Regulatory Updates: Firms Penalised for Electronic Communication Retention & Supervision Deficiencies

Dec 18th '17

Regulators continue to examine and penalize firms for inadequate electronic communication policies, supervision, and records. In November, FINRA penalized four firms for electronic communication retention and supervision deficiencies.

The Recent Enforcement Cases

A firm was censured and fined $175,000 for failure to establish, maintain and enforce Written Supervisory Procedures (“WSPs”) reasonably designed to achieve compliance with the record retention requirements under Exchange Act Rule 17a-4. The firm failed to maintain electronic brokerage records related to approximately 46 million market-making transactions in write once, read many (WORM) format. The findings stated that the firm did not have an audit system for those records it failed to maintain in WORM format.

A second firm was fined $35,000 for failure to supervise websites and social media accounts. The firm failed to establish a policy or system for approval, supervision, or retention of registered representatives’ business social media accounts, and did not review, approve, supervise, or retain any of the social media accounts maintained by registered representatives for securities-related business purposes.

Another firm was censured and fined $30,000 because the firm allowed certain representatives to use their personal emails to send and/or receive business-related communications. The firm’s former CCO allowed the use of personal emails so long as such emails were copied to a firm email address for review and retention purposes. The firm’s written procedures were not updated to reflect this modification. In addition, not all representatives complied with the condition that they copy emails to a firm email address. At least three representatives used personal email addresses to send and/or receive business-related emails that were not always copied to the firm. Most of these emails were internal firm communications sent from a firm email address to the representatives’ personal email addresses and were thus captured by the firm. Additionally, the firm failed to enforce its WSPs pertaining to email review. Those procedures required that, on an ongoing basis, 10 percent of all retail registered representatives’ emails and five percent of other department emails would be reviewed for appropriateness of communications using a random sampling basis. The firm’s email review system flagged a random sample of approximately 350,000 emails for review during a period of time, but the firm reviewed less than one percent of the flagged emails.

Lastly, a firm was censured and fined $5,000 for failure to properly communicate the email-review responsibilities to all of the principals that the firm had designated in its WSPs as responsible for email review. The firm’s automated email-surveillance system flagged 135,855 emails for review by one of four principals to whom it had assigned that responsibility; however, only 73 of those emails were actually reviewed. The firm subsequently reviewed the flagged emails after the failure was identified. A lower fine was imposed after considering, among other things, the firm’s revenue and financial resources.

The Regulatory Requirements

Firms need to demonstrate to regulators that they are supervising the activities of their associated persons. FINRA Rule 3110 “requires a firm to establish and maintain a system to supervise the activities of its associated persons that is reasonably designed to achieve compliance with the applicable laws and regulations and FINRA rules.” FINRA Rule 3130 also requires broker-dealers to test and report annually on the effectiveness of the firm’s written supervisory procedures, and to store those policies and procedures in accordance with 17a-4 requirements.

The Bottom Line

As you can see in the above enforcement cases, having a set of WSPs is not enough. It’s important to enforce the policies and document the reviews. Not following the firm’s policies and procedures is just as bad as not having any in the first place.

Your firm’s WSPs should be tailored to your firm and reflect all the activity in which your firm engages. At a minimum, the firm’s WSPs should identify the designated responsible supervisor, describe the process the supervisor will follow to conduct each review, state when (i.e., how frequently) such actions will be taken, and explain how the supervisor will evidence that the required supervisory steps were taken. WSPs should be updated not only to reflect changes to regulations, but also when changes are made to the supervisory process. Ensure the policies are properly enforced and followed by the designated reviewers. And finally, make sure employees are aware of all policy guidelines and permitted communication channels.

Review the adequacy of your electronic communications policy and supervisory systems. If your firm permits various electronic communication channels, establish a system for approval, supervision, and retention. As for supervision, there is no prescribed formula for determining how many messages to review. However, enough should be reviewed for an advisor to be able to defend it as reasonable. The objective is to review as many messages as are required in the firm’s WSPs. If the WSPs call for a review of 10 percent of all registered representatives’ emails, don’t review only 1 percent.

Technology solutions are available that can help firms automate much of the electronic communications supervision process. The Archiving Platform from Smarsh has monitoring features that assist with electronic communication surveillance and automatically log the reviews. This is incredibly effective at finding potential violations by advisors using their personal email to communicate with clients. You can create keywords and key-phrases to flag the risk of advisors using unauthorized communication channels. Examples include: “send to my personal email,” “respond to my gmail,” “text me,” and “let’s take this offline.”

One of the most frequently cited violations is failure to follow the firm’s Written Supervisory Procedures. The solution is simple — spend time supervising your employees to help affirm compliance with regulations to avoid fines and to protect your firm’s reputation.

Source: Smarsh

Author: Marianna Shafir Esq. Corporate Counsel, Regulatory Advisor at Smarsh

Marianna Shafir is Corporate Counsel and Regulatory Advisor at Smarsh, where she’s responsible for legal and regulatory affairs worldwide. In addition, she helps Smarsh clients navigate compliance obligations, technology trends, and new industry regulations through her vast knowledge of best practices related to electronic communications supervision. Prior to joining Smarsh, Marianna worked for BNY Mellon and Invesco in varying compliance roles.

Marianna is an adjunct professor and lecturer of Law at New York Career Institute, where she teaches Law Office Management and Real Estate Law. She earned her J.D. at Nova Southeastern University, and a B.B.A. degree in marketing from Baruch College.