elin, we'll be interested in your thoughts as well in terms of looking at the variety of red flags that they called out … email communications, other business activities, advertising. It seems like that's really addressing a number of dimensions that previously had not been covered. What do you make of that in terms of addressing all of those particular topical areas?
Elin Cherry: I really want to second Marianna that prohibition of communication channels isn't working, and if you're going to do it, it needs to be looked at as a stop gap—just something until you can get a technology in place. Then you should ask for your reps to sign an affidavit that they aren't using that vehicle to communicate either. What we're seeing is that the communication channels are just popping up. The different collaboration channels, different ways to communicate, are popping up so quickly that firms can't even really get their arms around them right now. I think that the red flags of, if somebody's saying in an email, “let's get on Slack” or “let's get on text,” I think that those are pretty easy things for the regulators to find now. You need to be finding them yourself and then making sure you're on top of it.
Robert Cruz: All right. We're going to come back to this because I think this is a key topical area for 2020 as well. Yeah, I think it's very important to recognize that this is a very prominent area of the report. Let's keep going onto some of the themes that specifically came out. Marianna, I know you do a terrific job in tracking the enforcement activities throughout the course of the year. You highlight a few things here. What really sticks out to you in terms of the areas that enforcement was targeting in 2019? What are the key things that you would take away?
Marianna Shafir: Some of the biggest ones that I thought were critical, and something to look at was, let's start with the beginning, the failure to execute just on the fundamentals. Last year, FINRA fined a firm $90,000 for failing to establish, maintain, and enforce a reasonable supervisory system, including WSPs, for the review of email and hard copy customer correspondence. Because the firm did not conduct correspondence reviews in time to receive any sales practice concerns or red flags, such correspondence could go undetected for long periods of time. What's critical about this case was just executing on the fundamentals, those timely reviews. You don't want to have a backlog. They're looking at that.
Marianna Shafir: I always say what's even more important … say you're doing weekly reviews; you need to make sure you're doing whatever your WSPs say you're doing. So you need to check what your review process is. In this case, they weren't having timely reviews and they got fined … it was a big fine of $90,000. Also, lack of focus on new communication tools. Yeah. Yes, Elin?
Elin Cherry: One thing, and most of you probably don't have this, but I think it'll just bring the point home. I recently had a firm that was a new broker-dealer, and FINRA came in, they did the review. We didn't get our keywords in until after the first month. And because our keywords didn't go in until after the first month, they thought they'd found something, that we hadn't maybe reviewed our first month of emails, which we had reviewed. We'd reviewed more than we had to, but just so you know, they looked to make sure that we were reviewing emails from the very, very first day. I think it just emphasizes they're being very thorough in these reviews, and if you've got gaps and a backlog, I would suggest taking care of it immediately.
Robert Cruz: That's a great point.
Marianna Shafir: I think that's a very valid point … like executing on the fundamentals, it's something that every firm should be doing. It's not enough just to say you're doing it in the policies. You really need to make sure you're enforcing and carrying out those policies, and they are looking for that. Next would be the lack of focus on new communication tools. The same firm was also fined for failing to conduct weekly reviews of the reps' social media sites. Again, why this is important, it's just not emails they're looking for anymore. They're looking at social media sites. FINRA found that contrary to WSPs, the firm failed to conduct a weekly review of the reps' social media sites that the reps disclose to the firm 22 times out of a sample of 26 weeks reviewed.
Marianna Shafir: In addition, because the firms did not have a reasonable system to monitor for compliance with the social media policies, reps were able to maintain business-related pages on the social media sites that had not been pre-approved by a qualified registered principal. As a result, the firm was not reasonably monitoring for the usage of undisclosed websites. It failed to pre-approve websites operated by reps as required by WSP. Elin, are you seeing something similar also from your clients in this case when it comes to social media sites?
Elin Cherry: Yes, and I especially think that ... I look at social media sites not just for the review, for the reps that are using them for work, but I've been getting more questions lately like, “do we need to check LinkedIn and social media sites to see if people have outside business activities that they haven't disclosed?” Surprisingly, my answer to people has been yes. It is starting to become the thing that you need to do. If you're not looking at your registered rep LinkedIn pages once a year and noticing that they've got a side business, you might want to think about doing that.
