On Dec. 7, 2007, FINRA (formerly NASD) issued formal Guidance Regarding Review and Supervision of Electronic Communications by member broker-dealer firms. The Guidance sets forth "principles for members to consider when developing supervisory systems and procedures for electronic communications that are reasonably designed to achieve compliance with applicable federal securities laws and self-regulatory organization (SRO) rules." FINRA Regulatory Notice (Notice) 07-59; December 2007; available at http://www.finra.org/web/groups/rules_regs/documents/notice_to_members/p037553.pdf
Some highlights of this action are summarized below.
Member electronic communications related to a member’s business are subject to its overall supervisory and review procedures. FINRA issued this Guidance to assist members in establishing and maintaining supervisory systems for electronic communications that are reasonably designed to achieve compliance with the federal securities laws and SRO rules, particularly in light of continuing technological innovations in this area. The Guidance neither creates new supervisory requirements nor requires the review of every communication. Rather, it sets forth principles that firms should consider in developing supervisory systems and procedures for electronic communications (which are broadly defined to include such forms of communication as email, instant messaging, text messaging, and E-faxes).
Nevertheless, FINRA cautions members that "this guidance is not all-inclusive and does not represent all areas of inquiry that a member should consider when establishing and maintaining a supervisory system for electronic communications, including any existing and future electronic communications technology that this guidance may not address." Moreover, "this guidance does not serve to establish a safe harbor with respect to potential supervisory or compliance deficiencies."
At the outset, the Guidance acknowledges that policies and procedures may differ among members depending on the nature of their business (e.g., size, structure, customer base, and product mix), and that members generally may use "risk-based principles" in deciding the extent to which the review of incoming, outgoing, and internal electronic communications is necessary in accordance with the supervision of their business. However, the Guidance also makes it clear that members must have policies and procedures for the review by a supervisor of employees’ incoming, outgoing, and internal electronic communications "that are of a subject matter that require review under FINRA rules and federal securities laws" (and it goes on to list as examples several SRO rules that impose such requirements).
The Guidance notes that, when employing risk-based procedures to review electronic communications, members should consider how to effectively:
- “Flag” electronic communications that may involve customer complaints, problems, errors, orders or other instructions for an account; or conduct inconsistent with regulatory requirements, and other matters of importance to the member’s ability to adequately supervise its business and manage risk
- Identify such other business areas the member may identify as warranting supervisory review
- Educate employees to understand and comply with the member’s policies and procedures in this area
The Guidance also reminds members of existing related SRO requirements, such as:
- Identifying the types of correspondence that will be pre- or post-reviewed
- Identifying the organizational position(s) responsible for conducting reviews of the different types of correspondence
- Monitoring the implementation of, and compliance with, the member’s procedures for reviewing public correspondence; periodically re-evaluating their effectiveness; and considering any necessary revisions
- Reporting customer complaints to the SROs
- Prohibiting employees from using electronic communications unless such communications are subject to supervisory and review procedures developed by the member
- Conducting necessary and appropriate training and education
The Guidance is divided into six categories, as briefly reviewed below.
Written Policies and Procedures
These should, of course, be clear, and should be updated as necessary to address new technologies. Member employees should have "quick and easy" access to the policies and procedures, and there should be very specific guidance regarding what are (and are not) permissible "electronic communication mechanisms." Members should provide specific language explaining to employees the potential consequences of non-compliance, as well as appropriate training (on a regular and "as-needed" basis).
Types of Electronic Communications Requiring Review
External Communications. Members are required to establish policies and procedures regarding the forms of electronic communications that they permit employees to use when conducting business with the public, and to take reasonable steps to monitor for compliance with such policies and procedures. More specifically, FINRA expects members' policies and procedures to prohibit communications with the public for business purposes from employees’ own electronic communications devices (including, for example, home computers) unless the member is capable of properly supervising, receiving, and retaining such communications. Absent a prohibition, members should consider requiring pre-approval for the business-related use of any such device. The approval process might require a detailed initial business justification and an annual re-evaluation and re-certification of the approval. In addition, members should consider obtaining agreements from employees authorizing the member to access any such devices. Members should also consider prohibiting, where appropriate, the use of personal electronic communication devices in certain sensitive firm locations (e.g., where material non-public information could be accessed). The Guidance also notes that members may consider blocking employee access to publicly accessible message boards related to the securities industry to prevent them from communicating through these boards for business purposes.
