On September 23, 2020, the U.S. Securities and Exchange Commission (“SEC”) announced a settlement pertaining to charges against a registered broker-dealer (“BD”) for the failure to preserve relevant business-related text messages of several of its registered representatives, members of senior management, and compliance personnel. The SEC found that the BD’s failure to retain the text messages was in direct violation of Section 17(a) of the Securities Exchange Act of 1934 (the “Exchange Act”), requiring the maintenance and retention of certain records, and Rule 17a-4(b)(4) thereunder, which requires BDs to preserve original copies of certain business-related communications sent or received for three years.
The BD’s electronic communications (“e-comms”) policy stated that employees were prohibited from conducting business-related correspondence via text messaging, as well as from using personal devices to communicate for business purposes. Despite the firm’s policies prohibiting texting for business, the SEC found that certain employees communicated via text messages on personal devices with each other, with customers, and with additional third parties regarding, among other items, trade orders, product offerings, and the pricing of certain securities. The SEC also found that, due to the firm’s failure to preserve business-related text messages on a firm-sponsored system, it was unable to produce certain records that were requested by the SEC during an ongoing investigation into a third party.
As part of the settlement, the broker-dealer has agreed to the following: to cease and desist from any violations of Section 17(a) of the Exchange Act and Rule 17a-4 thereunder, to be censured, and to pay a civil penalty of $100,000.00 to the SEC. It is worth noting that in recent years, the Financial Industry Regulatory Authority (“FINRA”) has fined multiple BDs for similar violations related to e-comms retention.
E-comms channels used by financial services firms are evolving rapidly. Compliance teams are left facing the challenge of how to provide for the ever-changing messaging needs of employees while mitigating risks by maintaining proper records as required by applicable U.S. securities laws. The following checklist includes recommendations for ensuring that your firm remains compliant with regard to archiving relevant business-related e-comms:
- Review your firm’s electronic communications policy to ensure that all approved messaging channels, as well as those that are currently unapproved for business purposes, are clearly defined and the risks associated with the use of unapproved channels are communicated appropriately in your written policies and procedures.
- Encourage open communication with employees regarding the firm’s changing needs with respect to messaging platforms, and consider exploring options for archiving e-comms channels for which there appears to be a legitimate business request. If your firm’s archival vendor does not currently offer a solution for a requested channel, it may be able to work with another vendor to convert the messages into a format that can then be archived with the firm’s other e-comms.
- Conduct consistent risk-based e-comms monitoring and surveillance to test for the potential use of unapproved communications channels; consider searching for the names of commonly used platforms (e.g., “text,” “WhatsApp,” “Signal,” “Telegram”), as well as phrases such as “not in email,” “sent you a text,” “texted me,” or “check your phone.”
- If your firm relies on a lexicon for purposes of e-comms testing, make sure to regularly assess the terms and phrases that are included as flagging rules. The lexicon should be updated on an ongoing basis in order to remain current, comprehensive, and tailored to the risks of your firm.
- If employees may be communicating in languages other than English for business purposes, be sure to monitor and test for references related to the use of unapproved communications channels in those non-English languages; furthermore, consider including non-English search terms and phrases in your firm’s lexicon, if applicable.
- Implement social media testing to assist with identifying potential social media accounts used by employees for business-related communications (e.g., LinkedIn, Twitter, StockTwits).
- Conduct regular compliance training related to the proper and improper use of messaging channels for business purposes. Consider using redacted examples found during your firm’s e-comms reviews to further emphasize to employees that messages are being reviewed and Compliance is testing for the use of unapproved channels.
- With the continuing work-from-home environment and dispersion of employees, consider increased attestations from employees regarding their adherence to policies regarding communications channels.
- Remember the importance of documentation. Be sure to maintain records of all e-comms-related training, reviews, and attestations and to document any follow-up with employees conducted post-reviews.
How We Help
If your firm is finding it difficult to maintain the proper level of monitoring in this new environment, ACA can be of assistance. We specialize in conducting thorough reviews of electronic communications that use a tailored lexicon and design implementation to meet your firm’s needs. We can perform these reviews on all archived e-comms within dozens of archival platforms, and are able to perform e-comms reviews in seven languages.
We also provide the following services to ensure your firm continues to meet its regulatory obligations:
For More Information
For more information about the SEC’s regulatory actions, or to find out more about ACA’s electronic communications review services, please reach out to your ACA consultant or contact us here.