Marianna Shafir: That's also a great way for testing, right? So it shows that you're testing your policies. What can you do? You can look on the LinkedIn page, you could print it out, their profiles, you could put it into the folders for your reps, and it shows that you were testing to see their outside business activities. I think that's a great way. We used to do that at my old firm as well. That's how they used to test for outside business activities.
Marianna Shafir: Moving on to not treating mobile as a first-class target. What I've seen FINRA do in the past year or two was personally fine brokers for using their personal device to text message business communications. In this case, last year, a broker was fined $20,000, which is the highest fine I've seen to date and was suspended for using text messaging and his personal email accounts to engage in business-related communications with the customer, causing his firm to fail to comply with its recordkeeping obligation. The findings stated that these communications included a written complaint by a customer alleging that the broker failed to follow the customer's instructions. Now, why this case is noteworthy, and I always give it as an example, is because I always have customers ask me, “how do the regulators find out about the usage of text messaging or personal email account?” Most of the time it's through a customer complaint. That is something to keep in mind. Next ...
Elin Cherry: Marianna, one thing I'd like to add … there is something that is happening that I'm starting to talk to all of my clients, and especially when I'm doing training, is that the way these things are often found is in a review of another firm's communications. I've actually been at a firm where we were surprised to get a call that one of our employees was using a personal email address, but it was found in a review of another firm's email. I've definitely now included that in my training to let representatives know that yeah, we may not catch you, but chances are somebody's still going to see it.
Marianna Shafir: Absolutely. It's a very good example and a very good point. Supervision, always on the mind of the regulators. The SEC fined a firm $700,000, and the CEO was barred from FINRA and fined personally another $100,000 for failing to establish and maintain a reasonable supervisory system for the review of electronic communication. I think it's something also important to know that, why was the CEO personally fined here as well? A lot of times, if you noticed, the regulators, I've seen personally, fine a CEO when they wear many hats. In this case, the CEO was also the CCO. In those cases when you wear many hats, that is something they are looking at. Specifically, in this case, the WSPs did not address how the supervisors were to select electronic communications for review, how they were supposed to review it, the frequency of such reviews, and the manner in which the documents are reviewed, nor did the firm maintain records of its supervisory review of electronic correspondence.
Marianna Shafir: In addition, FINRA found that the firm failed to establish and maintain a reasonable system of supervisory control. The rule is a reasonable system. Every firm is really different, but you need to make sure that you do have these policies in place. They're not expecting a lot, but you have to be doing the reviews. They have to be timely. You have to be documenting them. I always recommend to customers, even if you're looking at electronic communications and it's spam, I would note it's spam in the log box. Because a year down the line, two years down the line, you can go back in those reviews and show, “I did look at that.” There's a log when you're looking at these messages, and you just want to have the message be able to stand on its own if the regulator comes knocking on the door. And it's a great example to show that you were doing the review.
Robert Cruz: Exactly. Hey, Marianna, I think I want to table that last one because I think we're going to talk a lot more about reg tech here coming up in 2020, but I want to stay on the SEC portion of this. And Elin, I know that you've looked at this on the SEC side as far as just the overall activity of enforcement action. What are some of the themes here that jump out to you? Because I see one of the things … is just this increase in volume and focus around the investment advisor community. Is that something that is a key takeaway from 2019 for you?
Elin Cherry: I think what's key to me is, what I don't want people to get lost in, is that if you look at the broker-dealer findings, they're substantially down from this year, but I wouldn't necessarily take that as a good sign because it'll come back around the other way. But I do think the investment advisor clients, the SEC is visiting them a lot more often and doing a lot more thorough reviews, but I don't think that the broker-dealer world should be saying, okay, we can relax now. Because my first look at it was actually positive, saying, "Wow, my clients might have a little bit of a break," but I don't think so.
Robert Cruz: And this comes out again in 2020.
Marianna Shafir: I agree. I think in this case why the broker-dealer numbers are on the lower side is also because SEC knows that FINRA is going to be examining them. So they're focusing definitely more on the RIAs, but that doesn't mean that they're going to get less focused on the broker-dealers.
