On June 14, 2007, the National Association of Securities Dealers, Inc. (the “NASD”) posted Notice to Members 07-30 (“NTM”) requesting comment on proposed joint guidance (“Proposed Guidance”) by the NASD and New York Stock Exchange (“NYSE”) (together, the “SROs”) relating to the review and supervision of electronic communications.[1] The Proposed Guidance sets forth principles for a firm to consider when developing supervisory systems and procedures for electronic communications that are reasonably designed to achieve compliance with applicable federal securities laws and self-regulatory organization rules. The Proposed Guidance provides interpretative guidance on supervising electronic communications in the following six areas:
- Written Policies and Procedures;
- Types of Electronic Communications Requiring Review;
- Person(s) Responsible for Reviews;
- Review Methods;
- Frequency of Reviews; and
- Review Documentation.
The Proposed Guidance would permit a firm to employ risk-based principles to determine the extent to which additional supervisory policies and procedures are required to adequately supervise its business and manage the firm’s reputational, financial, and litigation risk. Comments on the Proposed Guidance are due by July 13, 2007.
The Proposed Guidance indicates that a firm generally may decide, by employing risk-based principles, the extent to which the review of electronic communications, both internal and external, is necessary in accordance with the supervision of its business. The Proposed Guidance notes that when employing risk-based procedures to review electronic communications, a firm should consider effective ways to:
- “flag” electronic communications that may evidence or contain customer complaints, problems, errors, orders, or other instructions for an account; or evidence conduct inconsistent with SRO rules, federal securities laws, and other matters of importance to the firm’s ability to adequately supervise its business and manage its reputational, financial, and litigation risk;
- identify such other business areas the firm may identify as warranting supervisory review; and
- educate employees to understand and comply with the firm’s policies and procedures regarding electronic communications.
Overview of Proposed Guidance
As noted above, the Proposed Guidance provides interpretive guidance on supervising electronic communications in six areas, as discussed below.
Written Policies and Procedures
The Proposed Guidance indicates that an effective supervisory system starts with clear policies and procedures for the general use and supervision of internal and external electronic communications. The Proposed Guidance notes that these policies and procedures should be updated regularly to address new technologies, such as the use of weblogs and podcasting. The Proposed Guidance also indicates that a firm should provide its employees with the following:
- quick and easy access to electronic communications policies and procedures (e.g., through the intranet system);
- timely updates to such policies and procedures; and
- a clear list of permissible electronic communications mechanisms (including a clear statement that all other mechanisms are prohibited) and their proper use.
When developing policies and procedures, the Proposed Guidance suggests that a firm, among other things, avoid vague language, explain the potential consequences of non-compliance with such policies and procedures, and provide for training on the use of electronic communications.
Types of Electronic Communications Requiring Review
The Proposed Guidance addresses the types of external and internal communications that require review. In regard to external communications, the Proposed Guidance notes that a firm is currently required to establish policies and procedures on the forms of electronic communications that it permits an employee to use when conducting business with the public and to take reasonable steps to monitor an employee’s compliance. The Proposed Guidance points out that in the past a firm-supplied e-mail address was likely the primary way in which employees communicated with customers. However, the Proposed Guidance explains that with advances in technology there are more ways to communicate with the public. As a result, the Proposed Guidance suggests that a firm consider taking technological steps to block or otherwise regulate the external and internal use of prohibited electronic communications in accordance with its policies and procedures. Specifically, the Proposed Guidance suggests that a firm consider the following options:
Non-Member E-Mail Platforms
- If a firm permits an employee to communicate with customers through non-member e-mail platforms or addresses, the firm must supervise and retain those communications.
- If a firm’s policies and procedures prohibit an employee from accessing non-member e-mail platforms for business purposes, then the firm should consider requiring the employee to certify on an annual or more frequent basis that he or she is complying with such policies and procedures.
- Alternatively, a firm may block access to these e-mail platforms through its networks. A firm should periodically conduct tests to ensure that its blocking system is functioning as designed or intended.
Employees’ Personal Electronic Devices
- A firm’s policies and procedures should prohibit communications with the public for business purposes from an employee’s own electronic devices unless the firm is capable of supervising, receiving, and retaining such communications.
- Absent a prohibition, a firm should consider requiring pre-approval for the business-related use of any personal electronic communications device. In addition, a firm should consider obtaining an agreement from an employee authorizing the firm to access any such personal electronic communications devices.
- A firm should also consider prohibiting, where appropriate, the use of personal electronic communications devices in certain sensitive firm locations (e.g., where material non-public information could be accessed).
- A firm should consider blocking access by its employees to message boards to prevent them from communicating through these boards for business purposes.
- A firm should treat E-faxes as electronic communications that require firm supervision.
In regard to internal communications, the Proposed Guidance notes that, with the exception of certain enumerated areas requiring review by a supervisor, a firm may decide, by employing risk-based principles, the extent to which review of any internal communications is necessary in accordance with the supervision of its business. In reaching a risk-based assessment regarding the review of internal communications, the Proposed Guidance suggests that consideration be given to, among other things: detecting when a firm’s information barriers are not working to protect customer or issuer information; protecting against undue influence on research personnel contrary to SRO rules; and segregating the firm’s proprietary trading desk activity from all or part of the other operating areas of the member.
Person(s) Responsible for Reviews
The Proposed Guidance suggests that a firm’s procedures for persons responsible for the review of electronic communications (internal and external) should address the following:
- The person(s) responsible for performing the reviews.
  - The person responsible for performing a review should be clearly identified.
  - The supervisor/principal must evidence his or her supervision as required by SRO rules. Evidence of review can be satisfied by use of a log or other record from the electronic communications system that identifies the reviewers.
- Delegation of certain electronic review functions by the supervisor/principal to persons who need not be registered.
  - The supervisor/principal remains ultimately responsible for the performance of all necessary supervisory reviews and should ensure delegated functions are properly executed.
  - The procedures must provide persons delegated with review responsibilities a protocol to escalate regulatory issues to the designated supervisor or other appropriate department.
- The required knowledge, experience, and training for a reviewer to adequately perform the reviews.
  - A firm should be able to demonstrate that a reviewer meets these criteria, which could include: prior supervisory or other experience, years of service in the industry, professional licenses, completion of firm and regulatory element training, product knowledge, educational degrees, knowledge of member products and services, etc.
- Absent certain limited circumstances (e.g., a sole proprietor), an individual may not conduct supervisory reviews of his or her own electronic communications.
Review Methods
The Proposed Guidance indicates that a firm should develop review procedures for correspondence that are both reasonably designed to achieve compliance with applicable securities laws, regulations, and SRO rules and appropriate for its business and structure, consistent with the principles set forth in the Proposed Guidance. The Proposed Guidance suggests that a firm include in its methods of review, among other things: the issues to be raised and material to be examined during a review, such as SRO communications; indicia that a customer has received a communication that is not in conformance with the firm’s policies and procedures; the ability to monitor and supervise encrypted electronic communications, if applicable; the review of electronic correspondence in all languages in which it conducts business with the public; and the re-review by legal and/or compliance departments of e-mails that have already been reviewed by a line supervisor and his or her delegatee in certain limited situations, such as an internal investigation or branch office inspection program. Furthermore, the Proposed Guidance suggests that a firm consider the following methods of review:
Lexicon-based Reviews of Electronic Correspondence
- A firm should utilize an appropriate lexicon, take reasonable security measures to keep the list confidential, and periodically evaluate the efficacy of the lexicon.
- A firm should consider a supplemental random review of electronic communications if the effectiveness of the lexicon is in question.
- A firm should assess the effectiveness of a lexicon-based system.
Random Review of Electronic Correspondence
- A firm may choose to use a reasonable percentage sampling technique, whereby some reasonable percentage of the electronic communications generated by the firm is reviewed (i.e., a percentage of electronic correspondence based on a branch office, department, or business unit or a percentage of electronic correspondence for each individual).
Combination of Lexicon and Random Review of Electronic Correspondence
- Given the strengths and weaknesses of any single review tool, a firm should consider complementary review techniques.
Standards Applicable to All Review Systems
- A firm should incorporate ongoing evaluation procedures to identify and address any “loopholes” or other issues that may arise as the means of transmitting sensitive information “under the regulatory radar” become more sophisticated and difficult to capture.
Frequency of Reviews
The Proposed Guidance indicates that the frequency of correspondence review may vary depending on the business. It indicates that such frequency should be related to the type of business conducted (i.e., the market sensitivity of the activity); the type of customers involved; the scope of the activities; the geographical location of the activities; the disciplinary record of covered persons; and the volume of the communications subject to review. The Proposed Guidance suggests that a firm prescribe reasonable timeframes within which supervisors are expected to complete their reviews of correspondence, taking into consideration the type of review being conducted and the method of review being used. Further, when determining the reasonableness of such timeframes, a firm should carefully consider the type of business it is conducting and the extent to which a review’s usefulness, in the context of that business, is diminished by the passage of time.
Review Documentation
The Proposed Guidance indicates that a firm must evidence its reviews, whether electronically or on paper, and be able to reasonably demonstrate that such reviews were conducted. The Proposed Guidance suggests that the evidence of review should, at a minimum, clearly identify the reviewer, the communication that was reviewed, the date of review, and the steps taken as a result of any significant regulatory issues that were identified during the course of the review.
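As an added illustration (not part of the NTM or the memo) of the Review Methods and Review Documentation sections above, the following Python combines a lexicon-based flag with a supplemental random sample of the unflagged messages, refuses self-review, and emits an evidence record carrying the minimum fields the Proposed Guidance names. The messages, the lexicon, the reviewer name and the sample percentage are all constructed for the example.

```python
import math
import random
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample messages: (id, sender, text). Not taken from the Notice.
MESSAGES = [
    ("m1", "alice", "Per your call, please change the order to 500 shares."),
    ("m2", "alice", "Lunch at noon?"),
    ("m3", "carol", "I want to file a complaint about fees on my account."),
    ("m4", "dave", "Guaranteed returns on this one, trust me."),
    ("m5", "dave", "Quarterly newsletter attached."),
    ("m6", "carol", "Thanks, received."),
]

# Hypothetical lexicon. The Guidance says the real list should be kept
# confidential and its efficacy re-evaluated periodically.
LEXICON = {"complaint", "guarantee", "order", "error"}

@dataclass
class ReviewRecord:  # the minimum evidence of review the Guidance names
    reviewer: str
    message_id: str
    review_date: date
    basis: str        # "lexicon" or "random"
    hits: list
    action: str

def lexicon_hits(text, lexicon=LEXICON):
    """Lexicon terms matching any word by prefix ('guaranteed' hits 'guarantee')."""
    words = re.findall(r"[a-z]+", text.lower())
    return sorted(t for t in lexicon if any(w.startswith(t) for w in words))

def run_review(messages, reviewer, sample_pct, review_date, seed=0):
    records, unflagged = [], []
    for mid, sender, text in messages:
        if sender == reviewer:  # no supervisory review of one's own messages
            raise ValueError(f"{reviewer} may not review own message {mid}")
        hits = lexicon_hits(text)
        if hits:
            records.append(ReviewRecord(reviewer, mid, review_date, "lexicon",
                                        hits, "escalated to compliance"))
        else:
            unflagged.append(mid)
    # Supplemental random sample of what the lexicon did not flag (seeded so
    # the selection itself is reproducible for the review log).
    k = math.ceil(len(unflagged) * sample_pct / 100)
    for mid in sorted(random.Random(seed).sample(unflagged, k)):
        records.append(ReviewRecord(reviewer, mid, review_date, "random",
                                    [], "no issue noted"))
    return records
```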
The NASD and NYSE are requesting comments on the Proposed Guidance. The SROs explained that they developed the Proposed Guidance as a guideline to assist members in the establishment and maintenance of supervisory systems for electronic communications that are reasonably designed to achieve compliance with the federal securities laws and self-regulatory organization rules. The SROs noted that the Proposed Guidance is not intended to specifically address every regulatory issue that may arise in connection with the supervision of electronic communications. The SROs also represented that the Proposed Guidance is not a safe harbor. The comment period closes July 13, 2007.