On December 7, 2007, the Financial Industry Regulatory Authority (FINRA) – the entity formed this year through the merger of NASD Dispute Resolution and NYSE Member Regulation – issued Regulatory Notice 07-59 providing new guidance for the review and supervision of both internal and public electronic communications, as required by FINRA rules and U.S. federal securities laws for correspondence to and from registered representatives. The guidance sets forth principles for members to consider when developing policies and procedures for electronic communications that will comply with those rules and laws. The guidance does not create any new supervisory requirements; nor does it require the review of every individual electronic communication transmitted to and from a member’s registered representative.
The new guidance recognizes that the pace of technological innovation requires proactive attention to keep up with burgeoning forms of electronic communications. For example, as the guidance observes, members’ policies regarding electronic communications that were developed five years ago are unlikely to account for blogs and podcasts. Therefore, as discussed further below, the guidance suggests that members regularly review and update their policies and procedures to ensure that all methods of electronic communication remain in compliance with the members’ regulatory obligations.
The guidance also acknowledges that the breadth and volume of electronic communications make review and supervision a daunting task. Accordingly, the guidance is designed to be used by any member regardless of size, but recognizes that the policies and procedures may differ according to a member’s business model (e.g., size, structure, customer base and product mix). Indeed, the guidance notes that the review and supervision of electronic communications is an evolving process. At one time, FINRA’s predecessors required that members review all correspondence of their registered representatives pertaining to the solicitation or execution of any securities transactions; for practical considerations, however, the rules were amended in 1998. The 2007 guidance supplements members’ implementation of the amended rules.
The guidance is divided into six categories:
1. Written Policies and Procedures
2. Types of Electronic Communication Requiring Review
3. Identification of the Person(s) Responsible for the Review of Electronic Communications
4. Method of Review for Correspondence
5. Frequency of the Review of Correspondence
6. Documentation of the Review of Correspondence
A notable recommendation by FINRA is that members set forth a clear list of the methods of electronic communication that may be used by registered representatives to correspond internally and with the public. This is vital to members’ regulatory compliance because every permitted method of electronic communication for business purposes must be reviewed and supervised.
Accordingly, FINRA’s guidance concerning the types of electronic communications to be reviewed focuses on members’ policies and procedures that permit or prohibit methods of electronic communication. FINRA also subdivides the guidance between external and internal communications. “Traditionally, members have limited employees’ electronic communications with customers to a member-supplied email address that is connected to the member’s communication network.” But, the guidance observes, employees can communicate through a host of other platforms, including Internet-based email such as Yahoo; third-party systems like Bloomberg and Reuters; and message boards, blogs, efaxes and wireless text messaging. Members who permit their employees to communicate with the public through any of these methods are required to supervise and retain those communications.
Conversely, FINRA recommends that members block employees’ access to forms of communication that are prohibited by the members’ policies. Moreover, “FINRA expects members to prohibit, through policies and procedures, communications with the public for business purposes from employees’ own electronic devices unless the member is capable of supervising, receiving and retaining such communications.”
With respect to the supervision of internal communications – except for enumerated types of correspondence that must be reviewed by supervisors, including email “over the wall” between research and non-research areas – FINRA suggests that members employ “risk-based principles” and consider relevant existing processes, such as those already in place for disciplinary reviews and regulatory inquiries.
FINRA underscores that persons responsible for the review of electronic communications should be clearly identified, have sufficient knowledge and training to adequately perform a review and be prohibited from conducting a review of their own communications unless there is no reasonable alternative. Notably, supervisors are permitted to delegate review functions to persons who are not registered, but the supervisor remains responsible and the firm’s procedures must provide a protocol to escalate regulatory issues to the supervisor.
FINRA proposes three choices of methods of reviewing electronic correspondence: (1) lexicon-based reviews, dependent on sensitive words or phrases; (2) random review, based on a reasonable percentage sampling technique; or (3) a combination of lexicon and random reviews. Whichever review method is chosen, FINRA advises members to incorporate ongoing evaluation procedures to identify and remedy any issues that may arise as the means of transmitting sensitive information “under the regulatory radar” become more sophisticated and difficult to capture. FINRA provides no specific guidance on the frequency of correspondence review, leaving members to base the frequency on their specific business model. FINRA does note, however, that members with a primarily retail business may need to conduct more frequent reviews than members that conduct exclusively institutional business.
Finally, FINRA requires that members document the review of electronic communication (either electronically or on paper) and be able to reasonably demonstrate that such reviews are, in fact, conducted.
In conclusion, FINRA offers several caveats to members. The guidance is not all-inclusive and does not represent all areas of inquiry that members should consider when establishing and maintaining policies and procedures for electronic communication. Furthermore, the guidance does not serve to establish a safe harbor with respect to supervisory or compliance deficiencies.