Robert Cruz: Interesting. Clearly there's a lot of topics covering everything from the basic blocking and tackling to the use of advanced technologies and artificial intelligence, the supervisory procedures, making sure that you’re encompassing all the communication channels that are used for your firms. Let's transition this over to 2020 and where this takes us into the exam letters and the things that have been called out. A place to start here is looking at the office of compliance inspection report. I think, just as we noted, innovation and fintech are important here across a number of different dimensions. Elin, can you talk to us about where you see these areas of focus taking shape for 2020.
Elin Cherry: I think with this area, as far as fintech and innovation for 2020, this is continuing along things that we've had with digital assets and whether digital assets need to be registered. Cybersecurity has got to be probably the number one focus I think for just about every regulator this year … and I think every firm is focused on it, vendors are focused on it. But … I don't expect it to be just a “this year” thing. I think it's going to continue to increase. I think as we have the innovation, we've got marketing practices changing. I think that that's a big area also where the regulators are really focusing on, how we're marketing and whether the materials are being approved, etc. Marianna, did you want to cover some of this one too?
Marianna Shafir: And the robo-advisors is a big, big one for the SEC I think this year, and they're really going to be focusing on that. Last year, I also said ... the trend would be that they would be continuing to focus on investment advisors and investment companies. And as we've seen, the priorities, they did mention again that they're going to be looking at RIAs who have never been examined, same in broker-dealers focused on [inaudible 00:26:27] rule making, which will take us into Reg BI. They mentioned they will focus on issues relating to the prep for and implementation of recent rulemaking, and broker-dealers should expect that the Reg BI rulemaking package will become effective as scheduled in June 2020. Then the other areas, such as ML, senior investors, continue to be on the priorities list.
Robert Cruz: A lot of territory covered here. Let's look into some of it in a little bit more detail, or actually, let's first turn to FINRA and some of the things that have come from the exam letter. I think your digital communication theme you see again as continuing for 2020. Marianna, what are some of the things that catch your eye here within the FINRA letter?
Marianna Shafir: Similar to SEC, I think technology continues to lead the focus area. Again, FINRA is doing a really good job. They're more specific mentioning the visual communication, what they're going to be looking for: Reps’ and customers' use of digital communication channels such as texting, messaging, social media, collaboration applications that pose tech challenges to a firm's ability to comply with obligations related to the review and retention of such communications. They highlighted digital communication in this year's priorities letter. I think that's really, really important. They haven't really done that in the past. With the recent 2019 report and now the priorities letter, this is really them telling us that this is what they're going to be focusing on.
Marianna Shafir: Communication channels. It's not just email anymore. You need to look at the collaboration tools and social media sites, the text messaging. These are the communication channels they are looking to see if firms are capturing, archiving, and supervising. They were also mentioning the private placement of the retail communication. In addition to the ongoing reviews for compliance with these core obligations, FINRA will focus on the retail communications, so review how firms review, approve, supervise, and distribute retail communications regarding private placement, security, online distribution channels such as traditional channels.
Marianna Shafir: Again, it's critical. You need to test the systems to ensure that communications are being captured for review and retention to test whether advisors are using unapproved communication channels. I like to recommend setting up automated keyword searches. So for example, you can set up, in those keyword searches, “text me,” “send to my personal email,” “let's take this online.” These are really great examples to check. So if you do have a prohibition policy, this is a great way to check that the reps aren't using those other channels, and if they are using it, you'll find it in those communications when they say such keywords. That's also a great way to test your system and look for those red flags that the regulators want to see that you're looking for. Elin, what do you see, and what examples have you seen working with your clients?
Elin Cherry: Well, I think one of the things … and this is very, very specific, but one of the things that's been cropping up with my clients is some of my clients ... their employees may have broker-dealer email addresses as well as email addresses at a corporate address. Trying to segregate the two is continuing to be a difficulty and continuing to cause some issues with the regulators. When you talk about the non-approved email addresses, it is something that I've seen FINRA is focusing on. So it's a very specific item, but I think one that's important to highlight.
