FINRA Fine for Raymond James a Timely Reminder of How to Supervise Email Communications
US regulator finds email supervision an obvious and basic compliance failure – “find it first and report it” is the experts’ advice.
The US Financial Industry Regulatory Authority (FINRA) announced on December 21 that it fined Raymond James Financial Services, Inc. $2 million for failing to maintain reasonably designed supervisory systems and procedures for reviewing email communications. In addition, Raymond James agreed to conduct a risk-based retrospective review to detect potential violations evidenced in past emails.
FINRA found that during a nine-year review period, Raymond James’ email review system was flawed in significant respects, allowing millions of emails to evade meaningful review. This created the unreasonable risk that certain misconduct by firm personnel could go undetected by the firm. The combinations of words and phrases – otherwise known as the “lexicon” – used to flag emails for review were not reasonably designed to detect certain potential misconduct that Raymond James, in light of its size, structure, business model, and experience from prior disciplinary actions, knew or should have anticipated would recur from time to time. The firm also failed to devote adequate personnel and resources to the team that reviewed emails flagged by the system, even as the number of emails increased over time.
FINRA also found that Raymond James did not periodically test the configuration and effectiveness of its lexicon-based email surveillance system. The firm’s primary focus was reducing the number of “false positives” that would need to be reviewed rather than ensuring that the system was effectively identifying all potentially problematic categories of emails.
Susan Schroeder, FINRA Executive Vice President, Department of Enforcement, said, “Firms have a clear obligation to reasonably supervise electronic communications, which includes periodically re-evaluating the effectiveness of existing procedures. They should also assess whether their e-mail review and supervisory systems are reasonably designed in light of each firm’s business model.”
In addition, FINRA found that the firm unreasonably excluded from email surveillance certain firm personnel who serviced customer brokerage accounts. Raymond James also failed to apply its entire lexicon to the emails of approximately 1,300 registered representatives who worked in branches that hosted their own email servers.
Significant facts: focus on NASD Rules 3010 and 2110; FINRA Rules 3110 and 2010.
Raymond James (RJFS) relied primarily on an automated lexicon-based system to monitor email. The primary lexicon was not suited to the risks that a firm like RJFS should have expected to occur and recur, including financial distress among reps, borrowing from or lending to customers, and soliciting penny-stock transactions, all of which were prohibited by the firm.
RJFS did not devote adequate personnel and resources to the team that reviewed flagged emails, despite an increase in the volume of alerts over time.
RJFS did not apply the system to its whole universe of reps: only part of the lexicon was applied to approximately 1,300 reps in branches that hosted their own email servers, and certain headquarters personnel who serviced customer accounts were excluded altogether.
RJFS did not regularly test the effectiveness and configuration of the lexicon-based system and had no procedure for doing so. It did add and subtract keywords over time, but purely to reduce false positives rather than to identify existing and new problematic categories of risk.
The manual review of emails by branch managers ran on an ‘honor system’: supervised reps self-selected which of their emails should be reviewed, with no effective means of ensuring that all emails were being reviewed. Electronic records of the email reviews conducted by managers were not kept after those managers had left the firm.
December 2007 release of FINRA Regulatory Notice 07-59 (Supervision of Electronic Communications).
FINRA was at pains in its enforcement advisory to remind firms of its own principles-based guidance from 2007 stressing that a member firm’s obligations to supervise electronic communications are based on the content and audience for the message rather than the electronic form of the communication.
There is also a record-keeping (make and keep records) requirement attached to the use of electronic communications media, imposed by SEC Rules 17a-3 and 17a-4, FINRA Rule 3110 and NYSE Rule 440.
The notice sets forth principles that firms should consider when developing supervisory systems and controls for electronic communications. With the exception of enumerated review required by a supervisor, each firm can use risk-based principles to determine the extent to which internal communication needs review. The guidance recognizes that policies and procedures may differ based on size, structure, product mix and customer base at each firm.
Broadly the guidance is divided into six distinct categories: written policies and procedures; types of e-comm requiring review; identification of the person responsible for e-comm review; method of review for correspondence; frequency of the review of correspondence; documentation of the review of correspondence.
Written policies and procedures: the path towards an effective supervisory system is clear policies and procedures for the general use and supervision of e-comms, both internal and external, updated to address new technology. A policy that has not been updated in the last five years is unlikely to have kept pace with technological change.
There should be a clear list of permissible e-comm mechanisms, with all others prohibited. The distinction between systems permissible for internal and for external communication may also need to be spelt out.
Types of e-comm to be reviewed: any non-member email platforms used to communicate with customers must be captured and reviewed as if these comms were directed through the firm’s own platform. This concept is extended to any personal device that may be used to communicate to the public. A risk-based approach can be applied to the review of internal communication; firms may consider monitoring the effective establishment of information barriers to protect customer or issuer information, as well as to ensure undue influence is not placed on research personnel and conflicts of interest are managed effectively.
Method of review: firms must monitor for compliance with their supervisory procedures’ prescribed frequency, timeliness and quantity parameters. NYSE Rule 472 and NASD Rule 2210 refer to issues that should be of concern and worth identifying, such as: use of confidential, proprietary and inside information; AML; gifts and gratuities; private securities transactions; customer complaints; front running; rumor spreading. Any communication with a customer in a foreign language requires review by someone who understands that language. If a lexicon is used for review, it should be appropriate to the business, kept confidential and evaluated periodically for efficacy. Reviewing every lexicon hit may not be necessary, but the rationale for any such approach needs to be recorded. Regular periodic review of the lexicon list should be conducted to add or delete words and phrases. Any lack of confidence in the lexicon approach can be supplemented by a random review process. Targeted reviews can be warranted where exams, internal audits, customer complaints or regulatory inquiries justify them. The composition of a lexicon, including industry jargon, should be determined by the customer base, location (foreign languages included), and the type and size of the business. The lexicon should produce a meaningful number of flagged alerts, and it should be possible to add and delete entries on an ongoing basis. All disclaimers and trailers need to be excluded from lexicon searches.
Random review of e-comms: firms can use a percentage sampling approach here with no set limit on maximums or minimums but must be reasonable based on the type and complexity and size of the business. The firm can apply an approach based on an office or branch, as well as on an individual basis. In cases where an individual has some disciplinary history or is under heightened supervision, this percentage may rise accordingly.
Combining lexicon and random review of e-comms: FINRA points out the limitations of any single review tool and recommends complementary review techniques. While lexicons have improved, they are easily bypassed: encrypted attachments, images and agreed ‘code’ words all carry content that a keyword search cannot see, and each of these needs to be considered.
Standards applicable to all review systems: firms need to incorporate ongoing evaluation procedures to explore ‘loopholes’ or other issues that arise as the means of transmitting sensitive information under the regulatory radar become more sophisticated and difficult to capture. Firms using automated tools and systems must appreciate their limitations and then consider what additional review is required to account for them.
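The review method described in the preceding paragraphs (a category-keyed lexicon scanned after disclaimers and trailers are stripped, flags for encrypted attachments and images the lexicon cannot read, a random sample whose rate rises for reps under heightened supervision, and a recall check against seeded known-bad messages so that trimming false positives cannot silently lower detection) is shown below as an added example. It is not code from the original article, from FINRA or from Raymond James; the lexicon patterns, trailer markers, attachment extensions, sampling rates and sample messages are all constructed for illustration.

```python
import random
import re
from dataclasses import dataclass, field

# Constructed lexicon keyed by risk category; the categories mirror the ones the
# FINRA action names, the patterns themselves are illustrative.
LEXICON = {
    "lending-to-customer": r"lend(?:ing)? (?:me|you)",
    "borrowing": r"borrow(?:ed|ing)?",
    "penny-stock": r"penny stocks?",
    "guaranteed-return": r"guaranteed returns?",
    "financial-distress": r"behind on (?:my )?(?:mortgage|rent)",
    "off-books": r"off the books",
}
# Constructed disclaimer markers: text from the first one onward is dropped before
# scanning, so firm boilerplate can neither trigger nor pad a hit.
TRAILER_MARKERS = ("This e-mail and any attachments", "Please consider the environment")
ENCRYPTED_EXTS = (".zip", ".7z", ".pgp", ".gpg", ".asc")
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".tif", ".tiff")

@dataclass
class Message:
    msg_id: str
    sender: str
    body: str
    attachments: list = field(default_factory=list)

def strip_trailer(body):
    """Body with everything from the earliest trailer marker removed."""
    cuts = [i for i in (body.find(m) for m in TRAILER_MARKERS) if i != -1]
    return body[:min(cuts)] if cuts else body

def lexicon_hits(body):
    """Risk categories whose pattern matches the body (trailer excluded), case-insensitive."""
    text = strip_trailer(body)
    return [label for label, pat in LEXICON.items()
            if re.search(r"\b" + pat + r"\b", text, re.IGNORECASE)]

def attachment_flags(attachments):
    """Attachments a keyword scan cannot read, so they need eyes on them regardless of hits."""
    flags = []
    for name in attachments:
        low = name.lower()
        if low.endswith(ENCRYPTED_EXTS):
            flags.append("encrypted-or-archived:" + name)
        elif low.endswith(IMAGE_EXTS):
            flags.append("image:" + name)
    return flags

def sample_rate(sender, heightened, base_rate=0.05, heightened_rate=0.25):
    """Random-review percentage, raised for reps under heightened supervision."""
    return heightened_rate if sender in heightened else base_rate

def select_for_review(messages, heightened=frozenset(), seed=0):
    """Review queue of (msg_id, reasons): every lexicon or attachment hit plus a random
    sample. A fixed seed keeps the sampling reproducible so it can be evidenced later."""
    rng = random.Random(seed)
    queue = []
    for m in messages:
        reasons = []
        hits = lexicon_hits(m.body)
        if hits:
            reasons.append("lexicon:" + ",".join(hits))
        reasons.extend(attachment_flags(m.attachments))
        if rng.random() < sample_rate(m.sender, heightened):
            reasons.append("random-sample")
        if reasons:
            queue.append((m.msg_id, reasons))
    return queue

def evaluate_lexicon(seeded_cases):
    """Recall against seeded known-bad bodies: (caught count, missed categories).
    Run before and after each lexicon change; trimming false positives must not lower recall."""
    missed = [cat for body, cat in seeded_cases if cat not in lexicon_hits(body)]
    return len(seeded_cases) - len(missed), missed

# Constructed sample traffic and seeded test cases.
SAMPLE_MESSAGES = [
    Message("m1", "rep.alpha", "Hi Bob, could you lend me $5,000 until bonus time? "
            "I'm behind on my mortgage.\n\nThis e-mail and any attachments are confidential."),
    Message("m2", "rep.beta", "Quarterly statement attached.", ["statement_Q3.pdf"]),
    Message("m3", "rep.gamma", "Details are in the archive; password follows by text.", ["notes.zip"]),
    Message("m4", "rep.delta", "Thanks for lunch. This e-mail and any attachments are "
            "confidential; no guaranteed return is implied."),
]
SEEDED_CASES = [
    ("I put the client into penny stocks last week", "penny-stock"),
    ("Can you lend me some cash until Friday?", "lending-to-customer"),
    ("I'll pay you back next week, promise", "borrowing"),  # no lexicon word: should be missed
]

if __name__ == "__main__":
    for msg_id, reasons in select_for_review(SAMPLE_MESSAGES, heightened={"rep.gamma"}):
        print(msg_id, reasons)
    print(evaluate_lexicon(SEEDED_CASES))
```

Two details carry the page’s points. Message m4 contains “guaranteed return” only inside the disclaimer, so stripping the trailer first stops the boilerplate from generating a hit; and the third seeded case is a borrowing arrangement phrased without any lexicon word, so `evaluate_lexicon` reports it as missed, which is exactly the category gap a periodic lexicon review should close rather than a false positive to be tuned away.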
Frequency of review: this should be linked to the type of business conducted which relates to the market sensitivity of the activity, customer base, scope of activity, location, disciplinary record of individuals, and the volume of communication. Firms should prescribe reasonable time periods within which reviews should be conducted, accounting for type and method of review. As an example, retail business may require more frequent review than institutional.
Documenting the reviews of correspondence that were conducted: reviews must be evidenced on paper or electronically and it must be possible to demonstrate they were conducted. Minimum evidence includes identifying the reviewer, the communications reviewed, date of review, and steps taken where regulatory issues were identified. Merely opening a communication is not evidence of review.
What should firms do now?
Lexicon review: does your current lexicon of keywords and phrases reflect the type of business your firm conducts, the disciplinary history of your reps and the trends in enforcement affecting your peer firms? How long ago was the lexicon reviewed? What methodology is used to add and subtract entries to the lexicon?
Record keeping and reporting: often neglected, this is the first indicator an examiner has of whether there might be larger issues, and it should therefore be done in an organized and methodical way on a regular basis. It is the best place to evidence the quality and quantity of work done to discharge supervisory obligations, and to record what action was taken and why, so that questions raised later by internal audit or a regulatory inquiry can be answered. Governance and control of data is made easier by proper systems; new challenges such as GDPR also need to be considered, as they will put extra burdens on firms around the interrogation and retention of data.
Resourcing the review: do you dedicate enough resources in terms of technology, personnel and back-up to any automated system that offers a multi-dimensional approach to e-comms supervision? Are those resources linked to the volume of communication, the business complexity and the trends in discipline and enforcement affecting the firm?
Configuration and effectiveness of the system: beware simply prioritizing the reduction of false positives! Reducing them is acceptable only when it is balanced with the identification of previously unsighted true positives, and this approach can be evidenced to a regulator or internal auditor as long as the methodology is clear and any automated system is not a black box. Make sure that effectiveness is enhanced by identifying and accounting for new problematic categories of risk that emerge within the organization or are prevalent in the market and at peer firms.
Universe of personnel under review: no one who is customer-facing or is committing the firm in the market or who has access to material non public information can be excluded from review. No exceptions whatever. All communications used in the conduct of business must be covered.