The Future of E-compliance
By Matt Smith, Securities Industry News
February 25, 2008
Electronic communications encompass much more than just e-mail in this day and age. Employees use a variety of options to communicate on the job, whether they are sitting at their desks inside the office, sharing information remotely via the Web or accessing messages on the go with a mobile device. E-communications include instant messaging, text messaging, blogs, Web meetings, podcasts and e-faxes. If financial services employees are using these modes of communication for business purposes, they must adhere to applicable federal securities and self-regulatory organization rules.
The Financial Industry Regulatory Authority (FINRA) issued final guidance on the proper review and supervision of electronic communications--Regulatory Notice 07-59--in December to help member firms comply with pertinent laws and regulations. While the guidance does not mandate any hard-and-fast rules, it does present principles that member firms should consider when establishing supervisory policies and procedures to ensure the proper handling of such communications.
FINRA recommends that members first determine what guidelines specifically apply to their business models--e.g., size, structure, customer base, product mix, etc.--before establishing and implementing appropriate policies and procedures.
With so many forms of communication available--and new technologies continually being developed--firms must decide what methods are and are not appropriate for their business. FINRA expects its members to have policies and procedures in place to "monitor all electronic communications technology used by the firm and its associated persons to conduct the firm's business." Policies and procedures must be clearly defined and readily available for employees' reference. Employees must understand that they are required to comply during their term of employment and what potential consequences they face for noncompliance.
Meeting FINRA's guidelines for e-communications should not cause companies any significant hardship. The guidelines simply help clarify what constitutes "electronic communications" for regulations firms are likely already following. The bulk of the guidance covers key areas of concern for meeting FINRA rules--which comprise NASD and NYSE rules--and other federal securities laws.
FINRA members must have policies and procedures in place for supervisory review of employees' incoming, outgoing and internal e-communications that fall under specific subject matters requiring review under FINRA rules and federal securities laws.
Depending on individual organizations' business models, administrators may choose to use risk-based principles to meet compliance requirements. When employing such procedures to review electronic communications, FINRA members should consider how to effectively:
- "Flag" e-communications that may indicate or contain customer complaints, problems, errors, orders or other instructions for an account; or demonstrate conduct inconsistent with FINRA rules, federal securities laws and other matters of importance to the member's ability to adequately supervise its business and manage the member's reputational, financial and litigation risk;
- Identify other business areas that may warrant supervisory review; and
- Educate employees to ensure they understand and comply with the organization's policies and procedures pertaining to e-communications.
- Identify the types of correspondence that will be pre- or post-reviewed;
- Identify the organizational position(s) responsible for conducting reviews of the different types of correspondence;
- Monitor the implementation of, and compliance with, procedures for reviewing public correspondence;
- Periodically reevaluate the effectiveness of procedures for reviewing public correspondence and consider any necessary revisions;
- Ensure that all customer complaints, whether received via e-mail or in other written form, are reported to FINRA in compliance with the FINRA reporting requirements;
- Prohibit employees from the use of e-communications unless such communications are subject to supervisory and review procedures; and
- Conduct necessary and appropriate training and education.
Firms must have reasonable policies and procedures for e-communications that require review under FINRA rules and federal securities laws--specifically for the forms of communication they permit employees to use when conducting business with the public. In addition, companies must take reasonable steps to monitor communications for compliance with their clearly defined policies and procedures. If certain modes are prohibited, firms should consider taking technological steps to block or otherwise regulate their external and internal use.
When a firm permits the use of any technology, its system of supervision should be reasonably designed to achieve compliance with applicable laws, rules and regulations.
If a firm allows employees to communicate with customers through Internet e-mail platforms like AOL or Yahoo mail, third-party communication systems such as Bloomberg and Reuters, or through other non-member e-mail addresses, it is required to supervise and retain those communications. FINRA also expects its members to prohibit business communications with the public from employees' personal electronic devices unless they are capable of supervising, receiving and retaining such communications. Members should also consider prohibiting, where appropriate, the use of such devices in certain sensitive locations, where non-public information could be accessed.
Firms may determine the extent to which review of internal communications is necessary in accordance with the supervision of their business. In doing so, they should consider how to detect when information barriers are not working to protect customer or issuer information; how to protect against undue influence on research personnel contrary to FINRA rules; and how to segregate proprietary trading desk activity from all or part of the other operations.
Firms' procedures for review of electronic communications--internal and external--should address the following issues.
- Procedures should clearly identify the person(s) responsible for performing reviews.
- The supervisor/principal must document his or her supervision as required by FINRA.
- A supervisor/principal may delegate certain e-communications' supervisory functions to persons who do not need to be registered. However, the principal remains ultimately responsible for the performance of all necessary supervisory reviews.
- When review functions are delegated, policies and procedures must provide a protocol to escalate regulatory issues to the designated supervisor or other appropriate department.
- All reviewers must have sufficient knowledge, experience and training to adequately perform reviews.
- An individual may not conduct supervisory reviews of his or her own electronic communications unless an organization's size and/or structure is such that it has no other reasonable alternative.
When assessing the effectiveness of a lexicon-based system, firms should consider the following features.
- A meaningful list of phrases or words, including industry jargon, based on the size of the company, its type of business, its customer base and its location--including any branch offices that may require the inclusion of certain foreign language components.
- Ability to add and delete phrases and words on an ongoing basis.
- Ability to review attachments and identify attachments that could circumvent lexicon-based reviews.
- Ability to restrict access to the phrases and/or words that make up the lexicon system.
- Ability to conduct searches that exclude any trailers or disclaimers used by the company, as these standard boilerplates often contain sensitive words--such as "guarantee"--that would flag every e-mail.
Firms should consider complementary review techniques to ensure compliance with all applicable regulatory requirements. While the tracking capabilities of lexicon-based systems have become considerably more sophisticated and effective over the past few years, they are incapable of reading documents or document attachments that are password protected or encrypted.
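As an added example that is not from the article or from any vendor system, the following Python sketch of a lexicon-based review pass illustrates three of the points above: matching multi-word industry phrases, excluding the firm's disclaimer trailer before searching, and escalating password-protected or unparseable ZIP attachments that the lexicon cannot read. The lexicon, trailer, message dict layout and sample archive are all constructed for the example.

```python
# Added example (not the article's or any vendor's code): lexicon review that
# strips the firm's disclaimer before matching and escalates unreadable ZIPs.
import io
import re
import zipfile

# Constructed lexicon and trailer; the trailer contains "guarantee", so it
# must be excluded before matching or every outbound e-mail would be flagged.
LEXICON = ["guarantee", "sure thing", "complaint", "off the books"]
TRAILER = "This message does not constitute a guarantee of any result."

def strip_trailer(body, trailer=TRAILER):
    """Drop the standard disclaimer so its wording cannot produce hits."""
    return body.partition(trailer)[0]

def lexicon_hits(body, lexicon=LEXICON):
    """Lexicon entries present in body, whole-word and case-insensitive."""
    cleaned = strip_trailer(body)
    return [t for t in lexicon
            if re.search(r"\b" + re.escape(t) + r"\b", cleaned, re.IGNORECASE)]

def unreadable_attachments(attachments):
    """Names of ZIP attachments that are password-protected or unparseable."""
    unreadable = []
    for name, data in attachments.items():
        if not name.lower().endswith(".zip"):
            continue  # assumption: only ZIP archives are inspected here
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flag marks an encrypted entry.
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    unreadable.append(name)
        except zipfile.BadZipFile:
            unreadable.append(name)  # cannot parse, so cannot review
    return unreadable

def review(message):
    """Flag decision plus the lexicon hits and the attachments to escalate."""
    hits = lexicon_hits(message["body"])
    blocked = unreadable_attachments(message.get("attachments", {}))
    return {"flagged": bool(hits or blocked), "hits": hits, "escalate": blocked}

def constructed_zip(password_protected=False):
    """Sample ZIP built in memory; optionally mimic a password-protected one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed attachment text")
    data = bytearray(buf.getvalue())
    if password_protected:
        data[data.find(b"PK\x01\x02") + 8] |= 0x1  # central-directory flag byte
    return bytes(data)
```

A real deployment would also record who reviewed each flagged message and when, since opening the message alone is not a sufficient review.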
Firms should incorporate ongoing evaluation procedures to identify and address any loopholes in their supervisory systems. Written procedures should describe any additional reviews that will be conducted when such issues are identified. Companies must also have an understanding of the limitations that automated tools or systems present and should consider what, if any, further supervisory review is necessary.
If FINRA members permit the use and receipt of encrypted e-communications, they must be able to monitor and supervise them and must educate reviewers on how this can be accomplished. In addition, members must be able to review electronic correspondence in all languages in which they conduct business with the public.
The frequency of correspondence review should be related to the type of business conducted; the type of customers involved; the scope of the activities; the geographical location of the activities; the disciplinary record of covered persons; and the volume of the communications subject to review. Firms should prescribe reasonable timeframes within which supervisors are expected to complete their reviews of correspondence, taking into consideration the type of review being conducted and the method of review being used. When determining the reasonableness of such timeframes, members should carefully consider the type of business their firm is conducting and the extent to which a review's usefulness, in the context of that business, is diminished by the passage of time.
FINRA members must document their reviews, whether electronically or on paper, and be able to reasonably demonstrate that such reviews were conducted. The evidence of review should, at a minimum, clearly identify the reviewer, the communication that was reviewed, the date of review and the steps taken as a result of any significant regulatory issues that were identified during the course of the review. Administrators should remind their reviewers that merely opening the communication is not deemed a sufficient review.
There is no question that there are a number of critical factors FINRA-registered firms must consider in managing the flow of electronic communications. However, these tips may help firms better evaluate the best path:
1. Clearly define your firm's policies and make sure they are in line with the technology and devices your employees are relying on to communicate with each other and their clients.
2. Regularly communicate with your employees about your firm's compliance policies. Also make sure you understand what technologies your employees are using and why they are important to daily business activities.
3. Ensure that the technology you deploy to archive and monitor your firm's electronic communications provides built-in workflow tools designed specifically for internal auditors. Make sure you select a system that provides comprehensive management reports that automatically demonstrate compliance with your firm's stated supervisory oversight process.
4. Consider future technologies when determining your firm's policies and the solutions you implement to meet those requirements. Make sure the monitoring and archiving system you use is scalable. In addition to e-mail, your solution should also be able to accommodate e-mail attachments, instant messages and communications sent to and from mobile devices.
5. Don't lose sight of regulations outside the financial services industry. While FINRA members adhere to some of the most stringent regulatory requirements, new guidelines--such as the amendments to the Federal Rules of Civil Procedure--mean that even employees not subject to FINRA requirements should have their e-mails and IMs archived.
Matt Smith is president and chief operating officer of California-based LiveOffice, a provider of hosted e-mail, archiving, compliance and security solutions.