Robert Cruz: I think that's an interesting one. Marianna, you mentioned the inspection of systems to make sure that you're actually capturing and reviewing the entirety of the communication types that are flowing through it. But I'd imagine this also includes just ensuring that the system works, the basic functioning of the system, to make sure that it's doing what it's supposed to be doing. Is that an area, Elin, that you've seen change in terms of how firms are inspecting their technology to make sure it's fully operational and not creating any kind of uncertainties for the firms?
Elin Cherry: I don't think it's changed. What I would worry about is whether people are doing that comprehensive review to make sure that … you've got all communications, that some wire somewhere hasn't—and I know that's not a technical term—but to make sure that all the connections are still in place. I would guess if it comes to critical business, those are being checked most of the time. But when it comes to things like making sure you're retaining your records, I wouldn't be surprised to see some of those connections potentially fall off and haven't been reviewed. The last thing you want is that found in a regulatory exam.
Robert Cruz: Right. So ensuring that the integrity is there, that you've got an audit process to inspect and make sure that there's reconciliation, etc. The basic backend capabilities to ensure that everything's in the supervisory process that needs to be, right?
Elin Cherry: Yes.
Robert Cruz: Another interesting area, Marianna, I thought that you did a good job of capturing in the blog, which is the checklist, the things that firms should be inspecting to make sure that the supervisory processes are operating as they should be, operating efficiently. Talk us through this checklist and some of the key things that you see firms needing to spend more time and energy on this year.
Marianna Shafir: For the first time, FINRA provided a checklist to help firms, to guide them in the digital communications space. I want everyone to think of this as a cheat sheet. They're basically telling you what you need to look for and what they’ve seen in the past and what the examiners are going to be reviewing with a firm. They mentioned, does your firm have a process to evaluate new tools available to your reps? Whether there are digital communication channels that should be captured, including in your firm's routine electronic communications … and stored in accordance with books and records requirements. We were just talking about this … and I think it's very critical to know it's not enough just to partner with a vendor, an archiving vendor, and check the box. You really need to make sure that those communication channels are actually being captured and you should check them. They mentioned that, does your firm periodically test ...? Yes, Elin.
Elin Cherry: One of the areas I'd really recommend people focus on when you say about checking and making sure that we've captured everything is, this is the time where you really need to be training your technology people along with your business people. Because it's the technology people who are implementing these systems, they're really the first ones that you have to let know. You've got to make sure that if it's a communication system, that it's hooked up here. I've also been emphasizing more and more training for technology people.
Marianna Shafir: I agree. Technology people, the compliance teams, don't wait for the examiners to come knocking at your doors to check your logins to see if it works. They want to know that you know how to log in and you know how to use the platform. I've had a client tell me before that when FINRA came, they wanted to see the archiving system and how they use it in supervision. They sat down, logged in, and then they said, “oh we have keywords set up.” Smarsh, that's when I was implementing keywords. “We have the Smarsh keywords in place, not Smarsh policies.” And they're like, "Oh, okay." And they're like, "Do you want to see them?" They're like, "No, no need." They just want to really see that you do have a process in place. So I think that's really critical; check your login. If you've never logged in before, you definitely do not want to wait till the examiners walk in.
Marianna Shafir: They want to know that you know to use the system and write down notes and basically review the communication. They mentioned, does your firm periodically test its system to ensure these communications are being captured for review and retention? Again, we were just talking about this as well. You need to periodically test it. Don't just log in once and not log into your system a year later. You need to do this timely. You need to periodically test that it's being captured and archived. You don't want to find out you had some messages down the line that never got captured and archived. The firm is always responsible. Elin, anything you want to add to that?
Elin Cherry: No, I think we've covered this one well.
Robert Cruz: I would just add that I think it's even more important now because of things like persistent chats. It's not just an individual series of emails. It's really trying to understand the context of a conversation in its entirety. So I think it's just doubly as important. And considering all the new communication sources and … being interactive, that'll change from an initial point in time to a later point in time. Even more critical with today's communication sources.
