In light of the increasing use of electronic communications, the Financial Industry Regulatory Authority ("FINRA", then NASD and NYSE Member Regulation) in 1998 amended a prior rule which required members to review all communications relating to the solicitation or execution of securities transactions.1 Under the amended rule, members were permitted to design a system for the supervision of external communications which was tailored to the members' specific circumstances.
Following the issuance of proposed guidance for comment,2 a discussion of which can be found in the July 2007 White & Case Financial Services Advisory Update,3 FINRA recently issued final guidance on the review and supervision of electronic communications.4 The guidance, without imposing additional supervisory requirements, provides a guideline for members to follow when creating and implementing systems and procedures to review electronic communications. According to the guidance, the requirement to review electronic correspondence is based not on the particular electronic form of the communication (e.g., text message or e-mail), but on the content and target audience.
General Considerations in Reviewing Electronic Communications
Members may design systems and procedures for the review of electronic communications, taking into account their size, location, business, customer base and other such factors. However, the use of electronic communications that will not be subject to supervision or review in accordance with the members' policies must be prohibited. A member's chosen supervisory method must identify the types of communications that will be subject to review as well as the person(s) responsible for conducting the review. Members should monitor the enforcement of their policies, as well as regularly evaluate the effectiveness of the policies and any need for modification, while providing appropriate training and guidance to employees. Members must also ensure that all customer complaints they receive, in any form, are properly reported to FINRA.
Required Review of Certain Communications
Under FINRA rules and federal securities laws, members must review certain types of communications and must have in place a procedure for the review of these communications by a supervisor. The communications that must be reviewed are those relating to subject matters such as research reports, customer complaints, order errors and account designation changes.5
Considerations in a Risk-Based Review
For other types of electronic communications which do not fall under these subject categories, members can determine the extent to which a review is necessary by employing risk-based procedures. Some important considerations in this regard are how to identify communications relating to customer complaints, information concerning a customer's account and other matters relevant to the member's supervision and management of its business and risks. Additional considerations include how to identify the business areas warranting supervision and review and how to provide adequate training to employees on the member's policies regarding supervision of electronic communications.
Have Clear Written Policies and Provide Training
Members should have clear written policies regarding the use and supervision of electronic communications. The policies should identify the methods of electronic communications that are permitted and prohibited and whether any limitations on permitted methods exist, based on the recipient of the correspondence. Employees must be able to easily access these policies, as well as any revisions or modifications thereto. Employees should also be aware that they are responsible for complying with these policies and be notified of the potential consequences of non-compliance. All employees should be given regular training on the member's electronic communications supervision policies, with further guidance provided to certain employees whose positions may require additional training.
Identify the Types of Communications Subject to Review
If employees are permitted to communicate externally using message boards, e-mail platforms other than the members' own platform, or other third-party Internet communications systems such as Bloomberg or Reuters, such communications must be supervised and retained by the members. If these methods of communications are prohibited, members should monitor employee compliance, as well as periodically test any systems that are in place to block employee access to the prohibited platforms. The use of e-faxes, a relatively new development, is considered electronic communication and similarly must be reviewed.
Members should prohibit the use of personal electronic devices by employees for business-related communications with the public, unless they are able to effectively supervise and retain the communications. This may entail requiring employees to obtain approval for the use of personal devices, by, for example, showing a business justification and may also require the member to conduct a periodic assessment to ensure that employees' use of personal electronic devices is appropriate. It also may be necessary to prohibit the use of personal electronic devices in certain areas where non-public or other sensitive information is accessible to employees.
In supervising internal electronic communications, members should take into account the need to protect customer or issuer information, as well as comply with FINRA rules in avoiding undue influence on research personnel and separate proprietary desk trading activity from other business activities. Some processes for members to consider are taking steps to manage conflicts of interest, such as by putting in place information barriers between certain groups and reviewing internal electronic communications related to matters such as regulatory inquiries or examinations, reviews of transactions, customer complaints or arbitrations, as well as internal electronic communications that occur in connection with the supervision of external communications.
