Financial Institutions May Need to Reconsider Their Approach to Electronic Communication Surveillance
Regulators in both the U.S. and U.K. continue to focus on electronic communication oversight programs as a form of detecting and preventing financial crime and non-compliance within financial organizations. We’ve seen the U.S. Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and the Financial Conduct Authority (FCA) increase their focus on this area over the past two years, and we anticipate this scrutiny will likely increase.
Regulator Enforcement Focus
Recent enforcement actions serve as a reminder that organizations of all sizes need to recognize the importance of and continuously enhance their electronic communications monitoring programs. FINRA fined a large investment company $2M in December 2017, alleging the firm failed to reasonably maintain an email review system and implement adequate procedures. FINRA claimed that the lexicon used to flag emails for review was not reasonably designed to detect certain misconduct, which resulted in millions of problematic emails going undetected over a nine-year period. In addition, FINRA claimed that the firm failed to periodically test the lexicon for effectiveness and did not dedicate enough staff and other resources to the email review process.
The FCA took action in March 2017, fining an investment banker for allegedly sharing confidential client information with a friend via WhatsApp. Although the FCA stated that the information was not misused, just the sharing of the information was grounds for enforcement.
Similarly, the SEC fined an investment bank in June 2018 for allegedly misleading customers about how it handled their orders. The SEC claimed that the firm’s electronic communications review program was not robust enough for the level of risk inherent in the bank’s business, nor was it reasonably designed to prevent and detect false or misleading statements sent to the firm’s customers. The SEC noted that the program included reviews of individual communications to determine whether each was a potential violation of firm policy. However, the SEC alleged that when communications revolving around a specific transaction were reviewed as a group, they collectively contained false and misleading information that was not detected when each was reviewed individually. The SEC also claimed that the firm had too few staff dedicated to electronic reviews, and that only 1% of each group’s communications could be reviewed each day.
The SEC also fined an investment bank $2M in February 2018, alleging that its traders and salespeople made false and misleading statements. In many instances, the SEC alleged, these statements were made via electronic communications such as instant messages and trading platform-based chat programs. An effective electronic communications surveillance program could have detected and prevented this violation.
Last year, the SEC conducted a limited sweep of investment advisers that focused specifically on firm and employee use of electronic communications. Since then, the number of Registered Investment Advisers (RIAs) being examined overall is rising, and electronic communications (as well as documentation around compliance review of electronic communications) have become a more substantial part of the materials requested by the regulator.
Meeting Supervisory Expectations
Traditional policy-based approaches to managing employee use of electronic communications, which historically have limited employees to the exclusive use of corporate email for any business purposes, may no longer be practical. Advisers and their employees want to be able to leverage the wide range of communication methods available to talk to their clients. This includes text, social media platforms such as LinkedIn, trading platform-based chats, mobile applications, and other software services such as Skype. Employees also want to be able to use these same methods to communicate with each other, for example when out of the office or working from home. A general prohibition of these communication platforms may no longer be effective.
Chief Compliance Officers (CCOs) should review compliance policies, procedures, and practices and update the firm’s compliance program as necessary to allow for and appropriately reflect employee use of the whole range of forms of electronic communications being utilized for business purposes. Key areas CCOs may want to consider include:
- Implementing employee questionnaires or attestations – This process can be managed easily through software. CCOs may consider asking employees to disclose any electronic communications methods they are using to conduct firm business. This puts an onus on employees to proactively think about what platforms they are using.
- Archiving all electronic communications – Once a firm decides to permit a broader use of electronic communications for business purposes, it needs to archive any such electronic communications accounts effectively. There are a range of providers who are able to do this for financial institutions.
- Training and educating – Employees should be made aware of the risks that electronic communications pose and reminded that conversations which evolve to discuss business matters should be moved to an approved, archived messaging platform.
- Conducting effective electronic communications reviews – Conducting electronic communications reviews appropriately has never been more important. As the recent enforcement cases highlighted above demonstrate, it’s essential to search for appropriate phrases to identify potential misconduct and develop a program that adequately addresses firm-specific risks. For example, to detect employees seeking to move a conversation to a non-monitored form of communication, the CCO could search for phrases such as “text me,” “on messenger,” or “on gchat.” This type of forensic testing should be done on a regular basis.
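As an added illustration, not part of the original article, the phrase search described above written as a small lexicon-based screen in Python, together with the kind of periodic effectiveness test that the December 2017 FINRA action faulted the firm for omitting. The first three phrases are the article’s; the fourth pattern, the sample messages and their reviewer labels are constructed for this example.

```python
import re

# Lexicon of phrases suggesting an attempt to move business talk off an archived
# channel. The first three phrases are the article's; the last one is an assumption.
OFF_CHANNEL_LEXICON = [
    r"\btext me\b",
    r"\bon messenger\b",
    r"\bon gchat\b",
    r"\bmy (?:cell|personal) (?:phone|email)\b",  # assumed addition
]
# Compile once; the \b boundaries keep "text me" from firing on "text message".
_PATTERNS = [(p, re.compile(p, re.IGNORECASE)) for p in OFF_CHANNEL_LEXICON]

def flag_message(text):
    """Return the lexicon patterns that match one message (empty list = not flagged)."""
    return [p for p, rx in _PATTERNS if rx.search(text)]

def evaluate_lexicon(labelled):
    """Periodic effectiveness test of the lexicon against reviewer-labelled messages.

    `labelled` holds (text, is_problematic) pairs; returns counts, precision, recall
    and the problematic messages the lexicon missed (input for the next lexicon update).
    """
    tp = fp = fn = tn = 0
    missed = []
    for text, is_problematic in labelled:
        hit = bool(flag_message(text))
        if hit and is_problematic:
            tp += 1
        elif hit:
            fp += 1
        elif is_problematic:
            fn += 1
            missed.append(text)
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall, "missed": missed}

# Constructed sample messages with a reviewer's label (True = should be flagged).
SAMPLE_MESSAGES = [
    ("Can you text me the final allocation? Easier than email.", True),
    ("Let's continue this on gchat, it's quicker.", True),
    ("Ping me on messenger about the block trade tonight.", True),
    ("Send it to my personal email so I can read it on the train.", True),
    ("I'll just ping you on Signal later.", True),  # not in the lexicon: a miss
    ("I'll send the revised term sheet through the approved portal.", False),
    ("Text message alerts are now enabled for the desk.", False),
]
```

Running `evaluate_lexicon(SAMPLE_MESSAGES)` reports one miss (the Signal message), which is exactly the gap a periodic test surfaces so the lexicon can be extended before reviewers rely on it.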
Incorporating some or all of these recommendations will go a long way toward demonstrating to the SEC that a firm takes its monitoring of employee electronic communications seriously. As technology evolves and the scope of electronic communications widens, a general prohibition may no longer be enough as a policy.
About the Authors
Sean McKeveny rejoined ACA in September 2014 to support the launch of the Analysis and Review Center (“ARC”) in Pittsburgh. Sean had previously worked as a Compliance Analyst in ACA’s Morristown, New Jersey office. After spending three and a half years in Pittsburgh, Sean returned to Morristown, where, as a Consultant, he oversees select ARC projects, provides support during mock exams, and serves as a practice specialist supporting sales and business development initiatives for ACA’s Business Process Outsourcing segment.
Molly Yakubian is a Senior Principal Consultant at ACA Compliance Group. Molly provides asset managers with various levels of tailored regulatory support services, and ensures that all client policies and procedures are keeping up with the ever-changing regulatory landscape. At ACA, Molly assists advisers in developing and implementing effective email review procedures, leads a team of reviewers trained to identify potential issues in electronic communications, and assists advisers in resolving any potential issues related to such reviews. Previously, Molly worked as part of the compliance team at an accomplished private equity firm in Boston, administering their in-house compliance program. Molly has practical expertise in the day-to-day compliance operations, and seeks to assist her clients in developing, implementing, and maintaining a practical, effective, and comprehensive compliance program.