Marianna Shafir: That's a very good point, Robert. With all the different communication channels, you don't want to lose the chain of custody. So you start with an email, you move on to LinkedIn, then your text messaging. You really don't want to lose all those different communications. Also, FINRA mentioned, do your firm's supervisors know the red flags that indicate a rep may be communicating through unapproved communication channels? Are your firm's supervisors following up on those red flags, which include, but are not limited to, the email chains that include the non-approved email addresses? The references and emails to communications that occurred outside of approved channels, the customer complaints mentioning such communications? I mentioned the customer complaints earlier, that's how you really do find out about those prohibited communication channels being used. I do see frequently that FINRA is fining firms for not following up and escalating the red flags. So you really need to make sure that you are following up on those red flags.
Robert Cruz: That's a lot of good information. I think that the idea of a checklist, you can get very specific in terms of how you do each of these things, and we're going to talk a little bit more about that in terms of what firms should be doing as part of their supervisory practices. But this is a very good start. Why don't we shift the attention now to a couple of other areas. We focus a lot on books and records supervisory, but clearly there's other things that are important here, including from operations and governance. Either of you, what are your thoughts in terms of, as you mentioned, Elin, the ongoing focus on cybersecurity? I think it's also very important to recognize that they're looking at governance as a topical area, which seems to be a fairly new thing for FINRA. What do you see as the key takeaways from these additional topics? Why don't you start us, Elin?
Elin Cherry: Yeah. Back first to cybersecurity. I do think the mention of Reg S-P here is really important and hope that anybody who's reviewing some of your keywords is going to contain anything that could get picked up for Reg S-P. Because that should be a significant concern to you and something that hopefully your email or your correspondence reviews are picking up—anything with Reg S-P. Also, with cybersecurity, you're going to be able to notice a lot of that stuff coming in and hopefully get better and better at blocking the spam email addresses and getting the firewalls and fine-tuning better and better. But your email reviewers should be trained on recognizing these items too, and perhaps even noticing when your reps could be corresponding with somebody who's ... they're being hacked, etc. So you really can use your electronic correspondence reviews to be reviewing for a lot of other rules and regulations. Especially, when it comes to privacy and when it comes to cybersecurity.
Robert Cruz: Exactly. What are your thoughts, Marianna?
Marianna Shafir: I think that's a very valid point, Elin. Think of it as the checks and balances. I always say supervision, you shouldn't just be doing it just because it's required. There are so many benefits from it. The testing of the policies, looking for wrongdoing. In this case, even cybersecurity, you could really find if there was some sort of fraudulent email or some sort of hacker so you really can be on the lookout. If you train your reviewers, they can find that as well.
Robert Cruz: Yeah, that's a great point. Just on the governance front, I thought it was interesting that they call out not just the approved or prohibited networks but the other networks that may be in use that you discover. How you specifically address that in your plan seems to be a pretty important concept, just to make sure that individuals have clear guidance on the next communication source that'll ultimately emerge and firms will start to see as part of the supervisory inspection.
Elin Cherry: I really feel like one of the things is that any technology that isn't critical to the business can get overlooked in things like technology governance. That's where I put your books and records archives and things like that. While they're critical to the firm, they're not critical to settle a transaction on a day-to-day basis, or to make sure business is actually happening. Those are the ones that I worry are going to slide through the technology governance cracks and ... I would want to see the technology governance plan and see where the communication and correspondence tools and collaboration tools sit within the plan.
Robert Cruz: Right. That's a great point, kind of taking a lesson from MiFID too and making sure that these communication activities all can tie back to a transaction at the end of the process. We talked about Reg BI, and clearly there's some additional considerations here, in particular the current challenges in court. What are the key things to think about here, Elin, as this makes its way through the judicial process?
Elin Cherry: This is a little bit of a non-sequitur going onto Reg BI, but something I specifically want to point out is, we all know that the SEC and FINRA, we need to be ready for BI, we need to be ready. You've got to have this done. I really wanted to just take this opportunity to lay out that Reg BI is being challenged in court today. Chris Dodd and Barney Frank have now joined seven states in arguing that Reg BI violates the Dodd-Frank Act. I think, as in September, people did not think that it was going to be successful, but there's been some recent activity where there are some views that this could be successful, this court challenge to Reg BI. While we have not heard anything from our regulators about it, nor would I expect us to yet, I would say it's something you guys should keep in your pocket and keep watching.