Internal Communications. As noted above, in the absence of specific rule requirements for supervisory review of particular communications, members may use "risk-based principles" to decide the extent to which internal communications will be reviewed. In connection with reaching such a risk-based assessment, the Guidance suggests areas that members should consider, including assessing the effectiveness of information barriers, protecting against undue influence on research personnel contrary to SRO rules, and segregating the member’s proprietary trading desk activity from all or part of the other operating areas of the member.
In addition, members may consider "various relevant existing processes," such as steps taken to reduce, manage, or eliminate potential conflicts of interest (including implementing appropriate firewalls); and reviews of internal electronic communications that occur in connection with internal and/or regulatory examinations, transaction reviews, internal disciplinary reviews, and reviews relating to customer complaints or arbitration.
Identification of the Person(s) Responsible for the Review of Electronic Communications
Members should clearly identify the person(s) responsible for performing the reviews, who must evidence their supervision and performance of relevant procedures. To the extent a supervisor/principal may delegate certain functions to other persons, the supervisor/principal remains ultimately responsible for the performance of all necessary supervisory reviews, and must take reasonable and appropriate action to ensure delegated functions are properly executed. This would include provision for escalation of regulatory issues to the designated supervisor or other appropriate department. All reviewers must have sufficient knowledge, experience, and training to adequately perform the reviews, and members should be able to demonstrate that the reviewers meet these criteria. Also, absent highly unusual circumstances, an individual may not conduct supervisory reviews of his or her own electronic communications.
Method of Review for Correspondence
As a general matter, regardless of what review method is used, members should alert their reviewers as to the issues to be raised and material to be examined, including acceptable content. (Note: Certain SRO rules, such as NASD Rule 2210, prescribe content standards for specified types of communications.) Members should also provide guidance on other applicable areas of concern, such as the use of confidential, proprietary, and inside information; anti-money laundering issues; gifts and gratuities; private securities transactions; customer complaints; front-running; and rumor spreading.
In addition, where members permit the use and receipt of encrypted electronic communications, they must be able to monitor and supervise those communications and must educate reviewers on how this can be accomplished. Members must also be able to review electronic correspondence in all languages in which they conduct business with the public. Moreover, under certain circumstances (e.g., when a specific problem has been identified), members should consider having their legal and/or compliance departments re-review e-mails that have already been reviewed by line supervisors. Members should also consider re-reviewing selected electronic communications as part of their standard branch office inspection program. The Guidance goes on to discuss in particular two methods of review - "lexicon-based" reviews (those based on sensitive words or phrases, the presence of which may signal problematic communications), and "random" reviews (which employ a reasonable percentage sampling technique, whereby some percentage of the electronic communications generated by the member is reviewed), and identifies areas of consideration with each method.
Members are also encouraged to consider "complementary review techniques," which would entail use of some combination of lexicon-based and random reviews. Moreover, "to best assure the effectiveness over time of any system, members should incorporate ongoing evaluation procedures to identify and address any 'loopholes' or other issues that may arise as the means of transmitting sensitive information 'under the regulatory radar' become more sophisticated and difficult to capture."
Frequency of the Review of Correspondence
The Guidance allows that the frequency of correspondence review may vary depending on the nature of the member's business, and should be related to factors such as the types of business conducted, the type of customers involved, the scope of the activities, the geographical location of the activities, the disciplinary record of covered persons, and the volume of the communications subject to review. With those considerations in mind, members should prescribe reasonable timeframes within which supervisors are expected to complete their reviews.
Documentation of the Review of Correspondence
Members must evidence their reviews, whether electronically or on paper, and be able to reasonably demonstrate that such reviews were conducted. This would entail, at a minimum, clear identification of the reviewer, the communication that was reviewed, the date of review, and the steps taken as a result of any significant regulatory issues identified during the course of the review. Perhaps somewhat gratuitously, FINRA adds that "Members should remind their reviewers that merely opening the communication will not be deemed a sufficient review."