E-mail Review Oversight Could Result in Severe Sanctions
Posted by Legalease Solutions on 5 Dec, 2019
The Financial Industry Regulatory Authority has been intensifying efforts to crack down strongly on broker-dealers for poor e-mail oversight. In 2013, FINRA fined a financial advisory firm a whopping US$7.5 million for 35 significant failures in e-mail oversight over a five-year period and in 2017 a Broker-Dealer was fined $2 million for failing to properly supervise email messages. FINRA found that during a nine-year review period, the firm’s email review system was significantly flawed, allowing millions of emails to evade meaningful review. This created the unacceptable risk of such misconduct by firm employees going undetected.
What is FINRA’s e-mail oversight mandate?
The 2019 Report on Examination Findings and Observations released by FINRA brings to light the rapidly growing compliance challenges and risks for financial institutions in their increasing use of unified communication and collaboration tools. The report states, "If a firm permits its associated persons to use a particular application — for example, an app-based messaging service or a collaboration platform — the firm must preserve records of business-related communications and supervise the activities and communications of those persons on the application."
Thus, it creates a mandate on broker-dealers to store e-mail correspondence and to form written policies and procedures regarding the e-mail review process considering the establishment’s size, structure, and customers.
What is the purpose of this mandate?
The objective behind email surveillance is to make certain that the employees and C-level executives are not indulging in any transgression. Sometimes employees are found guaranteeing a rate of return and engaging in undisclosed external activities resulting in breach of SEC and FINRA regulations.
Email surveillance provides an opportunity to monitor employees’ adherence to the firm’s written communications policy but email surveillance can also serve as a tool to effectively ensure that they are not indulging in unlawful activities, including insider trading, sharing of proprietary information, distribution of unapproved and non-compliant marketing materials, and potentially fraudulent statements.
What constitutes a red flag in the correspondences?
Since employees would know they are being watched, they are very unlikely to use obvious words. Therefore, compliance directors should prepare a list of words or phrases based on their discussions with business line managers and their other industry peers that they believe could be used by employees to game the email monitoring system.
For instance, checking e-mails for phrases such as “Let’s take this offline or let’s use my personal email’ are red flags that the employee could be engaged in an illegal activity.
What can you do to stay compliant with the FINRA mandates?
The first step to the right compliance program is to use the right technology to ensure comprehensive and customizable reporting. There are some effective regulatory compliance programs in the market that offer Anti-Money Laundering (AML) screening software solutions and email archiving products to securely archive your business emails.
While choosing a service provider caution must be exercised to ensure the vendor has supervisory capabilities to automatically flag emails containing words or phrases that are likely to warrant a review. It is also important to note that regardless of the provider selected, it is the broker-dealers alone who are responsible for implementing an annual review of e-mails and storing the results. The review can be conducted either internally or through a third-party expert.
A review of the entire email oversight process should be done if the firm has been sanctioned, fined or being investigated for any other wrongdoing. FINRA will be checking into e-mail correspondence to determine whether the firm has violated any other regulations.
Best Practices Guide for Email Surveillance
Here’s a checklist to ensure you are on the right side of regulatory compliances:
- Policy Requirement: It is vital to develop a policy that requires business communications to be transmitted only through approved devices or through emails as opposed to text messages or social media platforms. It must strictly prohibit the use of personal email accounts for business purposes.
- Frequency: Weekly reviews should be conducted to ensure compliance with email review procedures.
- Sample Size: There is no proscribed number of emails to be reviewed, however, email sample sizes generally range between 3% – 5% of all emails.
- Keywords: List of keywords and key-phrases should be periodically reviewed as the business changes or new risks emerge. The configuration and effectiveness of your lexicon-based email surveillance system also needs to be regularly tested.
- Recordkeeping: Emails must be captured and retained for a period of not less than five years pursuant to the SEC’s recordkeeping requirement.
- Documentation of Reviews: Email reviews should be documented to indicate the number of emails reviewed, the number of emails flagged for further review, the number of emails that resulted in a violation of the written communications policy or other company policy, and how issues were resolved. Email retention software should be capable of producing reports documenting email reviews. Regulators will focus on two aspects of your email system: the quality of your archiving software, and your surveillance process.
LegalEase Solutions offers corporate legal departments and law firms innovative support with Regulatory Compliance, Contract Lifecycle Management, Legal Analytics and more. Our email review services have saved financial companies 120 hours and resulted in 60% cost savings, not to mention the additional mind space, to focus on other compliance policies. Our team is designed to function as an extension to your legal practice/department, providing you the capabilities and resources to stay up to date with your needs. If you have a project you need a hand with, feel free to reach out to us at firstname.lastname@example.org. Our team is happy to assist.