Elin Cherry: The DOL rule, it never happened, but I don't want to say the same thing will happen here, but you need to be ready for BI. But I also would say keep your eyes and ears open for the news around what's going on with that court case.
Robert Cruz: Yeah, that's good advice. Remember the past, but be ready for anything as it might transpire at the end of the judicial process. A lot of information here. You read the exam letter, you see some of the key points, what should firms do? What's the takeaways here that the two of you would call out in terms of putting these letters into action, in terms of folks’ overall governance and compliance programs?
Elin Cherry: I think other than BI, the other thing other than correspondence … I would really like to say is that this letter of the priorities from FINRA is lengthy and it is really best practice. Take the letter and take each topic, put it into a spreadsheet, determine if it's applicable or not to your business and then figure out when you last tested it. I think that going through that process you're going to find things in that letter. First of all, the document is a great document to show the regulators about how you're keeping up with regulatory initiatives, etc., but also if you're sitting there and you are the CCO or you support the CCO, this is a really good thing to have done and have a little document that you've gone through that letter and you know where your firm sits in regards to that letter.
Robert Cruz: Great advice. Let's click in one level below that, which is how do you supervise changes in your supervisory process? I think we've talked a lot about the items here, including making sure that you're anticipating the next network, the next device. You are making the assumption and the expectation that risk and value to the firm lives on any of these new communication networks, that your governance programs or your policy self-reflect all the different tools that companies, that individuals, are using, and potentially those may be in use without any specific guidance. Supervising your supervisors I think is a great point. Just making sure that they know that you can inspect to make sure that they know what they need to be doing. What do you guys recommend here in terms of just the tactical changes in supervision and how they should be thinking about that, given the items that were serviced from the exam letter? Marianna, what are your thoughts?
Marianna Shafir: I think it's just really important. It's critical. You have to be doing what your policies say you're doing. Many times firms get written up for not carrying out, not enforcing their actual policies. If your WSPs say that you're doing daily reviews [but] you're doing weekly reviews. If you're doing a 4% review, you need to make sure that you're doing that. That's actually what gets firms fined. I always say be more broad. If your WSP just says you're reviewing those messages, it doesn't have a percent, then that's better than actually having an exact number and not following through on that. You need to make sure you're doing those supervisions timely and documenting it. I think that's really critical.
Robert Cruz: Having the process and making sure that you can furnish the proof that you actually are following it as a routine of the business. Elin, how about you? What are the key things in your mind?
Elin Cherry: I don't like to use the word “training” all the time, but I think communication and education with your supervisors I would recommend. So for your people who do email review, this webinar's recorded. This is a good thing for them to listen to, but I also would say with your supervisors, make sure you're constantly training your supervisors, and that isn't like doing an hour training session. Training could be sending them an email with three bullet point takeaways that they should be paying attention to, or letting them know what's happening in the regulatory environment and in a very short, concise way that's going to pique their interest. But to me, that's what you really need to do, is be communicating what's in this 2020 priorities letter. That needs to go to your supervisors, and get it to them in a way that they can consume it.
Robert Cruz: Great. That's great advice from both of you. I just want to make one fast point … which is something that we're seeing as kind of the expanded circle of supervision, the need for ongoing monitoring of employee communications. In light of cases like the CEO having to resign because of bullying on Slack or the various cases of textual harassment, as it's being called now, or other things where there’s potential loss of intellectual property to the firm. This is not just about the registered reps, it can be happening anywhere within your organization. The discipline and the process that you establish for supervision can easily be extended to look at other areas where there may be things happening in your organization where you can expand up that circle of monitoring to be able to understand what your employees are engaged in right now.
Robert Cruz: With that, I think that's a good place to leave it before we get to the discussion about how Smarsh can help. I want to thank Elin Cherry and Marianna for your insights and guidance here. I think they're very informative and instructive. If the two of you could hang on here for the next couple of minutes, I think we've got a couple of questions that have come in and you could help us address those in a second.
