The Securities Exchange Act requires broker-dealers to create certain records, retain them for various lengths of time, and keep them in specified formats.
In addition, FINRA has its own recordkeeping rules and serves as an enforcement body for its member companies, as well as for the SEC andMunicipal Securities Rulemaking Board. For example, FINRA Rules 3110 and 3120 govern supervisory systems and supervisory procedures as they relate to, among other things, electronic communications. These rules require the documentation and on-going review, testing, and validation of these systems and procedures.
Violations of FINRA rules can result in fines and other disciplinary actions against member companies and personnel. In 2018, approximately $96 million in fines were assessed by FINRA to member firms.
Common enforcement themes were related to Anti-Money Laundering, Books and Records, and Sales Practice Supervision. In analyzing the enforcement associated with electronic communications under Books and Records, three top trends emerge for which firms should implement best practices:
- Written supervisory procedures
- Relevant lexicons
- Testing supervisory controls
Written Supervisory Procedures
In 2018 several firms were fined for inadequate written supervisory procedures (WSPs) for electronic communication supervision. Specifically, the WSPs did not document the specific expectations or requirements for not only the overall process but also the individuals responsible for it.
For example, WSPs did not outline the percentage of messages to be reviewed or the frequency of reviews. In addition, they did not specify who was responsible for conducting reviews and the documentation required to evidence them.
The inadequate WSPs resulted in messages not being reviewed or not reviewed timely, and only a very limited sample set of messages eligible for review were reviewed. Furthermore, reviews were not clearly documented to evidence any type of questionable activity that was detected, investigated and handled accordingly.
It is important for firms to have WSPs for any process in place, which need to clearly outline the expectations and requirements of the process. This will ensure that everyone involved knows and understands their roles and responsibilities.
With respect to WSPs for Electronic Communication Supervision, they should include:
- An overview of a firm’s digital communication supervision process:
- Individuals being supervised
- Message types being supervised (directionality should be outlined)
- Methodology for message selection: lexicon-based, random sampling, combination
- Percentage of messages to be reviewed
- Frequency of reviews
- Well-defined responsibilities for all parties involved with the process.
- Clear and concise requirements for the expectations of documenting of reviews and a clear escalation path for issues that arise.
Penalized firms using a lexicon-based approached to the supervision of electronic communication did not ensure or evaluate the lexicons being used were relevant to the business being conducted by the firm or the specific risks of the firm.
As a result, specific risks associated with firm business were not identified, investigated and addressed. These firms did not have a process in place to periodically review lexicons to update them based on new regulations or specific risks to the firm, such as, advisors experiencing financial difficulty, borrowing or lending money to customers or sales practices strictly prohibited by the firm.
Whether firms develop their own lexicons or use those developed by third-party vendors, it is extremely important to address the regulatory activity and internal risks specific to the firm and its business. Ensure the lexicons being used have context around them rather than using standalone words, such as, guarantee, cash or complain. This will ensure they are targeted and focused on the risk activity trying to be detected. Having context around lexicons will also help minimize false-positives and unnecessary reviews which place a considerable burden on time and resources.
Lastly, firms should develop a plan to revisit lexicons at a minimum annually to ensure they are current and specific to the risk activity of the business.
Testing Supervisory Controls
Regular testing of the digital communication supervision process was not conducted by the fined firms to confirm WSPs were being followed. Based on the lack of process testing, penalized firms were not conducting reviews, investigating or handling regulatory violations and, most importantly, not proactively detecting whether their overall process was deficient.
All firms should have regularly scheduled formal testing plans for all WSPs and their overall processes. Testing will ensure processes are being followed and gaps are quickly identified and addressed.
A formal testing plan for digital communication should include WSPs and the following:
- Measurement of overall flagging rates. Gauge that the rate is not too high:
- A very high rate could result in a backlog review and missing issues requiring investigation and corrective actions.
- A high rate usually lends itself to the need for lexicon refinements.
- Sampling flagged and random messages to ensure:
- Lexicons accuracy.
- Detect messages that did not flag but should have flagged for review.
By outlining formal WSPs with well-defined roles and responsibilities, the application of specific business risk lexicons and a well-thought-out testing strategy could have easily averted many of the 2018 enforcement cases associated with the supervision of electronic communication.
For FINRA regulated broker-dealers and other firms, it is imperative to comply with FINRA Rules 3110 and 3120, which govern supervisory systems and supervisory control procedures. Adopting the best practices outlined here will help in meeting these requirements and reduce the potential for fines and/or other disciplinary actions by FINRA.
Proofpoint can help you in these efforts through our Compliance and Supervision Professional Services Team which has industry expertise in the overall supervision of electronic communication. For more information, please contact us here.
Subscribe to the Proofpoint Blog