FINRA (the Financial Industry Regulatory Authority) has issued Regulatory Notice 07-59 relating to electronic communications, such as email, instant messaging, text messaging, weblogs and podcasting, which financial services firms and their employees may use to conduct business. Let’s examine the key points of the notice.
Preliminarily, firms must establish, maintain and enforce electronic communication supervisory systems and procedures reasonably designed to achieve compliance with securities laws and rules. FINRA recognizes that technological innovations have brought and will continue to bring new challenges in supervising electronic communications. FINRA also recognizes that supervisory systems and procedures may differ among financial services firms depending upon their size and the type of business that they conduct. And, with some exceptions for mandatory reviews, firms “generally may decide by employing risk-based principles the extent to which the review of incoming, outgoing and internal electronic communications is necessary in accordance with the supervision of their business.”
In Notice 07-59, FINRA divides its guidance into six categories. These are: (1) written policies and procedures; (2) types of communications requiring review; (3) identification of the person(s) responsible for the review; (4) method of review; (5) frequency of the review; and (6) documentation of the review.
First, regarding written policies and procedures, FINRA recommends that firms allow employees quick and easy access to their policies and procedures. Firms should state what forms of electronic communication are permissible, and which are not permissible. Firms should specify the consequences for non-compliance with those policies and procedures, and should conduct training on a regular and as-needed basis.
Second, regarding the types of electronic communications requiring review, FINRA notes that, regardless of what technology is used, if a firm permits its use, then it must have systems and procedures in place reasonably designed to supervise those communications. As technologies now extend beyond office network servers and firm email addresses to other email platforms (such as AOL or Yahoo mail), message boards and E-faxes, FINRA notes that some firms choose simply to block access, prohibit use and require compliance certifications by employees. FINRA also states that it expects firms “to prohibit, through policies and procedures, communications with the public for business purposes from employees’ own electronic devices unless the member is capable of supervising, receiving and retaining such communications.”
Third, a firm’s procedures must clearly identify the person(s) responsible for performing the reviews. While the reviewer may delegate certain functions, ultimately the reviewer remains responsible and must ensure that all reviewers have “sufficient knowledge, experience and training to adequately perform the reviews.” In addition, an individual must not conduct supervisory reviews of his/her own electronic communications (unless there is no reasonable alternative, as with a sole proprietor-type firm).
Fourth, regarding the method of review, FINRA discusses lexicon-based reviews, random reviews and a combination of both methods. Lexicon-based reviews should contain a meaningful list of phrases, words and industry jargon based on the type of business that the firm conducts and its customer base. The list should be able to yield a meaningful sample of “flagged” communications. The system should be able to read attachments. When firms select the random review method, they may choose a reasonable percentage sampling technique. Firms can choose to review either a certain percentage of electronic communications based on a branch, department or business unit, or, in the alternative, can choose to review a certain percentage for each individual in the branch, department or business unit.
Given the strengths and weaknesses of each method, however, FINRA recommends that firms use a combination of both methods – lexicon-based reviews and random reviews. Additionally, no matter what method firms choose, they must “alert their reviewers as to the issues to be raised and the material to be examined, including acceptable content.” Likewise, firms must “incorporate ongoing evaluation procedures to identify and address any ‘loopholes’ or other issues that may arise as the means of transmitting sensitive information ‘under the regulatory radar’ become more sophisticated and difficult to capture.”
Fifth, FINRA states that the frequency of the review will vary depending upon the type of business conducted, the type of customers involved, the scope of the activities, the geographical location of the activities, the disciplinary record of those involved, and the volume of communications subject to review. FINRA also recommends that firms prescribe reasonable timeframes within which supervisors are expected to complete their reviews, considering factors such as those set forth above.
Finally, firms must document their reviews. FINRA recommends that, at a minimum, firms must evidence the date of the review and any steps taken as a result of the review. FINRA cautions that reviewers do not satisfy this requirement merely by opening the electronic communication.
In conclusion, FINRA’s guidance should help firms navigate the difficult and ever-changing waters of supervising electronic communications.