Robert Cruz: The way that Smarsh … address these priorities that come from the FINRA letters is really the capabilities we bring that start with the ability to capture the various communication sources that companies are using. This is where we come from. It's knowing how to deal with email and chat messages and messaging systems and collaborative platforms and having a technology set that allows firms to capture all of those natively, working with the carriers and the source providers to ensure that you understand the conversational context when it happens. Everything looks like an email anymore. So the idea of having technology to be able to capture that securely and completely so that you could validate ... you can ensure that that communication is complete is where we start. But then that leads to our archiving technologies to be able to ensure that the information is accessible; not just to meet your books and records obligations and your … immutable storage demands, but also so that you can supervise it at the levels, the volumes, the frequency that you need to as part of your supervisory processes.
Robert Cruz: Making sure this information is available in a content platform that can deliver it to your supervisors or be available for your HR or your legal teams for e-discovery, or to make that content available and accessible for other applications. Things like content surveillance technologies or AI or ML, if you're using those to spot anomalies or other areas of risk that may be hiding from your policy sets. This is the portfolio we're bringing, and the breadth of communication networks, it just continues to grow and expand. This number of 80 plus will be different tomorrow. There's always going to be a new communication source, and we have a very good track record of very quickly being able to build a technology to capture, store, and supervise this very wide variety of these new communication sources as they emerge.
Robert Cruz: Finally, in the supervisor area, the focus is really helping organizations to become more effective. It's spotting risks sooner in the process. In addition to just making sure that you can get through your supervisor process more efficiently, it's really about making sure folks are effective in spotting risk. So doing that with a lot of flexibility … from very simple policies to the most complex, being able to transform those policies from your legacy environments into a platform that's modern, that's user-friendly, that's something that is more easily manageable for your compliance teams. The configurability and the ease of integration with the archiving technologies are all things that come from our supervisory platform. With that, I think we have probably a few minutes and some questions here that we can take before we wrap it up. Let me see what we have and hand it back to Davi.
Davi Schmidt: Awesome. Thanks Robert. Yeah, we had a ton of great questions that came in. So if you asked a question and we don't get to it in the next 10 minutes, we will definitely have somebody reach out after the webinar to make sure all those questions get answered. To kick it off, our first question here is, do you expect regulatory guidance on the use of encrypted and ephemeral tools like WeChat and WhatsApp?
Robert Cruz: Well, let me start on that one because I think that was fortunately addressed in the 2019 letter, at least referencing what firms ... have to be thinking about in terms of their policies. I think it's a fair assumption that they're going to continue to provide guidance on what firms should do to supervise those networks. I think, Marianna, there's already things companies can do just to see where these tools might be appearing in your communications traffic. What do you advise clients to do in that area?
Marianna Shafir: Yeah, that's a great assumption. I recommend that you create, again, keywords in your policies. I think that's a great tool. I would help my customers do that. You would implement policies lexicons such as WhatsApp, HipChat, all those encrypted apps that they're prohibited from using, they're not allowed to be using, and you can see if it comes up in the communication, if they're mentioning it: “message my WhatsApp,” “reach me at WhatsApp,” that's how you'll know if they're using an encrypted app. That's a great way to see if they're using those prohibited encrypted apps. I always recommend training. You need to list out the apps. Don't just say they're not allowed to use encrypted channels. You need to be very specific. You need to list that they cannot use WeChat, they cannot use any encrypted app that cannot be captured. It is very critical, and I think, training, have them attest to it. Those are all the ways that a firm can protect itself from reps using encrypted apps. Elin, any recommendations?
Elin Cherry: The only thing I would add to that is in the annual attestation, I would actually have them attest that they are aware they're not supposed to be using these, because it's just a little bit extra, and it has shown to help firms when employees choose to use things that they shouldn't be using, such as text messaging. If they're not capturing it, the employees can't use it, have the employee sign, but then the firm needs to follow its own rules. I think that's a good thing to do to just protect yourself.
Robert Cruz: I would also continue to monitor the availability of solutions in this area. There are some interesting technologies that are beginning to emerge. They may not be perfect, but ... having a solution to address some of these capabilities is better than not being addressed at all. Keep monitoring this area of technology. It is moving very, very quickly.
