Guest contributor: Jimmy Douglas, Director of Alliances and Industry Relations at Smarsh.
For financial services firms, policies governing the use of electronic communications, the preservation and production of electronic communications records, and evidence of message supervision procedures are a big part of FINRA and SEC examinations.
According to an annual analysis of FINRA disciplinary actions released by law firm Sutherland Asbill & Brennan LLP, violations stemming from electronic communications transgressions generated the highest amount of fines for the self-regulatory organization in 2013. FINRA reported a whopping $15.1 million in fines from 66 cases involving alleged electronic communications violations, a 132% increase compared to fines of $6.5 million in 2012.
The SEC is also stepping up examinations. In its annual exam priorities letter this year, the SEC announced it will target firms that have not yet been examined, particularly those that have been registered for three or more years. The exams will focus on compliance programs (among other things) and examiners will look to determine the effectiveness of compliance programs by evaluating whether advisors are properly identifying conflicts of interest and compliance risks, whether policies are in place and being managed, and whether compliance officers are empowered to establish these programs.
Against this backdrop, preparation for the exams can be daunting. Where do you begin? What types of electronic messages need to be stored for review? Which communications policies will regulators want to see?
To top it all off, you can’t always predict when you’ll be examined. You might know the general timing of reviews, but it’s difficult to discern when regulators will be knocking at your door…which can cause added anxiety.
While audits and exams vary by regulator, company, and exam type, one thing is certain: regulators now request the production of multiple types of electronic communications records, along with supporting compliance program documentation, during exams.
Here are some basic steps you can take to help start preparations for the electronic communications data production component of an exam or audit.
1. Know what to archive.
The types of messages that regulators request continue to expand every year. According to the Smarsh 2014 Electronic Communications Compliance Survey, the number of electronic messaging channels firms allow employees to use for business purposes has nearly doubled in the past three years, from an average of 3.6 channels in 2011 to 6.7 in 2014, and message supervision is more complex than ever before. In addition, firms examined in the past year were asked to produce records for email, website pages, instant messages, Bloomberg/Reuters messages, social media, email marketing, and text/SMS messages. While email is still the most common message type requested (by a large margin), you can anticipate your firm will be asked to produce an array of electronic communications records. Today, it’s the content that counts—not the medium that broadcasts the content. The content is what makes a message a business record, and drives the requirement for content archival.
The increased attention on social media records can be daunting, too. For instance, in 2013 FINRA announced social media spot checks for member firms. FINRA can search for and review your firm’s social media pages and posts in your offices during a spot check or an exam.
2. Know what supporting documentation must accompany your archive records.
The 2014 Electronic Communications Compliance Survey also showed requests for several types of supporting documentation related to electronic communications compliance. Among survey respondents who were examined in the past year, 70% said ‘written supervisory procedures’ was the most requested document during the exam, which emphasizes the importance of having solid policies and supervisory processes in place. Along with your archive records, your compliance team must be able to show evidence of supervisory systems that monitor your firm’s electronic communications for compliance with corporate policy. It’s not enough to just have the messages available.
3. Know how to archive.
If you don’t have an archiving solution already, now is the time to put one in place that lets your firm capture, archive, search, supervise and produce messages from the many different electronic messaging channels in use at your firm. Since regulators can be expected to ask for records of all of these types of communication, look for an archiving and compliance solution that can handle the internal and external communications channels your firm uses, and where records can be managed under one platform, so you can quickly and easily find all relevant and related messages during an exam, whether they originated in email, an instant message, or a text.
4. Know why it’s important to archive.
A comprehensive archiving solution is the tool that gives your firm the ability to produce data upon request for examiners. As noted above, without an archive you’ll likely have a difficult time finding specific records. What if a regulator asks you to produce Facebook records for two of your reps, from the dates of January 20, 2013 through February 15, 2013—along with all emails exchanged between the reps? Could you find the complete set of these records, and find them quickly? You’d also have to demonstrate to regulators that your compliance team supervised these conversations on Facebook and email. It’s not enough to let the data sit in storage; compliance has to review the communication as part of its written supervisory procedures.
Regarding supervision, regulators are known to ask for:
- Written supervisory procedures.
Regulators look at how firms retain and capture messages, and the firm’s process for review and evidence of policy enforcement. Written supervisory procedures show regulators what actions your firm takes to identify risk and enforce compliance policy.
- Proof of supervision.
Documented records of supervisory procedures—often seen with detailed audit trails—can help demonstrate policy enforcement and evaluation.
- Disaster recovery or business continuity plan.
FINRA requires member firms to create and maintain a written business continuity plan identifying procedures related to a potential emergency or significant business disruption. The procedures must be reasonably designed, and enable a firm to meet its existing obligations to customers. The procedures must also address a firm’s existing relationships with other broker-dealers and counter-parties.
- Archiving vendor solution contract and/or evidence of services provided.
Regulators may ask for evidence of an electronic communications archiving/supervision system, via a vendor contract, to meet the requirements of SEC Rule 17a-4. The solution needs to allow for immediate search and production/export of messages requested by a regulator, whether for email, a Facebook post, or an instant message, etc.
- Third-party attestation letter.
SEC 17a-4 requires firms to have a letter attesting that an independent third-party downloader can provide access to the firm’s electronic records if the firm is unable to do so.
To sum it up: It doesn’t matter if your firm uses email, Facebook, Twitter, text messages, instant messaging or even an enterprise social network to communicate and get work done. All of these are now fair game for inspection!
Find out more about social media compliance and hear directly from Jimmy at SMAC on September 18th in NYC.