Email supervision is a key instrument in any compliance officer’s tool box. FINRA’s enforcement shows that having a supervisory system isn’t enough…it’s how you use it.

In April 2019, a broker-dealer submitted a Letter of Acceptance, Waiver, and Consent (AWC) to FINRA after the regulator found the firm had failed to establish, maintain, and enforce its supervisory system relating to reviews of electronic correspondence. In settling the case with FINRA, the firm accepted the findings without admitting guilt. As part of the settlement, it paid a fine of $32,500.

This case highlights FINRA’s focus on how broker-dealers conduct effective reviews of their electronic correspondence to meet their supervision requirements.

FINRA found that, during an eight-month period in 2013, the firm failed to conduct adequate supervision in relation to its review of emails. The firm’s email review process consisted of the chief compliance officer (CCO) conducting reviews every week. The reviews alternated between:

• 100 emails randomly selected by the firm’s email archive vendor; and
• messages flagged by the email system as containing a suspicious word or phrase from a lexicon of 24 search terms created by the firm.

FINRA found that the firm did not take into account relevant factors of its structure and business when developing its email review process insofar as:

• in determining the number of emails reviewed, as well as the frequency of the reviews, the firm did not take into account particular aspects of its business, such as:
  • branch offices;
  • registered representatives; and
  • business units.
• in determining its lexicon of search terms, the firm did not customize terms based on its risk factors. Further, it did not assess whether the terms it used would produce results that would effectively supervise the firm’s business.
• in addition, the firm’s written supervisory procedures (WSPs) did not sufficiently describe how the broker-dealer would set up and conduct the supervisory review of electronic communications. Specifically, the WSPs failed to detail:
  • the type or scope of the electronic communication reviews;
  • how often the reviews would occur; or
  • the person at the firm responsible for conducting the reviews.

Previously, many enforcement actions regarding emails focused on archiving records pursuant to regulatory requirements. However, in 2018, FINRA settled two enforcement actions for inadequate supervisory systems related to reviews of email correspondence, followed by two more actions in 2019, including the case detailed above. FINRA also settled another two cases involving deficient supervisory systems over email reviews in 2018.

Many FINRA enforcement actions include citations for inadequate supervisory systems and other underlying violations. The findings typically assert that an underlying violation may not have occurred if the firm had established an effective supervisory process. In the case above, the underlying violations were related to potentially fraudulent activity by a registered representative, which FINRA discovered in a review of the representative’s emails. This discovery led FINRA to investigate why the firm had not found the same issues during its email reviews.

Based on this case and the media attention it attracted, firms need to re-examine whether their current process for reviewing communications with the public is effective. Firms should focus on making the review process more meaningful in relation to their business.

In the highlighted case, FINRA suggested that reviews must be “comprehensive enough to yield a meaningful sample of flagged communications.” For many firms, current methodologies that review a large number of emails based upon a lexicon of search terms and a random selection of emails generally yield very few findings. More targeted reviews of specific employees and/or time periods would produce better results. In addition, some firms have found that filtering out “junk” emails provides a better population and quality of emails for their review.

Electronic communications have continued to evolve since 2013, when the activity noted in the AWC took place. In addition to emails, many firms also review the following communications:

• instant messaging;
• text messaging;
• social media communication.

Firms frequently conduct these reviews using several different systems. As a result, reviews of electronic communications have become more complex and challenging for broker-dealers.

Over the past few years, FINRA has provided guidance regarding reviews of email activity and social media activity. FINRA continues to focus on the process firms use to conduct email reviews. This contrasts markedly with previous guidance, which had placed a greater emphasis on the percentage of emails reviewed as opposed to a qualitative, risk-based approach. This shift further underscores the need for firms to develop an effective review of their communications with the public.

Firms have many options available to them when developing effective supervisory systems for the review of electronic correspondence. While the following items do not represent an exhaustive list, they offer some suggestions for the ways that firms can more effectively supervise their communications with the public.

Permitted communications with the public

Firms should consider the following when deciding which communication methods they will permit registered representatives to use with the public:

• ability to archive the communications;
• ability to supervise the activity;
• risk to the firm of the types of communications permitted;
• for social media:
  • what social media sites will be permitted?
  • what activity on social media sites will be permitted.

This is not an exhaustive list. Firms should consider all the activities they see from their employees. FINRA has also offered additional guidance on the above-noted areas over the years.