Davi Schmidt: Awesome. Thank you. Okay. Next question we have here is, have you seen regulators going after electronic communications used in an office? For example, Salesforce chatter where the staff is talking to each other and not to clients.
Elin Cherry: I haven't seen them going after it, but it is clearly in the rules that it needs to be maintained and reviewed when the rules changed over. My view is … it's just not quite yet what we're seeing, and it's not going to be until there's a problem there where we're really going to see that. That's what I've seen. I don't know, Marianna or Robert, if your experiences have been different.
Marianna Shafir: I also haven't seen Salesforce, but I have seen incoming messages where a rep was fined for texting with his assistant about a customer, customer's account. That rep was fined even though he was only communicating with his assistant. That's an example of incoming messages. Internal messages do need to be captured for business communications.
Robert Cruz: And I would just separate supervisory obligations from your books and records obligations, because the question of, is a communication on Microsoft Teams or Slack a business record? It depends on the content and the context of the conversation. If it's a broker-dealer and an advisor, but it happens to be talking about a specific financial product, it could very clearly trigger a records requirement for retention. Even though you are retaining it, it doesn't necessarily mean that it has to be taken into the supervisory process. Look at the basic retention obligation first, because we are seeing, as I mentioned, issues that have arisen in the inappropriate use of some of these interactive tools. So I think it's an area where if you believe that there may be risk residing in that communication network, it's always good to have that incorporated into your confidence selection process.
Davi Schmidt: Great. Thank you. Next question we have here. For social media are newsfeed screenshots that show evidence of review by a registered principal acceptable forms of supervision?
Elin Cherry: Newsfeed screenshots, I would argue yes, that they are. I would look to see that that's the best that you can do and that there isn't something else that you could do to solidify that up. Because you want to make sure that it's very clear that there's the right metadata showing that the supervisor was the one who is actually doing the screenshots. I would argue yes, but I would also argue that you're going to be making that argument versus having a rock-solid way to show evidence. I would ask for more. I would try to get more. It just depends on what tools you have available, how much time it would take, things like that. Be aware that you might be in a position of having to argue that you've got good controls in place with that process.
Robert Cruz: Yeah, that's a good angle. I would add only that keep in mind the earlier conversation we had regarding interactive communication networks. What may be appearing in the screenshot in a persistent chat, right now it's going to be different, 30 minutes from now. There may be better methods. It may not be up-to-date and complete, it may not be encompassing all the things that people can do as they interact over a period of time. So it's another limitation on the idea of a screenshot being complete, one that's already been argued in court on the litigation side. Be aware of these interactive sources, because one snapshot isn't going to necessarily give you the full picture.
Davi Schmidt: Great. I think we have time for maybe one more question. This one's regarding social media. Do firms need to supervise likes and sharing of pages and/or posts?
Elin Cherry: Well I think that the answer on posts and sharing is pretty clear. Just off the top of my head, I don't know Marianna, if you or Robert are better on the likes, but I think that for the post and the sharing, if it's done for business purposes it needs to be supervised. If you look at LinkedIn, if the person is using LinkedIn to sell their broker-dealer services, then the posts and the shares need to be supervised.
Marianna Shafir: Absolutely. If it's a business communication, it does need to be captured. Archived, captured, and supervised.
Robert Cruz: Right. It's also good to refer back to, was it on 1139, and the follow-up to that, that delineates some of the interactive communications and technologies that potentially can help you to disable features that you may not want to put in the hands of your registered reps, like disabling the ability to like a third-party post. Those capabilities are in the market. These are things that we've been doing for a number of years. It's not just an issue of capturing or not capturing. You can do this, in many cases, across different networks like LinkedIn at a granular level where you can disable some of those features that you might consider to have too much risk.
Davi Schmidt: Great. Thank you. We are out of time, but I want to thank everyone for attending today, and thank you to our speakers. Please note that the webinar has been recorded and a link to the recording will be sent out via email. If you asked a question and we were not able to get to it, we'll definitely have someone reach out after the webinar to make sure all of those questions get answered. You're also welcome to send any additional questions to us at firstname.lastname@example.org. Again, if you have questions that you didn't get in the chat, you can email us at email@example.com. Thanks again, and have a great rest of your day.