In this first of a two-part regulatory update, Smarsh review major regulatory actions and fines against firms and individuals in the first quarter of 2023. In this post, they highlight how firms need to understand the evolving realities of regulatory enforcements and what they need to prioritize when planning, refining and executing their compliance strategy. In part two, Smarsh cover the regulatory impacts to individual advisors.
It’s only been a few months since the start of 2023, and a lot has happened within and adjacent to the financial services industry. The modernization of SEC 17a-4 is in full effect, both the U.S. Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) emphasized their focus on cybersecurity and digital communications, and new technologies like ChatGPT are creating plenty of compliance challenges.
Books and records top enforcement issues
Overall, Eversheds Sutherland’s Annual Analysis of FINRA Disciplinary Actions showed a decrease in sanctions and enforcement actions in 2022.
While the number of overall cases reported by FINRA decreased in 2022, there was an increase in the number of “supersized fines” of $1 million or more reported.
Books and records was the most enforced rule, as measured by fines. In 2022, FINRA reported 50 such cases and levied over $14.8 million in fines.
Several of these cases included instances where firms failed to supervise and preserve business-related communications. In the largest case where books and records was the primary focus, FINRA fined a firm $2.8 million, finding that the firm failed to correct inaccuracies in trade confirmations it sent to customers over multiple years and after three warnings.
The big violations (and fines) of Q1 2023
Missed call (records) costs firm
FINRA fined a firm $1.1 million for failing to timely and completely produce phone records in response to FINRA’s requests for documents. The firm:
- Inaccurately produced certain phone records
- Failed to search a storage location containing older call detail records
- Failed to promptly advise FINRA of its production failures
- Did not identify all affected investigations where its responses were likely incomplete until more than a year after discovering the issue
- Failed to preserve certain responsive call detail records from an internal network drive
- Did not prevent responsive records from being deleted, resulting in missing call detail records ranging from several days to several weeks.
Ineffective WSPs for email supervision
One firm was fined $45,000 for failing to establish, maintain, and enforce reasonable supervisory systems, including written supervisory procedures (WSPs), to review electronic communications.
The firm’s email review was unreasonable in practice, as it reviewed only 0.26% of the emails sent or received by registered representatives. The keywords used to flag emails for review were also inadequate, as they included the firm’s own name, which appeared in virtually all emails.
In addition, the firm’s WSPs did not specify any keywords or process for identifying keywords to flag emails for review or describe any parameters for conducting random sampling.
The firm’s WSPs also lacked clarity on:
- The personnel responsible for email review
- Frequency and sample size of email review
- Keywords or process for identifying flagged emails
- Parameters for conducting random sampling, types of red flags requiring follow-up steps
- Steps for escalating issues identified during email review
Customer complaints weren’t archived
A firm was fined $3 million for inadequate supervision in establishing and maintaining a supervisory system and WSPs to identify and respond to customer complaints.
The firm’s supervisory system for identifying and responding to customer complaints was found to be poorly designed. There was insufficient allocation of staff and resources to handle the high volume of customer communications, including complaints.
Additionally, the firm failed to report written customer complaints to FINRA, including those involving theft or misappropriation. The use of a lexicon tool to identify potential customer complaints was deemed inadequate, and the firm’s WSPs did not clarify that grievances related to customer questions, operational concerns, or service issues should be treated as customer complaints.
Archiving solution failed to capture encrypted iMessages on firm-owned devices
FINRA fined a firm $200,000 for failing to retain business-related iMessages sent and received by its registered representatives on firm-owned iPhones. While the firm permitted work-related text messages, the firm’s third-party archiving system couldn’t capture end-to-end encrypted iMessages.
The firm attempted to disable or block the iMessage function for the iPhones it had previously issued and for those going forward. However, the disabling control was not working on new iPhones due to an issue with a new version of the iPhone’s operating system.
A firm representative referenced sending and receiving specific text messages that the firm could not find in its archiving system. The firm realized that the referenced text messages were iMessages, which were not being archived by the firm’s third-party system.
After conducting a supervisory review, the firm collected firm-owned iPhones from its representatives and uploaded iMessages from those iPhones into the firm’s archiving system to perform a supervisory review. The firm also worked with vendors to deploy a more robust blocking control to disable the iMessage feature on firm-owned iPhones.
Intentional use of ‘auto-delete’ messaging feature lands firm in hot water
The CFTC charged a firm for willfully evading Federal Law and operating an illegal digital asset derivatives exchange.
The firm was alleged to knowingly disregard applicable provisions of the Commodity and Exchange Act (CEA) while engaging in a calculated strategy of regulatory arbitrage to their commercial benefit. The complaint indicated that the firm acted as a designated contract market or swap execution facility based on its role in facilitating derivatives transactions without registering with the Commodity Futures Trading Commission (CFTC), as required.
The complaint charges the firm for conducting activities outside the US to avoid CFTC regulation requirements, including intentionally structuring entities and transactions to avoid registration and instructing customers on how to evade the firm’s compliance controls.
The charges state the [firm] used different messaging applications (e.g., Telegram, WeChat, Signal) to conduct business and would enable auto-delete features to cover their tracks after communicating about inculpatory matters.
Prepare for the rest of 2023
Regulatory actions in Q1 give the financial services a taste of what’s to come: firms will need to shore up their compliance strategy to meet the heavily enforced books and records requirements.
More specifically, enforcement actions are strongly trending towards an emphasis on discovering and reasonably supervising for off-channel communications. This is a challenging reality as more firms, employees and customers are gravitating towards newer (and often encrypted) communication tools.
Failure to meet regulatory requirements can result in fines and disciplinary action. Firms must establish a reasonable supervisory system for business communications and ensure that the policies are properly enforced and followed through reasonable supervision.
Based on the above, firms should consider the following elements:
- Reassess your established WSPs to review electronic communications to meet current communications pitfalls
- Make sure you can retain and supervise all business-related communications including text messages and mobile messaging applications
- Review your supervisory system and written supervisory procedures to assess if you can properly identify and respond to customer complaints
- Reassess if you have adequate allocation of staff and resources to meet your compliance obligations, particularly in light of the increase in communications firms are experiencing
- Work with proven archiving vendors to enable business communications
While an effective WSP is the first step to defining your firm’s compliance strategy, it can’t simply be a prohibition policy. It won’t save firms from fines if their brokers communicate with clients over those prohibited channels. And as we’ve consistently seen, the number of off-channel communications will continue to grow.
Author: Tiffany Magri – Regulatory Advisor at Smarsh
As a Regulatory Advisor at Smarsh, Tiffany monitors, evaluates and consults on the financial services regulatory landscape. Tiffany has more than 10 years of experience facilitating compliance with laws and regulations, policies, and risk management. Prior to joining Smarsh, Tiffany was a Senior Associate at Benefit Street Partners and a Compliance Analyst at Broadstone and Manning & Napier Advisors.
Our range of innovative solutions can be tailored to suit your unique requirements, no matter whether you’re currently working from home, or are continuing to go into the office. Our services can be deployed individually or combined to form a broader solution to release your energies and focus on your clients.
Need A Regulatory Marketing Compliance Consultant? A Bit More About Us
Why Not Download our FREE Brochures! Click here.
Call Us Today on 020 8087 2377 or send us an email.
We welcome individual bloggers / Professional Writers / Freelancers to submit high quality contents. Find out more…
You can see our Google reviews here.
Connect with us via social media and drop us a message from there. We’d love to hear from you and discuss how we can help.