Financial Services: Review of electronic communications

January 29, 2008

By James J. Eccleston
Shaheen, Novoselsky, Staat, Filipowski & Eccleston

FINRA (the Financial Industry Regulatory Authority) has issued Regulatory Notice 07-59 relating to electronic communications, such as e-mail, instant messaging, text messaging, weblogs, and podcasting, which financial services firms and their employees may use to conduct business. Let’s examine the key points of the notice.

Preliminarily, firms must establish, maintain, and enforce electronic communication supervisory systems and procedures reasonably designed to achieve compliance with securities laws and rules. FINRA recognizes that technological innovations have brought and will continue to bring new challenges in supervising electronic communications.

FINRA also recognizes that supervisory systems and procedures may differ among firms, depending on their size and the type of business that they conduct. And, with some exceptions for mandatory reviews, firms “generally may decide by employing risk-based principles the extent to which the review of incoming, outgoing and internal electronic communications is necessary in accordance with the supervision of their business.”

In Notice 07-59, FINRA divides its guidance into six categories. These are: (1) written policies and procedures; (2) types of communications requiring review; (3) identification of the persons responsible for the review; (4) method of review; (5) frequency of the review; and (6) documentation of the review.

First, regarding written policies and procedures, FINRA recommends that firms allow employees quick and easy access to their policies and procedures. Firms should state what forms of electronic communication are permissible, and which are not permissible. Firms should specify the consequences for non-compliance with those policies and procedures, and should conduct training on a regular and as-needed basis.

Second, FINRA notes that, regardless of what technology is used, if a firm permits its use, then it must have systems and procedures in place reasonably designed to supervise those communications.

As technologies now extend beyond office network servers and firm e-mail addresses to other e-mail platforms (such as AOL or Yahoo mail), message boards, and E-faxes, FINRA notes that some firms choose simply to block access, prohibit use, and require compliance certifications by employees.

FINRA expects firms “to prohibit, through policies and procedures, communications with the public for business purposes from employees’ own electronic devices unless the member is capable of supervising, receiving and retaining such communications.”

Third, a firm’s procedures must clearly identify the person responsible for performing the reviews. While the reviewer may delegate certain functions, all reviewers must have “sufficient knowledge, experience and training to adequately perform the reviews.” Finally, an individual must not conduct supervisory reviews of his or her own electronic communications (unless there is no reasonable alternative, as with a sole proprietor).

Fourth, regarding the method of review, FINRA discusses lexicon-based reviews, random reviews and a combination of both methods. Lexicon-based reviews should contain a meaningful list of phrases, words, and industry jargon based on the type of business that the firm conducts and its customer base.

The list should be able to yield a meaningful sample of “flagged” communications. The system should be able to read attachments.

When firms select the random review method, they can choose to review either a certain percentage of electronic communications based on a branch, department, or business unit, or a certain percentage for each individual in the branch, department, or business unit.

FINRA recommends that firms use a combination of both methods - lexicon-based reviews and random reviews.

Additionally, no matter what method firms choose, they must “alert their reviewers as to the issues to be raised and the material to be examined, including acceptable content.” Likewise, firms must “incorporate ongoing evaluation procedures to identify and address any ‘loopholes’ or other issues that may arise as the means of transmitting sensitive information ‘under the regulatory radar’ become more sophisticated and difficult to capture.”

Fifth, FINRA states that the frequency of the review will vary depending on the type of business conducted, the type of customers involved, the scope of the activities, the geographical location of the activities, the disciplinary record of those involved, and the volume of communications subject to review.

FINRA also recommends that firms prescribe reasonable time frames for supervisors to complete their reviews.

Finally, firms must document their reviews. FINRA recommends that, at a minimum, firms must evidence the date of the review and any steps taken as a result of the review. FINRA cautions that reviewers do not satisfy this requirement merely by opening the electronic communication.

In conclusion, FINRA’s guidance should help firms navigate the difficult and ever-changing waters of supervising electronic communications.
