The Legal Perspective: Retaining and Supervising Electronic Communications for Regulatory Compliance

Brian L. Rubin, Susan Krawczyk, Andrew McCormick, Mike Pagani

April 14, 2015


©2014 Sutherland Asbill & Brennan LLP

2014 FINRA ACTIONS

Number of 2014 Cases Filed: 1,397

  • 1,535 cases filed in 2013
  • 9% decrease in 2014
  • The number of cases has declined three straight years
  • 30% increase in the number of cases since 2008

2014 FINRA ACTIONS

Approximately $135M of fines reported in 2014

This is the most FINRA fines reported since 2005 ($149M); 382% increase in fines since 2008


2014 FINRA ACTIONS

Approximately $52M of restitution reported in 2014

This is a new FINRA record.


2014 FINRA ACTIONS

Firms Expelled: The number of firms expelled by FINRA declined from 24 in 2013 to 18 in 2014, a decrease of 25% (following a 20% decrease in the number of firms expelled during the prior year).

Individuals Barred/Suspended: The number of individuals suspended increased from 670 in 2013 to 705 in 2014, an increase of 5%, and the number of individuals barred jumped from 429 in 2013 to 481 in 2014, an increase of 12%.

This is the second year in a row where the number of firms that were expelled decreased significantly, but the number of individuals suspended or barred increased.

2014 FINRA ACTIONS

2014 TOP FINRA ENFORCEMENT ISSUES (by total fines)

1. Research Reports/Analysts: $59 million, 19 cases

2. Advertising: $17 million, 31 cases

3. Best Execution: $14 million, 83 cases

4. Anti-Money Laundering: $13 million, 34 cases

5. Trade Reporting: $11 million, 176 cases

Electronic Communications: FINRA Case Statistics

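| Year | Fines Reported | Percentage Change | Percentage of Total FINRA Fines | Cases Reported | Percentage Change |
|------|----------------|-------------------|---------------------------------|----------------|-------------------|
| 2008 | $2.7M | - | 10% | 24 | - |
| 2009 | $3.5M | 30% | 7% | 24 | 0% |
| 2010 | $2.4M | (31%) | 6% | 35 | 46% |
| 2011 | $3.3M | 38% | 5% | 57 | 63% |
| 2012 | $6.5M | 97% | 9% | 63 | 11% |
| 2013 | $19.8M | 204% | 33% | 68 | 8% |
| 2014 | $2.7M | (86%) | 2% | 54 | (21%) |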

Retaining Electronic Communications

Regulatory Requirements

  • SEC Rule 17a-4(b): “…shall preserve for a period of not less than three years, the first two years in an easily accessible place…[o]riginals of all communications received and copies of all communications sent…”
  • SEC Rule 17a-4(f): if a firm uses electronic storage media, it must notify the SEC and the retention system must be WORM compliant
  • FINRA Rule 3110.09: “Each member shall retain the internal communications and correspondence of associated persons relating to the member's investment banking or securities business for period of time and accessibility specified in . . . Rule 17a-4”
  • FINRA Rule 2210: “members must maintain all retail communications and institutional communications for the retention period required by” Rule 17a-4 and in format and media that comply with the rule

Retaining Electronic Communications

Types of electronic communications that must be retained:

  • internal and external emails
  • emails from DBAs
  • alternative email addresses
  • distribution lists
  • BCC emails
  • encrypted emails
  • third-party system emails
  • IMs, Bloomberg messages, text messages, firm social media posts
  • websites

Retaining Electronic Communications

Technology Best Practices

  • Archiving solution should feature automation – don’t rely on manual processes that allow for missing or deleted information
  • Solution should support multiple message/content types: email, instant messaging, text messaging, websites and social media
  • Solution should capture/index and render each message type in its original native format – especially important for social media
  • No silos – your archiving solution should feature a consolidated indexing scheme and search/processing interface across all the content/content types being archived

Retaining Electronic Communications

Other types of electronic communications supervision essentials that must be retained


Retaining Electronic Communications

Most commonly requested content types

1. Email

2. Website pages

3. Instant messages

4. Bloomberg or Reuters messages

5. Social media

6. Email marketing

7. Text/SMS messages


Retaining Electronic Communications: Lessons from Enforcement Actions

Mobile devices should be configured properly.

  • A 2014 FINRA case resulted in a $275,000 fine for allegations that emails sent from Blackberry devices to recipients outside the firm were not retained. FINRA also alleged that no Blackberry messages were retained.

Firms must also retain instant messages.

  • A 2013 FINRA case resulted in a $3.75M fine for allegations that the firm did not retain electronic records in a WORM format over a 10-year period, including trade confirmations, email attachments, and 3.3 million Bloomberg instant messages.

Retaining Electronic Communications: Lessons from Enforcement Actions

Retention failures can lead to significant fines.

  • A 2013 FINRA case resulted in a $7.5M fine for systemic email retention failures. Allegations that the firm could not access hundreds of millions of emails, failed to review tens of millions of emails, and misled FINRA during the investigation. Firm ordered to pay $1.5M to litigants who may have been impacted by these email issues.

Unique categories of emails must also be retained.

  • A 2013 FINRA case resulted in a $1.2M fine for five affiliated firms for allegedly failing to retain unique categories of emails, including BCC emails, emails to distribution lists, emails to/from alternate addresses, and encrypted emails.

Supervising Electronic Communications: Regulatory requirements for supervision of retail and institutional communications

FINRA Rule 2210 applies

Retail communications:

  • Must be approved by qualified principal before use or filing with FINRA

Institutional communications:

  • Must have procedures
      • Appropriate to business, size, structure and customers
      • For review by qualified principal
      • Reasonably designed to ensure compliance with applicable standards
  • If each communication is not reviewed:
      • Education and training of associated persons
      • Documentation of education and training
      • Surveillance and follow-up to ensure compliance

Supervising Electronic Communications: Regulatory requirements for supervision of correspondence

FINRA Rule 3110(b)(4): supervisory procedures must require:

  • Review of incoming and outgoing written (including electronic) correspondence to properly identify and handle in accordance with firm procedures, customer complaints, instructions, funds and securities and communications that are of a subject matter that require review under FINRA rules and federal securities laws
  • Review of internal communications to properly identify those communications of a subject matter requiring review under FINRA rules and federal securities laws
  • Review must be conducted by a registered principal
  • Review must be evidenced in writing, either electronically or on paper

Supervising Electronic Communications

Risk-based approach permitted

FINRA Rule 3110.06

  • Must consider whether to adopt additional procedures for the review of matters outside the specified subject matter that are necessary for the firm's business and structure
  • Must have procedures that provide for:
      • Education/training about correspondence procedures
      • Documenting education/training about procedures
      • Surveillance and follow-up to make sure procedures are implemented and followed

Supervising Electronic Communications

Additional guidance on supervisory reviews of correspondence

FINRA Rule 3110.09

  • Name of person who prepared correspondence must be in the records

FINRA Rule 3110.07

  • Evidence of review required must be chronicled electronically or on paper
  • Evidence must clearly identify the reviewer, the internal communication or correspondence that was reviewed, the date of review, and the actions taken by the member as a result of any significant regulatory issues identified during the review
  • “Merely opening a communication is not sufficient review.”

FINRA Rule 3110.08:

  • Supervisor remains ultimately responsible for the performance of all necessary supervisory reviews, irrespective of whether he or she delegates functions related to the review

Supervising Electronic Communications

Supervisory systems commonly rely on automated tools and systems

  • Lexicon based reviews
  • Random reviews
  • Combination of methods

Ability to review attachments

Need for ongoing evaluation procedures

  • Identify and address “loopholes” and developments
  • Know and work around limitations

Supervising Electronic Communications

Technology best practices

  • Look for regulators to expect a more sophisticated approach to supervision beyond basic keywords, including:
      • Flagging of messages from specific individuals or groups deemed “high risk”
      • Assigning points to specific types of violations (scoring)
  • Ensure your lexicon/keywords and groups are reviewed and updated or “fine tuned” on a regular basis to ensure you’re adequately flagging the right messages and optimizing the process
  • Look for a solution that will automate some of the supervision tasks
  • Ask your provider what they can do. Many firms are not taking full advantage of the capabilities of their archiving provider.

Supervisory Systems

Technology Best Practices

  • Monitor messages with attachments and their contents
  • Monitor and review encrypted emails using an email encryption service that works seamlessly with, or is an extension of, your overall archiving solution
  • Communicate any and all changes to your firm’s email hosting or tech configuration to your archiving vendor to avoid any journaling disruption
  • Perform internal evaluations to ensure all supervision and enforcement activities take place – look for a solution that provides easy activity and audit trail reporting

Supervising Electronic Communications: Lessons from Enforcement Actions

Lexicon search terms should be robust and relevant.

  • A 2013 FINRA case resulted in a $100,000 fine for allegations that the surveillance software used by the firm did not flag emails containing language such as “no principal risk,” “completely liquid,” and “principal protection.”
  • A 2012 FINRA case resulted in a $100,000 fine for allegations that the firm did not update its email lexicon to reflect concerns about a representative who was experiencing financial troubles, which caused the firm not to review emails evidencing the representative’s misconduct.

Supervising Electronic Communications: Lessons from Enforcement Actions

Software must be properly configured.

  • A 2014 FINRA case resulted in a $250,000 fine for allegations that the firm did not subject 12.6M DBA emails to a surveillance review due to technological problems with a software update. FINRA also alleged that the firm did not perform regular testing to make sure the surveillance system was working properly.
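An added example, not part of the original slides or any vendor's product: a small lexicon-plus-scoring review filter of the kind the technology best practices describe (points per phrase, extra weight for "high risk" senders, attachment text included), with a seeded self-test that would catch both the stale-lexicon and the broken-after-update failures from the enforcement cases. The point values, addresses, threshold and the extra "guaranteed return" term are assumptions.

```python
from dataclasses import dataclass
import re

# Phrases are the ones named in the 2013 case above plus one hypothetical
# term; all point values, addresses and the threshold are assumptions.
LEXICON = {"no principal risk": 5, "completely liquid": 5,
           "principal protection": 5, "guaranteed return": 4}
CANARIES = ["no principal risk", "completely liquid", "principal protection"]
HIGH_RISK_SENDERS = {"rep17@example.com"}   # hypothetical "high risk" group
HIGH_RISK_POINTS = 3
REVIEW_THRESHOLD = 5

@dataclass
class Message:
    sender: str
    body: str
    attachment_text: str = ""   # text extracted from attachments, if any

def normalize(text):
    # Lower-case and collapse punctuation/line breaks so that
    # "Principal-\nProtection" still matches "principal protection".
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))

def score(msg, lexicon=LEXICON):
    """Return (points, matched phrases) for body plus attachment text."""
    text = f" {normalize(msg.body + ' ' + msg.attachment_text)} "
    hits = [p for p in lexicon if f" {p} " in text]
    points = sum(lexicon[p] for p in hits)
    if msg.sender.lower() in HIGH_RISK_SENDERS:
        points += HIGH_RISK_POINTS
    return points, hits

def needs_review(msg, lexicon=LEXICON):
    return score(msg, lexicon)[0] >= REVIEW_THRESHOLD

def self_test(lexicon=LEXICON):
    """Run one seeded message per canary phrase; return phrases not flagged."""
    return [p for p in CANARIES
            if not needs_review(Message("canary@example.com", p.upper() + "!"), lexicon)]

# Constructed sample messages.
SAMPLES = [
    Message("advisor@example.com", "It is COMPLETELY liquid, with no principal risk."),
    Message("advisor@example.com", "See attached.", "Guaranteed return of 8%"),
    Message("rep17@example.com", "See attached.", "Guaranteed return of 8%"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, score(m), needs_review(m))
    print("canaries missed:", self_test())
```

Running `self_test()` on a schedule and after every lexicon or software change gives a written record that the surveillance path still flags what it is supposed to.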

Questions?

Sutherland

Brian L. Rubin

Susan Krawczyk

Andrew McCormick

@SUTHERLAND_LAW

Smarsh

Mike Pagani

@Mike_Pagani

https://www.linkedin.com/pub/mikepagani/1/229/801

@SMARSHINC