The Financial Industry Regulatory Authority (FINRA) has issued Regulatory Notice 07-59, Final Guidance Regarding Review and Supervision of Electronic Communications. The guidance permits review and supervision of electronic communications on a risk based approach. However, communications required by rule or law to be reviewed individually cannot use this random method, such as, communications subject to the research analyst rule, customer complaints, order error or account designation changes, and communications between the proprietary trading desk and other parts of the firm. Supervisory policies must (i) identify correspondence that will be subject to pre or post-review, (ii) identify positions in the firm responsible for reviewing different types of correspondence, (iii) periodically re-evaluate the procedures’ effectiveness, (iv) prohibit employees’ use of electronic communication systems not subject to supervisory and review procedures, and (v) train and educate personnel with respect to these obligations.

Members should provide employees quick and easy access to electronic communication policies and procedures , e.g. use of the member’s intranet; a statement that non-listed means are prohibited; the potential consequences of non-compliance; and training on a regular and as-needed basis. Member policies must include the types of electronic communications that require review and utilize risk-based principles to determine the exact extent to which additional supervisory policies and procedures are required.

In the case of external communications, members may prohibit use of other than the members’ communication system and require employees to periodically confirm compliance with this policy. Alternatively, members may block access through the firm’s computer system. Another approach is to require employees to obtain pre-approval for use of outside systems by filing a written detailed business justification and annual re-certification. Use of message boards should be prevented, and e-faxes are communications subject to this guidance. In the case of internal communications, members should consider (i) is there an adequate barrier in place to deal with potential conflicts of interest, (ii) reviews of communication regarding internal or regulatory examinations or investigations, (iii) review of communications in connection with transaction reviews, and (iv) review of communication related to issues arising from a review of external electronic communication.

The member policy must identify the persons responsible for the review of electronic communications although delegation is permitted if there are procedures for escalation. All supervisors, including delegated reviewers, must have sufficient knowledge, experience and training to conduct reviews. There should be a developed review process that is reasonably designed to achieve compliance with applicable securities laws, regulations and FINRA rules and appropriate to the member’s business and structure.

Three random review methods include: (i) a Lexicon review based on specified words or phrases may be used, but the Lexicon must be kept confidential and periodically updated (adds and deletes), and if selected messages are reviewed on a random basis, the rationale for such review must be part of the member’s policies; (ii) a random review sampling of a percentage of all electronic communication that is a reasonable amount is permitted. Members should consider such factors as percentage to be reviewed, the business line, branch office, or individuals to be reviewed; and (iii) a combination Lexicon and random sample review. Any review process should be periodically evaluated.

Members must consider the frequency of reviews which may vary depending on the type of business conducted, the type of customers involved, the scope of the activities, the geographical location of the activities, the disciplinary record of the covered persons and the volume of the communications subject to review. Reviews should be completed within a reasonable time frame. Finally, Members must document reviews, whether electronically or on paper, and be able to reasonably demonstrate that such reviews were conducted. In conclusion, FINRA notes that this is only guidance and is not all-inclusive, does not represent all areas of inquiry that a member should consider and does not establish any safe harbor protections.