The next time FINRA knocks on your door, you should expect their exam team to want to jump into your message archive as well as see evidence of a well-constructed ongoing electronic communications surveillance process.
The violations noted by FINRA in recent months highlight many instances where broker-dealers not only failed to adequately supervise employees’ electronic communications, but in certain situations failed to retain required books and records. Examples of actions in the past year include:
- January 2017 - a large broker-dealer was fined $1,000,000 for omitting 3,500 secondary email accounts from the accounts to be monitored. The omission resulted in the firm not having access to millions of emails, including over 11,000 customer emails related to the securities business.
- March 2017 - a broker-dealer paid a $125,000 fine after the firm failed to evidence in writing that it completed timely monthly reviews of its electronic communications for four of its six business groups.
- July 2016 - a broker-dealer paid a $20,000 fine due to its email archival system lacking dedicated supervisory review functions, as well as its inability to create a verifiable audit trail.
- May 2016 - a broker-dealer was fined $15,000 after certain registered representatives were identified as using personal email accounts to conduct firm business.
- March 2016 - a broker-dealer paid a $45,000 fine for failing to conduct a manual review of its emails involving certain registered representatives. The firm failed to review the messages despite establishing an automated computerized surveillance system to randomly select batches of emails and emails triggering select keyword hits.
This is just a sampling of fines related to electronic communications and it should come as no surprise. Broker-dealers were warned in FINRA’s 2017 Priorities that Social Media and Electronic Communications Retention and Supervision would be a continued topic of focus.
Broker-dealers are expected to establish and maintain adequate systems and procedures for the preservation, maintenance, and review of electronic correspondence. However, many compliance officers struggle to find the resources necessary to perform comprehensive reviews of electronic communications.
Below are some considerations to make when developing a good electronic communication surveillance process:
Monitoring New/Secondary Accounts
- When a new employee is brought on board, examine your archive on that first day to confirm that messages sent or received from the account are being captured.
- If your team establishes secondary accounts for employees, consider at the time of creation sending a test message and then ensuring that the message has been archived appropriately.
- Many systems allow for summaries that outline the volume of data that is captured on a daily basis. If normally there are 100,000 messages daily, and one day the number drops to 20,000, you may have an issue that requires investigation. Consider asking your archival provider about this real-time tracking capability.
- If new messaging platforms are approved for use, ensure that the correspondence is archived.
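The two capture checks described above (accounts missing from the archive, and a sudden drop in daily volume) can be automated. The following is an added example, not part of the original article or any archival vendor's product; the account names, daily counts, five-day window and 50% threshold are constructed assumptions.

```python
from statistics import median

# Constructed sample data (not from any real directory or archive).
DIRECTORY_ACCOUNTS = {  # every mailbox provisioned, primary and secondary
    "jdoe@firm.example", "jdoe-desk@firm.example", "asmith@firm.example",
}
ARCHIVED_ACCOUNTS = {  # mailboxes the archive reports as in capture scope
    "jdoe@firm.example", "asmith@firm.example",
}
DAILY_COUNTS = [  # (business date, messages captured) from a daily summary
    ("2017-03-01", 101200), ("2017-03-02", 98700), ("2017-03-03", 100400),
    ("2017-03-06", 99800), ("2017-03-07", 102100), ("2017-03-08", 20000),
    ("2017-03-09", 100900),
]

def uncaptured_accounts(directory, archived):
    """Return accounts that exist in the directory but not in the archive scope."""
    return sorted(directory - archived)

def volume_drops(daily_counts, window=5, threshold=0.5):
    """Flag days whose count is below threshold * median of the prior `window` days.

    A median baseline is used so that one bad day does not drag the baseline
    down and mask a second bad day shortly afterwards.
    """
    alerts = []
    for i in range(window, len(daily_counts)):
        baseline = median(c for _, c in daily_counts[i - window:i])
        day, count = daily_counts[i]
        if count < threshold * baseline:
            alerts.append((day, count, baseline))
    return alerts

if __name__ == "__main__":
    for acct in uncaptured_accounts(DIRECTORY_ACCOUNTS, ARCHIVED_ACCOUNTS):
        print(f"NOT ARCHIVED: {acct}")
    for day, count, baseline in volume_drops(DAILY_COUNTS):
        print(f"VOLUME DROP: {day} captured {count}, baseline {baseline}")
```

Keeping each run's output with the date it was produced also serves as evidence that the check was performed.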
Documentation of Reviews
- Regulators will often take the view that if it is not documented, it didn’t happen. Consider establishing a simple, repeatable documentation process outlining the search parameters, dates within the scope, volume of content reviewed, and actions taken to address any issues identified.
Partnering with an Archival Provider
- It is important to not only retain all necessary correspondence, but also to be positioned to effectively and efficiently monitor the correspondence for potential risks.
- Many platforms allow for compliance teams to establish risk-based lexicons that can make the “random” sample of messages being pulled for review more targeted.
Personal Email Usage
- Conduct a review of messages being sent to common personal email domains (e.g., @gmail.com, @yahoo.com, @hotmail.com).
- Regulators expect retained messages to be reviewed in line with the firm’s WSPs.
- This process can be supported by outside parties.
About ACA's Electronic Communications Reviews
ACA’s Electronic Communications Reviews can help ease resource concerns by providing a team of surveillance analysts to assist with required surveillance. Our experienced surveillance team has taken on protocols outlined in WSPs and has worked with hundreds of advisers and broker-dealers to enhance their broad surveillance testing. ACA supports testing for 250+ clients and partners with firms to develop customized testing, reporting, and documentation of the reviews.
Prior to each review, ACA conducts a teleconference with members of the firm to get up to speed on recent developments and appropriate targeted review areas. ACA couples the targeted review areas with regulatory developments, insight into industry best practices, as well as existing internal supervisory procedures. Our testing assists with identifying messages that may warrant further review by the firm while taking away the time burden required to conduct thorough testing. The review process is very much customizable to meet unique needs.
About ACA's Compliance Support Solutions
ACA’s Electronic Communications Review Solution is offered as part of our Compliance Support Solutions, which help CCOs manage their budgets and do more with less. ACA’s Electronic Communications Review Solution is provided out of ACA’s Analysis and Review Center (“ARC”) in Pittsburgh, PA. The ARC’s team, which is overseen by a former regulator and a former CCO, has practical experience and knowledge specific to the regulatory challenges and obligations faced across the industry.