A recent FINRA disciplinary action sends a strong message to broker-dealers that the development of their compliance systems—particularly with respect to email review and retention—must keep pace with the growth of their businesses.
FINRA fined LPL Financial LLC (LPL) $7.5 million for significant failures in its email system that prevented LPL from accessing hundreds of millions of emails, and from reviewing tens of millions of other emails over an approximately six-year period. FINRA stressed that LPL’s inadequate systems and procedures caused the firm to provide incomplete responses to email requests from regulators, and also likely affected the firm’s production of emails in arbitrations and private actions. Accordingly, FINRA also required the firm to establish a $1.5 million fund to pay discovery sanctions to customer claimants that were potentially affected by the system failures, and to notify regulators that may have received incomplete email production.
Also notable are FINRA’s findings about the firm’s failure to be fully candid with the regulator in its self-report of the email lapses (FINRA has a strong focus on the obligation of firms to report internal conclusions of violations under Rule 4530), and about the breakdown of the firm’s internal audit processes in following through on preliminary findings about its email systems.
FINRA’s findings suggest some "best practices" that broker-dealers should consider implementing to ensure their systems are consistent with relevant FINRA rules, as discussed below.
THE FIRM’S SUPERVISORY FAILURES
FINRA attributed LPL’s supervisory lapses, at least in part, to the firm’s rapid expansion without a concomitant investment in technology and compliance resources. As a result, emails subject to supervisory review and retention obligations were captured from a variety of sources, including numerous financial institutions and several separate outside email vendors. The resulting "patchwork" of email systems did not provide LPL with adequate access to and oversight over the email correspondence of its registered representatives.
FINRA also focused on the nature of the firm’s business model, in which many of its registered representatives are independent contractors rather than employees, and frequently operate under one or more DBA names and use more than one DBA email address in addition to their firm address.
FINRA found the following supervisory failures, among others:
DBA Accounts. For almost a year, LPL's systems could not accommodate DBA email, and therefore the firm had not been reviewing those emails. After discovering that problem, the firm modified its system, but it still failed to capture more than one DBA email address per representative. A subsequent project to pull in more DBA addresses was stopped before completion, as was a resulting review by internal audit.
Email Archives. LPL failed to ensure that its emails were archived properly when it moved to a new email retention system. As a result, LPL was unable to respond completely to certain regulatory requests for emails.
Bloomberg Archives. LPL failed to review or archive Bloomberg messages for seven years prior to 2011. Moreover, the firm failed to take action to rectify this situation in a timely manner once it was brought to its attention.
Failure to Supervise Certain Registered Employees’ Email. Prior to 2011, LPL did not review the emails of its registered employees, such as home office personnel.
Failure to Enforce Policies Against the Use of Unauthorized Emails. Although the firm’s examination of its branch offices identified instances of independent contractors using unauthorized email addresses to conduct firm business, the firm did not discipline these individuals for such use, nor did it prohibit such individuals from continuing to use these email addresses.
Failure to Archive Emails Sent Through Third-Party Advertising Platforms. LPL allowed independent contractors to send emails through third-party email-based advertisement platforms, and even though firm employees were aware that these emails were not being archived, the firm took no action to address this issue for at least two years.
Registered broker-dealers should take careful note of this disciplinary matter, and assess their compliance with supervisory and recordkeeping obligations with respect to electronic communications.
- Consider conducting a comprehensive compliance audit of existing systems, policies and procedures related to surveillance, retention and recordkeeping obligations for electronic communications. Among other things, such audits should seek to ensure that:
  - The firm is capturing, retaining and reviewing the emails of all registered representatives, including emails used by registered representatives in the conduct of their employment outside of the firm’s email systems;
  - The firm has procedures for identifying all email addresses and platforms used by its registered representatives; and
  - The firm has established appropriate recordkeeping policies specifying, among other things, when records may be destroyed, and ensuring that such policies are consistently applied.
- Ensure that the firm’s procedures contemplate an internal audit function that has adequate resources, authority and support to investigate identified issues and make recommendations for corrective action.
- Remediate any identified issues promptly. One of the central themes of FINRA’s formal disciplinary action is that while the firm’s business grew rapidly, compliance issues did not receive the same amount of attention or resources. FINRA is clearly signaling that directing firm resources to the building of a business without a similar level of commitment to compliance will not be tolerated.
- Take steps to ensure that annual training includes adequate instruction regarding a registered representative’s use of email and other electronic communication media (see FINRA’s Guide to the Web for Registered Representatives, available at http://www.finra.org/industry/issues/advertising/p006118). Representatives should annually demonstrate their understanding of their obligations under the firm’s compliance policies related to the use and retention of emails and other electronic forms of communication.
- When compliance breaches are identified, firms should take deliberate and immediate disciplinary action against the registered representatives involved, consistent with firm policies.