2024 isn’t even a month old and already two U.S. regulators have updated their expectations on communications compliance. Firms should be under no illusions: recordkeeping is, and will remain, a key regulatory focus.
Against a backdrop of $2.6bn+ in fines and continuing enforcement action against both firms and individuals, U.S. regulatory expectations on communications compliance are continuing to evolve. Both the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have updated their stance, approach and expectations as to good and better practice when it comes to communications compliance. U.S. firms in all sectors of financial services would be well advised to review and consider the updated supervisory approach.
The FINRA annual regulatory oversight report provides a comprehensive assessment of FINRA’s planned approach to supervision in 2024. Digital communications and associated compliance are a thread throughout the report, with ‘off-channel’ communications a key supervisory focus. FINRA has defined the term “off-channel communications” as, in general, referring to business-related messages sent and received through applications on personal devices or through other platforms outside of the member firm’s control, including using personal email, chats, or text-messaging applications for business purposes.
FINRA uses a risk-based approach to review how firms capture, surveil and maintain business-related communications. Off-channel communications occur on non-firm platforms or devices, with an increased risk that they are not maintained and preserved as part of the firm’s books and records.
FINRA has collated helpful observations or effective practices from its risk-based reviews of member firms’ practices related to off-channel communications. Firms may also find it helpful to consider the guiding questions below when assessing whether their supervisory systems and compliance programs are reasonably designed to capture, supervise and maintain off-channel communications.
Does your firm’s electronic communication policy include:
How does your firm communicate to its associated persons, and monitor and surveil for compliance with, the prohibition against using unapproved off-channel communication methods for business communications? For example, does your firm surveil:
What corrective or disciplinary measures has your firm implemented to deter its associated persons from circumventing supervisory controls related to off-channel communications?
Firms are subject to a series of minimum recordkeeping requirements covering capture, how long records and other documents must be kept, and in what format. FINRA member firms are required to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to, among other things, create and preserve, in an easily accessible place, originals of all communications received and sent relating to their “business as such”.
FINRA has stated that this specifically applies to emails, instant messages, text messages, chat messages and interactive blogs.
FINRA member firms are also required to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules.
As part of the overarching approach to regulatory event reporting compliance, firms are expected to ensure that their surveillance of firm-approved communications channels (e.g., email, messaging apps) can identify unreported written customer complaints (by, for example, including complaint-related words in their keyword lexicons, reviewing for unknown email addresses and conducting random email checks).
As part of the expected approach to ‘reasonably designed’ procedures with regard to establishing, maintaining and enforcing procedures for supervision of digital communication channels, firms should include:
In October 2023, the SEC’s exam priorities focused on a firm’s ability to evidence compliance.
In January 2024, an SEC risk alert reiterated the need to capture and review relevant communications and gave more detail on expectations for security-based swap dealers with regard to supervision. Specifically:
"Procedures for review by a supervisor of incoming and outgoing written (including electronic) correspondence with counterparties or potential counterparties and internal written communications relating to the security-based swap dealer's business involving security-based swaps that were not reasonably designed and did not address the types of security-based swap business in which a security-based swap dealer and its associated persons engaged (e.g., failed to account for recorded telephone conversations of associated persons or used generic search terms to identify communications for review);"
Of particular note is that the use of generic search terms as part of a firm’s approach to surveillance would be considered a supervisory failure by the SEC.
FINRA has also highlighted artificial intelligence as an emerging risk. The regulator has warned that as member firms continue to consider the use of new technologies, including generative AI tools, they should be mindful of how these technologies may impact compliance with their regulatory obligations. The use of AI tools could implicate virtually every aspect of a member firm’s regulatory obligations, and firms should consider these broad implications before deploying such technologies. When considering the use of AI, FINRA has included several areas which may require particular focus from firms, specifically including books and records, communications with the public, customer information protection and supervision.