Retaining and Supervising Electronic Communications for Regulatory Compliance
Brian L. Rubin, Susan Krawczyk, Andrew McCormick, Mike Pagani
April 14, 2015
Jul 31, 2015
©2014 Sutherland Asbill & Brennan LLP
2014 FINRA ACTIONS
Number of 2014 cases filed: 1,397 (1,535 cases filed in 2013)
9% decrease in 2014
The number of cases has declined three straight years
30% increase in the number of cases since 2008
Approximately $135M of fines reported in 2014
This is the most FINRA fines reported since 2005 ($149M); 382% increase in fines since 2008
Approximately $52M of restitution reported in 2014
This is a new FINRA record.
Firms Expelled: The number of firms expelled by FINRA declined from 24 in 2013 to 18 in 2014, a decrease of 25% (following a 20% decrease in the number of firms expelled during the prior year).
Individuals Barred/Suspended: The number of individuals suspended increased from 670 in 2013 to 705 in 2014, an increase of 5%, and the number of individuals barred jumped from 429 in 2013 to 481 in 2014, an increase of 12%.
This is the second year in a row where the number of firms that were expelled decreased significantly, but the number of individuals suspended or barred increased.
2014 TOP FINRA ENFORCEMENT ISSUES (by total fines)
1. Research Reports/Analysts: $59 million, 19 cases
2. Advertising: $17 million, 31 cases
3. Best Execution: $14 million, 83 cases
4. Anti-Money Laundering: $13 million, 34 cases
5. Trade Reporting: $11 million, 176 cases
Electronic Communications: FINRA Case Statistics
Year  Fines Reported  Percentage Change  Percentage of Total FINRA Fines  Cases Reported  Percentage Change
2008  $2.7M           -                  10%                              24              -
2009  $3.5M           30%                7%                               24              0%
2010  $2.4M           (31%)              6%                               35              46%
2011  $3.3M           38%                5%                               57              63%
2012  $6.5M           97%                9%                               63              11%
2013  $19.8M          204%               33%                              68              8%
2014  $2.7M           (86%)              2%                               54              (21%)
Retaining Electronic Communications
Regulatory Requirements
  SEC Rule 17a-4(b): “…shall preserve for a period of not less than three years, the first two years in an easily accessible place…[o]riginals of all communications received and copies of all communications sent…”
  SEC Rule 17a-4(f): if a firm uses electronic storage media, must notify SEC and the retention system must be WORM compliant
  FINRA Rule 3110.09: “Each member shall retain the internal communications and correspondence of associated persons relating to the member's investment banking or securities business for period of time and accessibility specified in . . . Rule 17a-4”
  FINRA Rule 2210: “members must maintain all retail communications and institutional communications for the retention period required by” Rule 17a-4 and in format and media that comply with the rule
Types of electronic communications that must be retained:
  internal and external emails
  emails from DBAs
  alternative email addresses
  distribution lists
  BCC emails
  encrypted emails
  third-party system emails
  IMs, Bloomberg messages, text messages, firm social media posts
  websites
Technology Best Practices
  Archiving solution should feature automation – don’t rely on manual processes that allow for missing or deleted information
  Solution should support multiple message/content types: Email, instant messaging, text messaging, websites and social media
  Solution should capture/index and render each message type in its original native format – especially important for social media
  No silos – your archiving solution should feature a consolidated indexing scheme and search/processing interface across all the content/content types being archived
Other types of electronic communications supervision essentials that must be retained
Most commonly requested content types
1. Email
2. Website pages
3. Instant messages
4. Bloomberg or Reuters messages
5. Social media
6. Email marketing
7. Text/SMS messages
Retaining Electronic Communications: Lessons from Enforcement Actions
Mobile devices should be configured properly.
  A 2014 FINRA case resulted in a $275,000 fine for allegations that emails sent from Blackberry devices to recipients outside the firm were not retained. FINRA also alleged that no Blackberry messages were retained.
Firms must also retain instant messages.
  A 2013 FINRA case resulted in a $3.75M fine for allegations that the firm did not retain electronic records in a WORM format over a 10-year period, including trade confirmations, email attachments, and 3.3 million Bloomberg instant messages.
Retention failures can lead to significant fines.
  A 2013 FINRA case resulted in a $7.5M fine for systemic email retention failures.
  Allegations that the firm could not access hundreds of millions of emails, failed to review tens of millions of emails, and misled FINRA during the investigation. Firm ordered to pay $1.5M to litigants who may have been impacted by these email issues.
Unique categories of emails must also be retained.
  A 2013 FINRA case resulted in a $1.2M fine for five affiliated firms for allegedly failing to retain unique categories of emails, including BCC emails, emails to distribution lists, emails to/from alternate addresses, and encrypted emails.
Supervising Electronic Communications: Regulatory requirements for supervision of retail and institutional communications
FINRA Rule 2210 applies
Retail communications:
  Must be approved by qualified principal before use or filing with FINRA
Institutional communications:
  Must have procedures
    Appropriate to business, size, structure and customers
    For review by qualified principal
    Reasonably designed to ensure compliance with applicable standards
  If each communication is not reviewed:
    Education and training of associated persons
    Documentation of education and training
    Surveillance and follow-up to ensure compliance
Supervising Electronic Communications: Regulatory requirements for supervision of correspondence
FINRA Rule 3110(b)(4): supervisory procedures must require:
  Review of incoming and outgoing written (including electronic) correspondence to properly identify and handle in accordance with firm procedures, customer complaints, instructions, funds and securities and communications that are of a subject matter that require review under FINRA rules and federal securities laws
  Review of internal communications to properly identify those communications of a subject matter requiring review under FINRA rules and federal securities laws
  Review must be conducted by a registered principal
  Review must be evidenced in writing, either electronically or on paper
Supervising Electronic Communications
Risk-based approach permitted
FINRA Rule 3110.06
  Must consider whether to adopt additional procedures for the review of matters outside the specified subject matter that are necessary for the firm's business and structure
  Must have procedures that provide for:
    Education/training about correspondence procedures
    Documenting education/training about procedures
    Surveillance and follow-up to make sure procedures are implemented and followed
Additional guidance on supervisory reviews of correspondence
FINRA Rule 3110.09
  Name of person who prepared correspondence must be in the records
FINRA Rule 3110.07
  Evidence of review required must be chronicled electronically or on paper
  Evidence must clearly identify the reviewer, the internal communication or correspondence that was reviewed, the date of review, and the actions taken by the member as a result of any significant regulatory issues identified during the review
  “Merely opening a communication is not sufficient review.”
FINRA Rule 3110.08:
  Supervisor remains ultimately responsible for the performance of all necessary supervisory reviews, irrespective of whether he or she delegates functions related to the review
Supervisory systems commonly rely on automated tools and systems
  Lexicon-based reviews
  Random reviews
  Combination of methods
Ability to review attachments
Need for ongoing evaluation procedures
  Identify and address “loopholes” and developments
  Know and work around limitations
Technology best practices
  Look for regulators to expect a more sophisticated approach to supervision beyond basic keywords, including:
    Flagging of messages from specific individuals or groups deemed “high risk”
    Assigning points to specific types of violations (scoring)
  Ensure your lexicon/keywords and groups are reviewed and updated or “fine tuned” on a regular basis to ensure you’re adequately flagging the right messages and optimizing the process
  Look for a solution that will automate some of the supervision tasks
  Ask your provider what they can do. Many firms are not taking full advantage of the capabilities of their archiving provider.
Supervisory Systems
Technology Best Practices
  Monitor messages with attachments and their contents
  Monitor and review encrypted emails using an email encryption service that works seamlessly with, or is an extension of, your overall archiving solution
  Communicate any and all changes to your firm’s email hosting or tech configuration to your archiving vendor to avoid any journaling disruption
  Perform internal evaluations to ensure all supervision and enforcement activities take place – look for a solution that provides easy activity and audit trail reporting
Supervising Electronic Communications: Lessons from Enforcement Actions
Lexicon search terms should be robust and relevant.
  A 2013 FINRA case resulted in a $100,000 fine for allegations that the surveillance software used by the firm did not flag emails containing language such as “no principal risk,” “completely liquid,” and “principal protection.”
  A 2012 FINRA case resulted in a $100,000 fine for allegations that the firm did not update its email lexicon to reflect concerns about a representative who was experiencing financial troubles, which caused the firm not to review emails evidencing the representative’s misconduct.
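The lexicon, scoring and "high risk" sender flagging described in the technology best practices can be sketched as follows. This is an added example, not code from the presentation or from any archiving vendor; the three phrases come from the 2013 case above, while the point values, threshold, addresses and messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Phrases taken from the enforcement action above; the point values are assumptions.
LEXICON = {
    "no principal risk": 5,
    "completely liquid": 5,
    "principal protection": 4,
}
HIGH_RISK_SENDERS = {"rep17@example.com"}  # hypothetical watch list
HIGH_RISK_BONUS = 3      # assumed extra points for a watched sender
REVIEW_THRESHOLD = 5     # assumed score that queues a message for principal review

@dataclass
class Message:
    sender: str
    body: str
    attachment_text: str = ""  # text extracted from attachments, if any

def _normalize(text):
    # Lower-case and collapse punctuation/whitespace so "principal-protection" still matches.
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def score(msg):
    """Return (score, hits) for one message, body and attachment text included."""
    text = " " + _normalize(msg.body + " " + msg.attachment_text) + " "
    hits = sorted(p for p in LEXICON if " " + p + " " in text)
    total = sum(LEXICON[p] for p in hits)
    if msg.sender.lower() in HIGH_RISK_SENDERS:
        total += HIGH_RISK_BONUS
    return total, hits

def review_queue(messages):
    """Messages at or above the threshold, highest score first."""
    scored = [(score(m)[0], i) for i, m in enumerate(messages)]
    ranked = sorted(scored, key=lambda t: (-t[0], t[1]))
    return [messages[i] for s, i in ranked if s >= REVIEW_THRESHOLD]

# Constructed sample messages.
SAMPLE = [
    Message("advisor1@example.com", "This note is COMPLETELY  liquid, call me."),
    Message("advisor2@example.com", "Lunch on Friday?"),
    Message("rep17@example.com", "See attached.", "Offers principal-protection through 2020."),
    Message("rep17@example.com", "Running late today."),
]

if __name__ == "__main__":
    for m in review_queue(SAMPLE):
        print(score(m), m.sender)
```

The third sample message is flagged only because attachment text is scored and the sender is on the watch list, which is why both inputs belong in the review pipeline.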
Software must be properly configured.
  A 2014 FINRA case resulted in a $250,000 fine for allegations that the firm did not subject 12.6M DBA emails to a surveillance review due to technological problems with a software update. FINRA also alleged that the firm did not perform regular testing to make sure the surveillance system was working properly.
Questions?
Sutherland
  Brian L. Rubin
  Susan Krawczyk
  Andrew McCormick
  @SUTHERLAND_LAW
Smarsh
  Mike Pagani
  @Mike_Pagani
  https://www.linkedin.com/pub/mikepagani/1/229/801
  @SMARSHINC