Many companies that transitioned to a work-from-home environment in early 2020 may have reasonably anticipated a return to the normalcy of in-office operations by the end of the year. Yet as 2021 commences, remote work has become the new normal and firms can expect this arrangement to continue through the first quarter of the year, if not longer. While working from home poses challenges for all businesses, it poses unique concerns for broker-dealers whose associated persons are conducting business from their homes. Broker-dealers must remain keenly attuned to the risks posed by work-from-home arrangements, including specifically the risk that registered representatives and other associated persons use their personal devices or other unapproved and unmonitored channels to communicate with clients and conduct business.
The use of personal devices by associated persons to conduct business creates significant supervisory challenges. Firms that have changed their processes and procedures this year to account for the remote work environment should ensure that they have designed supervision and surveillance systems to monitor for personal device use; are addressing personal device use in their policies and procedures, including any changes implemented during this work-from-home time; and are conducting focused training on the issue. Regulators are likely to look closely at how firms supervised to ensure that their associated persons did not use unapproved and unmonitored communications channels while working from home. Accordingly, while broker-dealers may well have focused attention on this issue at the onset of the COVID-19 pandemic, the start of a new year and the extended duration of work-from-home conditions warrant a renewed consideration of firms’ supervision methods related to personal devices.
This article considers the challenges and risks that personal device use creates for firms’ supervision structures. It also outlines specific steps firms may take to mitigate the risk that associated persons are using personal devices to conduct business communications. Finally, it considers how the Financial Industry Regulatory Authority (FINRA) may use its enforcement authority to address supervisory gaps regarding personal device use in the coming year.
I. Personal Device Use: Always a Concern, but Now More Than Ever
The use of personal devices or other unmonitored communication channels to conduct business creates obvious supervision issues under FINRA Rule 3010 and record-keeping problems under Rule 4511. Accordingly, firms have always had to have policies and procedures in place to ensure that their associated persons are not using unmonitored personal devices to conduct business. FINRA has long taken the position that a firm’s obligations under these rules depend on the content of the communication (whether it pertains to conducting the business of the broker-dealer) rather than the mode of communication (whether the communication occurs through a firm-issued or personal device). Indeed, in a 2011 regulatory notice (11-39), FINRA noted that “new technologies” like text messaging may “facilitate the ability of associated persons to perform their responsibilities” but that “a firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person” (emphasis added).
Given FINRA’s longstanding guidance, nearly every firm’s policies and procedures likely either prohibit outright the use of personal devices to conduct firm business or provide strict parameters to ensure that any business communications are both supervised and retained. But the current remote work environment creates heightened risk that associated persons, either intentionally or inadvertently, utilize personal devices for business communications. In the office, financial advisors face no obstacles to using their work phones and computers to call clients, answer emails and otherwise conduct business. Working from home, however, causes the line between the personal and the professional to fade, if not disappear entirely: A financial advisor already using her personal cell phone may naturally be tempted to simply text a client or respond to a social media message rather than communicate through a firm-approved and monitored channel. An associated person’s use of a personal device could fall into one of three categories:
“Innocent” use and momentary lapses. A financial advisor may text a client simply out of convenience or a desire to be immediately responsive to a client, perhaps momentarily forgetting that she should not be using a personal device to conduct business. Similarly, a purely personal conversation with a client over text may evolve into a discussion that could be construed as a business communication, even if the advisor does not intend or expect that to happen.
Conducting business in an unauthorized manner. A financial advisor may move past a momentary lapse in memory or judgment and begin actively conducting business through a personal device out of convenience. The financial advisor may believe it is “not a big deal” and that his communications, while conducted through unauthorized means, are not inappropriate.
Intentional evasion of firm controls to hide misconduct. A financial advisor may intentionally use a personal device with the goal of avoiding detection of inappropriate business conduct. A common case in this category is a financial advisor attempting to settle a dispute with a customer without notifying the firm.
Firms must be aware of, and monitoring for, each of these types of situations. A firm’s supervision system for ensuring associated persons utilize only firm-monitored communications channels may very well be “reasonable” pursuant to FINRA Rule 3010 in an environment where financial advisors are working in their offices. This same system, however, may prove ineffective when advisors are working from home, given the heightened risk that they will utilize personal devices to conduct firm business. Indeed, in August 2020, the U.S. Securities and Exchange Commission (SEC) Division of Examinations, previously known as the Office of Compliance Inspections and Examinations (OCIE), issued a risk alert to broker-dealers and investment advisors detailing compliance and supervision risks created by the pandemic environment. The risk alert specifically noted that “firms may wish to modify their practices to address ... communications or transactions occurring outside the firms’ systems due to personnel working from remote locations and using personal devices” (emphasis added). This advice continues to merit attention — especially as the work-from-home environment stretches into 2021.
II. Managing the Risk Posed by Potential Personal Device Use
Given the increased risk that associated persons may use personal devices or other unmonitored communications channels during this time, firms should consider taking proactive steps to ensure their compliance and supervision systems adequately manage this risk. To the extent firms took steps to address personal device use at the onset of the pandemic, firms should revisit and review their efforts to determine their effectiveness and whether additional measures should be taken. Firms should consider:
reviewing and updating policies and procedures;
conducting specific training or issuing targeted reminders or alerts;
ensuring their email surveillance lexicon is tailored to capture indicia of unsupervised communications;
asking about personal device use during compliance reviews and branch exams; and
weighing risk factors that lead to personal device use.
Guidance regarding each of these topics is set forth below.
A. Review and Update Policies and Procedures
Firms should review their policies and procedures and consider whether they require revision or updating in light of the current environment. Policies and procedures should address not only text messaging but use of messaging features in popular social media applications including Facebook, Instagram and SnapChat. To the extent firms are allowing use of personal devices for communications of any kind, policies and procedures should explain the specific circumstances in which such communications will be allowed and how the firm will allow such use consistent with its supervisory and record-keeping obligations. FINRA has explained that “every firm that intends to communicate, or permit its associated persons to communicate, with regard to its business through a text messaging app or chat service must first ensure that it can retain records of those communications as required by SEA Rules 17a-3 and 17a-4 and FINRA Rule 4511” (emphasis added; see FINRA Reg. Notice 17-18).
Some firms may have changed their policies and procedures to accommodate the new work-from-home environment. These firms should take the opportunity to review their policies and procedures to ensure that they reflect any updates and that they both note the prohibition on using unsupervised communications channels and detail how supervision is conducted to reasonably ensure there is no such use.
B. Conduct Training or Otherwise Specifically Address Personal Device Use
FINRA’s 2011 Regulatory Notice explained that “a firm’s policies and procedures must include training and education of its associated persons regarding the differences between business and non-business communications and the measures required to ensure that any business communication made by associated persons is retained, retrievable and supervised.” Accordingly, firms should consider targeted training and alerts to their associated persons regarding firm policy on personal device use. Training should emphasize that social media and text messaging are not proper channels through which to communicate with clients regarding business matters. Indeed, evidence of specific training and communications to associated persons serves as compelling evidence of the firm’s compliance efforts in the event of a FINRA examination.
C. Conduct Email Surveillance for Indicia of Unmonitored Communications
Firms would benefit from reassessing their lexicons for surveilling emails in light of their expanded remote workforce. Different terms may be more likely to identify potential issues in a remote environment. Firms should ensure that their email surveillance tools capture key words indicating an associated person may be contacting a client outside of firm-monitored email. Phrases such as “I’ll text you” or references to “my gmail,” along with other common email addresses, should be flagged for review. Similarly, firms should consider including “WhatsApp,” “WeChat,” “SnapChat,” and other commonly used messaging and social media applications in their surveillance lexicons.
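As an added illustration that is not part of the original article or any vendor's product, the sketch below shows how a lexicon of this kind might be applied to message bodies from a firm's email archive. The category names, the webmail domain list, the phrase variants beyond those quoted above, and the sample messages are all assumptions constructed for the example.

```python
import re

# Webmail domains treated as "common email addresses" (assumed list).
WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Lexicon seeded with the article's terms; extra variants are assumptions.
LEXICON = {
    # Anchored on the offer to text, so "the full text you requested" is ignored.
    "move_to_text": re.compile(r"\b(?:i'll|i will|let me|i can)\s+text\s+you\b"),
    "personal_email": re.compile(
        r"\b(?:my\s+(?:gmail|yahoo|hotmail|icloud)|personal\s+e-?mail)\b"),
    "messaging_app": re.compile(r"\b(?:whatsapp|wechat|snapchat)\b"),
}
ADDRESS = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b")


def normalize(text):
    # Mail clients often emit curly apostrophes; fold them so "I’ll" matches.
    return text.replace("\u2019", "'").replace("\u2018", "'").lower()


def flag_message(body):
    """Return a sorted list of (category, matched text) hits for one body."""
    text = normalize(body)
    hits = {(cat, m.group(0))
            for cat, rx in LEXICON.items() for m in rx.finditer(text)}
    for m in ADDRESS.finditer(text):
        if m.group(1) in WEBMAIL:
            hits.add(("webmail_address", m.group(0)))
    return sorted(hits)


def review_queue(messages):
    """Map message id -> hits, keeping only messages that need human review."""
    return {mid: hits for mid, body in messages if (hits := flag_message(body))}


# Constructed sample messages, not real correspondence.
SAMPLE = [
    ("m1", "Thanks for the call. I\u2019ll text you the wire details tonight."),
    ("m2", "Send it to my Gmail, jdoe.advisor@gmail.com, it's easier from home."),
    ("m3", "Are you on WhatsApp? Faster than email."),
    ("m4", "The full text you requested is attached to this message."),
]

if __name__ == "__main__":
    for mid, hits in review_queue(SAMPLE).items():
        print(mid, hits)
```

A hit only routes the message to a reviewer; whether the communication actually moved to an unmonitored channel remains a supervisory judgment.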
D. Update Compliance Reviews and Branch Exam Procedures
Firms face challenges in conducting compliance and branch exams when associated persons are working, and conducting business, remotely. Exam procedures may need to be updated to include specific steps to check that associated persons are not using unsupervised communications channels. In on-site branch examinations during the pandemic, some firms may have conducted physical reviews of personal devices, asking the advisor to log on to the device and allow the examiner to review text messages or other communication applications. Physical inspection of devices may not be practical or possible in a virtual exam. Firms may wish to consider asking a specific question that each associated person must answer on examination questionnaires regarding their use of personal devices. Other exam approaches may include remote computer inspections, conducting web searches to identify potential issues such as unapproved outside business activity, or conducting audits via Zoom or other virtual “live” platforms. This latter approach introduces the component of real-time conversation, which presents an opportunity to reinforce the importance of compliance with firm procedures and identify potential red flags for follow-up. Another option is to adopt an annual requirement that advisors certify their understanding of, and compliance with, firm policies regarding use of personal devices.
E. Weigh Other Risk Factors Suggesting Unmonitored Communications
Firms should also stay alert to red flags suggesting a financial advisor may be using a personal device to conduct business. Traditional supervision that indicates problematic conduct may also suggest unmonitored communications to engage in that conduct. For example, discovery that a financial advisor is conducting an unapproved outside business activity should also lead to investigation into whether the advisor was conducting that business, along with firm business, through his personal device.
III. Expect FINRA to Focus on Personal Device Use in 2021
FINRA has already brought an increasing number of actions against firms and associated persons related to use of personal devices prior to the pandemic. For example, a review of FINRA enforcement actions shows FINRA brought 19 of 35 cases citing unmonitored text messaging within the last two years. Given the increased likelihood that associated persons use personal devices while working from home, expect the number of cases involving this conduct only to ramp up in the near future.
To date, FINRA enforcement has principally brought actions against individuals for using personal devices to contact clients, finding that these individuals violated the good faith and fair dealing standard of Rule 2010 and impeded proper record keeping under Rule 4511. One might expect, however, that widespread work-from-home arrangements will lead FINRA to examine, and bring cases regarding, member firms’ supervision systems related to personal device use. FINRA may focus both on failure to supervise for personal device use under Rule 3010 and on failure to ensure retention of records under Rule 4511.
However, the facts and circumstances of specific cases can lead to additional issues that may serve as the basis for additional charges. For example, a financial advisor that settles with a customer through text messages to avoid escalation of a dispute causes the firm to fail to timely report a complaint. Additionally, use of a personal device may implicate information security issues. A financial advisor may inadvertently text sensitive client information to the wrong person or have her phone hacked, causing a potential violation of Regulation S-P. While information security is a key concern for broker-dealers, the remote work environment presents additional risks and challenges that should be proactively identified and mitigated. Expect these and other types of issues to arise as more enforcement cases are brought concerning personal device use.
FINRA’s rules and guidance regarding use of personal devices to conduct business are not new. But the unprecedented circumstances the pandemic has imposed on firms, with many stretching into the 10th month of working from home, warrant revisiting and carefully reviewing their controls for ensuring compliance.