On June 14, 2007, NASD and NYSE Regulation (the "SROs"), issued a request for comment on proposed joint guidance on the review and supervision of electronic communications (NASD Notice to Members 07-30).1 While SRO members currently are required to have policies and procedures in place for review of electronic communications that are the subject of SRO rules or federal securities laws, the new guidance permits members to use risk-based methods to review internal and external electronic communications at their own discretion to supervise their businesses. The proposed guidance supplements previous guidance by addressing supervisory procedures in the six areas described below.
A. Written Policies and Procedures
Members should provide employees with clear and updated policies regarding the use of internal and external electronic communications. Members should inform employees of such policies and the consequences of non-compliance. Throughout the course of employment, employees should have easy access to the policies and should receive timely notification of updates as well as regular training as needed. The policies themselves should list permissible means of electronic communications clearly, any restrictions on those means, and should list prohibited forms of electronic communications explicitly.
B. Types of Electronic Communications Requiring Review
As discussed above, members have discretion to review electronic communications concerning the supervision of their businesses, subject to mandatory policies required to comply with SRO rules or federal securities laws. With respect to external communications, members must establish policies regarding employee communications with the public and to ensure compliance with these policies. Members are urged to consider technologically blocking employee access to prohibited means of electronic communications, especially Internet-based e-mail, third-party communication systems (e.g., Bloomberg), message boards and e-faxes. To the extent members choose not to block access, they must supervise (and in the case of Internet-based e-mail and third-party communication systems, retain) such communications. Furthermore, the SROs urge members to prohibit communication with the public through employees' own personal devices absent any compelling needs by those employees.
Members should consider review of internal communications to ensure the protection of customer or issuer information and to maintain the independence of the research staff and the proprietary traders from undue influence of other parts of the operation. Members may also want to review current internal communications, in general, such as conflict management procedures.
C. Identification of the Persons Responsible for the Review of Electronic Communications
Members should identify clearly the supervisor or principal responsible for review of electronic communications, including any such person to whom the supervisor or principal delegates the responsibility. If members delegate, they must be able to show that any such delegees meet the requisite levels of knowledge, experience and training to sufficiently perform reviews. Additionally, subject to limited exceptions for member's size or structure, individuals may not conduct reviews of their own communications.
D. Method of Review for Correspondence
In general, members should notify reviewers as to what material they should review and which issues they should flag. Included among electronic communications that members must be able to review are those that are encrypted and those that are in foreign languages to the extent that members carry on business with the public in those languages. Under certain circumstances, members should have their legal or compliance departments re-review communications, after review by a supervisor.
Members have some latitude to determine their methods of review consistent with applicable laws, regulations and SRO rules and based on their individual business models. They should undertake ongoing evaluations of these methods to ensure effectiveness. The methods that members may select are:
- Lexicon-based review, which focuses on certain key words or phrases in electronic communications
- Random review, in which members typically choose to review a certain percentage of electronic communications by business unit or by individual
- Combination of lexicon-based review and random review
E. Frequency of Review of Correspondence
Members maintain autonomy to determine the frequency of review in accordance with their individual business models and the methods of review they choose to apply. They should develop a reasonable timeline, taking into consideration the type of businesses in which they are involved and the extent to which a review's usefulness decreases over time in those lines of business.
F. Documentation of the Review of Correspondence
Members must be able to reasonably show that they conducted the requisite reviews. The evidence, at a minimum, should show the communication reviewed, the date of review, and the steps taken as a result of the review.
NASD and NYSE have developed the proposed guidance as a result of the growth of electronic communication methods used by their members. The proposed guidance is not all-inclusiveand does not provide a safe harbor to any potential violations. NASD and NYSE intend that these new guidelines will assist members in developing and maintaining supervisory systems for electronic communications that will comply with applicable laws, regulations and SRO rules. The NASD and NYSE are currently reviewing comments related to the proposed guidance. We will inform our clients when the guidance is finalized. In the meantime, please contact your White & Case lawyer with any questions regarding this proposed guidance.