Identify the Position(s) Responsible for Supervision
Employees should generally not review their own communications. For both external and internal electronic communications, the person(s) responsible for reviewing the correspondence should be clearly identified and records documenting the review and identifying the reviewers should be maintained. A supervisor must evidence the supervision in accordance with FINRA rules, although review functions may be delegated to others. Supervisors retain responsibility for the review process, however, and must ensure that any delegation to other reviewers is proper. All reviewers must be shown to be sufficiently trained and knowledgeable to properly perform reviews.
Members must give reviewers guidance on the proper procedures to follow in conducting a review, keeping in mind that merely opening a piece of correspondence is not considered a review. Reviewers should be instructed as to the pertinent issues to be raised, types of materials which warrant review, as well as acceptable content. Members may reference the standards regarding content set forth in NYSE Rule 472 and NASD Rule 2210, as well as identify other areas of concern for reviewers. A member permitting the use of encrypted electronic communications must instruct reviewers on the proper procedures for reviewing such communications. Additionally, members must be able to review communications in every language in which they conduct business and in the case that a reviewer does not speak the language used in a correspondence, proper interpretation by someone other than the author or recipient is required.
Choose the Appropriate Method of Review
In choosing a method of review that is appropriate given the nature of their business and specific needs, members are not limited to one particular method and may supplement the method chosen with additional procedures, if necessary. Some examples of review methods are lexicon-based reviews of electronic correspondence, random reviews and a combination of the two methods.
To effectively utilize a lexicon-based review, which flags communications containing certain key words or phrases, members should compile a list of appropriate lexicon, which should be confidential and revised or updated periodically. This method of review does not mandate examining each piece of correspondence which contains the lexicon, as long as there is a rationale for not doing so. The list of lexicons should be meaningful, comprehensive, but not over-inclusive, and tailored to each member's size, customer base, location and business. Members should be aware of possible loopholes in using a lexicon-based system, such as the potential for attachments in a correspondence to evade review. The effectiveness of the lexicon-based method should be tested regularly, especially if the system is provided by an outside vendor, as members are ultimately responsible for the overall performance of proper review. If there are any indications that the lexicon-based reviews may be deficient, it can be supplemented by random reviews.
Random reviews are based on reviewing a specified percentage of the members' communications. This number must be reasonable in light of each member's size, business, customer base and other such factors. Members need not apply a uniform standard in reviewing correspondence for all offices, departments or employees and thus may determine that a higher percentage of communications from certain individuals, departments or offices must be reviewed.
Combination of Both Methods
A combination of both the lexicon-based review and random review methods may also be considered. However, regardless of the method chosen, it is important that members be cognizant of any limitations of that method and that the efficacy of the method be regularly assessed, as well as possible weaknesses identified.
Determine the Frequency of Review
Although there is no prescribed frequency of reviews, members should consider their size, location, customer base and business in determining how often a review of electronic correspondence will be conducted. Supervisors should be required to complete reviews within a specified timeframe that is reasonable in light of the member's circumstances, keeping in mind that the nature of the member's business may warrant more frequent reviews.
Document the Reviews
Members must document the reviews and be able to show that they were conducted. The record evidencing the review should identify the reviewer, types of correspondence reviewed, date of the review and any important issues that were raised during the review, as well as any steps taken as a result of those issues.
Members should design a system to review electronic communications which is appropriate to their business models. Regardless of the method chosen, members must have clear written policies concerning the supervision of electronic communications and give employees access to these policies, as well as provide appropriate training and guidance. Members must periodically test the effectiveness of their supervisory and review policies, as well as monitor employee compliance.
It is important to note that the final FINRA guidance is not all-inclusive and will not provide a safe harbor with respect to inadequate supervision or compliance. Members should be cognizant of the fact that while the guidance provides members with a great deal of flexibility in the design and implementation of a supervisory and review system for electronic communications, they must continuously test, modify, update and enforce these policies in order to ensure compliance with federal securities laws and FINRA rules.