Historically, many firms have encountered issues with archiving communications other than email, leading them to prohibit those activities. Technological advances mean that many solutions are now available for archiving texts, social media, and instant messaging. At a minimum, firms need to develop a comprehensive social media policy that considers all the forms of communication that are available in the marketplace.

Tone at the top

Unfortunately, many firms regard email reviews as something they are “required” to do, as opposed to prudent business management. Supervisory reviews and approvals of electronic communications must be a collaborative effort between the individuals conducting the review, the principals approving the review, and compliance. Regardless of who conducts the reviews, the results should be provided to upper management to ensure the activity is taken seriously. As noted in the case above, had there been effective reviews the firm may have detected potentially fraudulent activity. Senior management should be aware of this business risk and take consistent remedial action to further demonstrate the importance of proper electronic communications to employees.

Who conducts the reviews?

In many firms, as in the case above, compliance conducts electronic communication reviews. Firms using this structure should develop a mechanism for communicating the results of these reviews to the business units and senior management. If firms have principals in the business units who are conducting the reviews, the business units must take this activity seriously. For firms using this methodology, compliance plays a critical oversight role in ensuring that the reviews are effective.

How the reviews are conducted

Firms need to develop an effective approach to conducting the reviews. As noted previously, many firms use multiple systems to conduct reviews. These range from tools provided by the archiving vendor to separate applications that pull in the activity from multiple sources.

Once they determine the tools they will use, firms need to design a process for conducting the reviews. Effective processes accomplish the following key tasks:

• assign the reviews to qualified persons who also receive applicable training;
• establish an appropriate frequency for conducting the reviews;
• identify and document the methodology for determining what items will be reviewed;
• document the reviews.

Note that FINRA generally expects firms to conduct reviews no less than monthly.

FINRA has indicated that the facts and circumstances of a firm’s business should play a role in determining which emails to review. Historically, although FINRA has advocated that a certain percentage be reviewed, it has not prescribed a specific number. While many firms have settled on reviewing 1%-2% of their emails by volume, firms can achieve a more effective review by using a risk based approach. Firms can adopt this as their primary methodology or use it to augment their current process. Note that many CCOs see issues arising from a risk-based approach that does not include a review of a significant volume of emails, since FINRA still expects firms to identify the quantity of emails they will review.

Firms should consider other guidance FINRA has given for more general surveillance of trading activity as they develop their correspondence review process. For example, FINRA has stated that when developing a surveillance system, firms need to ensure the parameters for the surveillance are set to yield meaningful results. Parameters that result in too many false positives, or too few results for escalation, may not be effective. Firms should consider the following as they develop their review process:

• fine tuning the auto-flagging system that uses a lexicon of search terms;
• conducting either ongoing or periodic (e.g. quarterly) deeper dives such as:
  • identifying specific employees or groups of employees (e.g. Research, Trading Desk) for review during the period;
  • identifying a specific timeframe for review (e.g. the period of time prior to the announcement of a deal).
• filtering out third-party emails such as generic research or junk mail;
• identifying certain product discussions to scrutinize further (e.g. a specific deal or variable product);
• following up on emails sent to personal email addresses of employees.

The above recommendations should help firms to develop a qualitative review based on their particular business activities and needs.

Periodic review of the lexicon

Developing an effective email review process requires firms to take the time to test and refine the parameters used to flag emails, as well as the method they use to analyze those emails. Firms should continue to enhance this process over time to ensure it continues to yield effective results.

In the above case study, the firm did not customize its lexicon of search terms to match its business activities and needs. In developing a risk-based system, firms must develop a lexicon search beyond what they receive “out of the box” from their review software. Once firms have determined the words and phrases they wish to use in their lexicon search, they must test them to ensure the system yields appropriate results. Firms should also document this entire process so they can demonstrate to FINRA how the process is relevant to their business. In addition, firms should review these risk parameters periodically to ensure they remain meaningful.

As with any supervisory activity, documentation is critical. The more evidence firms can furnish to examiners, the better chance they have of proving their electronic communication review process is part of an effective supervisory system.

Technology continues to change how firms conduct their supervision and compliance tasks. To keep up with these changes, firms must develop a comprehensive review process to ensure they use technology efficiently, supervise their business effectively, and comply with all regulatory requirements. Periodic enhancement and customization of a firm’s communications review process plays a key role in ensuring firms avoid becoming a cautionary tale.