
FINRA and SEC Set Out Supervisory Expectations on Communications Compliance

Written by Susannah Hammond | Jan 24, 2024 5:30:00 PM

2024 isn’t even a month old and already two U.S. regulators have updated their expectations on communications compliance. Firms need to be under no illusions - recordkeeping is, and will remain, a key regulatory focus.


Against a backdrop of $2.6bn+ fines and continuing enforcement action against both firms and individuals, U.S. regulatory expectations on communications compliance are continuing to evolve. Both the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have updated their stance, approach and expectations as to good and better practice when it comes to communications compliance. U.S. firms in all sectors of financial services would be well advised to review and consider the updated supervisory approach.

FINRA Annual Regulatory Oversight Report 

The FINRA annual regulatory oversight report provides a comprehensive assessment of FINRA’s planned approach to supervision in 2024. Digital communications and associated compliance are a thread throughout the report, with ‘off-channel’ communications a key supervisory focus. FINRA has defined the term “off-channel communications” as, in general, referring to business-related messages sent and received through applications on personal devices or through other platforms outside of the member firm’s control, including using personal email, chats, or text-messaging applications for business purposes.

Off-Channel Communications

FINRA uses a risk-based approach to review how firms capture, surveil and maintain business-related communications. Off-channel communications occur on non-firm platforms or devices with an increased risk that they are not maintained and preserved as part of the firm’s books and records.

FINRA has collated helpful observations or effective practices from its risk-based reviews of member firms’ practices related to off-channel communications. Firms may also find it helpful to consider the guiding questions below when assessing whether their supervisory systems and compliance programs are reasonably designed to capture, supervise and maintain off-channel communications. 

Does your firm’s electronic communication policy include:

  • procedures and controls to maintain, preserve and monitor all business-related correspondence by staff, including that which is conducted via off-channel communication methods; 
  • processes and procedures to monitor for new electronic communication channels available to customers and associated persons; and
  • required training and guidance that your firm’s associated persons must complete before they are permitted access to firm-approved electronic communication channels?

How does your firm communicate to its associated persons, and monitor and surveil for compliance with, the prohibition against using unapproved off-channel communication methods for business communications? For example, does your firm surveil:

  • approved communication channels and customer complaints for indicia of communications occurring through off-channel text or encrypted messaging channels (e.g., email chains that copy a registered representative’s email address from an off-channel domain, references in emails to electronic communications that occurred outside firm-approved channels or customer complaints mentioning such communications); and 
  • approved communication channels for signs of underutilization (that could present a red flag that an associated person is utilizing an unapproved channel for business communications)?

What corrective or disciplinary measures has your firm implemented to deter its associated persons from circumventing supervisory controls related to off-channel communications?



FINRA Recordkeeping Obligations Across Modalities 

Firms are subject to a series of minimum requirements with respect to recordkeeping, covering what must be captured, how long those records and other documents must be kept and in what format. FINRA member firms are required to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to, among other things, create and preserve, in an easily accessible place, originals of all communications received and sent relating to their “business as such”.

FINRA has stated that this specifically applies to emails, instant messages, text messages, chat messages and interactive blogs.

FINRA member firms are also required to establish, maintain and enforce written procedures to supervise the types of business in which they engage and the activities of their associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules.

Surveillance of Communications Channels

As part of the overarching approach to regulatory event reporting compliance, firms are expected to ensure that their surveillance of firm-approved communications channels (e.g., email, messaging apps) can identify unreported written customer complaints (by, for example, including complaint-related words in their keyword lexicons, reviewing for unknown email addresses and conducting random email checks).
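The two surveillance heuristics the report describes, detecting a registered representative’s address copied in from an off-channel domain, spotting references to outside channels or unreported complaints via lexicons, and flagging underutilization of the approved channel, can be sketched as review logic over email metadata. This is an added illustration, not code from FINRA, the SEC or Theta Lake; the firm domain, representative names, customer addresses, lexicons and sample messages are all constructed.

```python
from collections import Counter

# Constructed sample data (hypothetical firm, reps, customers and lexicons).
FIRM_DOMAIN = "firm.example"
REGISTERED_REPS = {"jsmith", "apatel", "bchen"}      # local parts of firm addresses
KNOWN_ADDRESSES = {"client@customer.example"}        # customers on record
COMPLAINT_LEXICON = {"complaint", "unauthorized", "misled", "dispute"}
OFF_CHANNEL_LEXICON = {"whatsapp", "text me", "signal", "personal email", "imessage"}

# Constructed sample messages, not real correspondence.
SAMPLE_EMAILS = [
    {"id": 1, "from": "jsmith@firm.example", "to": ["client@customer.example"],
     "cc": ["jsmith@webmail.example"], "body": "Attached is the order confirmation."},
    {"id": 2, "from": "client@customer.example", "to": ["apatel@firm.example"],
     "cc": [], "body": "As we discussed on WhatsApp yesterday, please move the funds."},
    {"id": 3, "from": "someone@unknown.example", "to": ["jsmith@firm.example"],
     "cc": [], "body": "I wish to file a complaint about an unauthorized trade."},
    {"id": 4, "from": "apatel@firm.example", "to": ["client@customer.example"],
     "cc": [], "body": "Here is the prospectus you requested."},
]

def review_email(msg):
    """Return the review flags a single message raises (empty list if clean)."""
    flags = []
    for addr in [msg["from"], *msg["to"], *msg["cc"]]:
        local, dom = addr.lower().split("@", 1)
        if local in REGISTERED_REPS and dom != FIRM_DOMAIN:
            # A registered rep's address copied in from a non-firm (off-channel) domain.
            flags.append(f"rep-off-channel-domain:{addr}")
        elif dom != FIRM_DOMAIN and addr.lower() not in KNOWN_ADDRESSES:
            # An address that is neither the firm's nor a customer on record.
            flags.append(f"unknown-address:{addr}")
    body = msg["body"].lower()
    if any(term in body for term in OFF_CHANNEL_LEXICON):
        flags.append("references-off-channel-comms")   # e.g. "as discussed on WhatsApp"
    if any(term in body for term in COMPLAINT_LEXICON):
        flags.append("possible-unreported-complaint")  # route to the complaints process
    return flags

def underutilized_reps(emails, min_sent):
    """Reps who sent fewer than min_sent messages on the approved channel (a red flag)."""
    sent = Counter(m["from"].split("@")[0] for m in emails
                   if m["from"].endswith("@" + FIRM_DOMAIN))
    return sorted(rep for rep in REGISTERED_REPS if sent[rep] < min_sent)
```

Substring lexicons of this kind are a starting point only; the SEC alert quoted below treats generic search terms as a supervisory failure, so a production lexicon needs to be tuned to the firm’s actual business and reviewed for false negatives.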

Digital Communications

As part of the expected approach to ‘reasonably designed’ procedures with regard to establishing, maintaining and enforcing procedures for supervision of digital communication channels, firms should include:

  • Monitoring of new tools and features: Monitoring new communication channels, apps and features available to associated persons and customers; 
  • Defining and enforcing permissible and prohibited activity: Clearly defining permissible and prohibited digital communication channels, tools and features, and blocking those prohibited channels, tools and features that prevent firms from complying with their recordkeeping requirements; 
  • Supervision: Implementing supervisory review procedures tailored to each digital channel, tool and feature;
  • Video content protocols: Developing WSPs and controls for live-streamed public appearances, scripted presentations or video blogs; 
  • Training: Implementing mandatory training programs prior to providing access to firm-approved digital channels, including expectations for business and personal digital communications and guidance for using all permitted features of each channel; and
  • Disciplinary action: Temporarily suspending or permanently blocking from certain digital channels or features those registered representatives who did not comply with the policies, and requiring them to take additional digital communications training before resuming use.


SEC Focus on Evidence and Supervision

In October 2023, the SEC’s exam priorities focused on a firm’s ability to evidence compliance. 

In January 2024, an SEC risk alert again reiterated the need to capture and review relevant communications and gave more detail on expectations for security-based swap dealers with regard to supervision. Specifically:

"Procedures for review by a supervisor of incoming and outgoing written (including electronic) correspondence with counterparties or potential counterparties and internal written communications relating to the security-based swap dealer's business involving security-based swaps that were not reasonably designed and did not address the types of security-based swap business in which a security-based swap dealer and its associated persons engaged (e.g., failed to account for recorded telephone conversations of associated persons or used generic search terms to identify communications for review);"

Of particular note is that the use of generic search terms as part of a firm’s approach to surveillance would be considered a supervisory failure by the SEC.

AI Deemed an Emerging Risk for 2024  

FINRA has also highlighted artificial intelligence as an emerging risk. The regulator has warned that as member firms continue to consider the use of new technologies, including generative AI tools, they should be mindful of how these technologies may impact compliance with their regulatory obligations. The use of AI tools could implicate virtually every aspect of a member firm’s regulatory obligations, and firms should consider these broad implications before deploying such technologies. FINRA has identified several areas that may require particular focus from firms considering the use of AI, specifically books and records, communications with the public, customer information protection and supervision.

How Theta Lake Can Help 

Backed by the investment arms of Cisco, RingCentral, Salesforce, and Zoom, Theta Lake’s multi-award-winning product suite provides patented compliance and security for modern collaboration platforms, utilizing hundreds of frictionless partner integrations including RingCentral, Webex by Cisco, Microsoft 365 and Teams, Slack, Zoom, Movius, Box, Mural, Asana and more.

Theta Lake empowers organizations to safely, compliantly, and cost-effectively expand their use of unified communication platforms by enabling capture, compliant archives, and acting as an archive connector for existing archives of record across video, voice, and chat collaboration systems. Customers benefit from:

  • Searching instantly across participants, all modes of unified communication and collaboration tools, meshed conversations, and timelines in an easy to navigate search system that covers and provides full replay for voice, video, chat, email, images, emojis, files, whiteboards, and more.
  • Patented AI & ML to detect, surface, and enable actual response for regulatory, privacy, and security risks in an AI assisted review workflow with remediation and patented UCC security control integrations for protection across what is shared, shown, spoken, and typed.
  • The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors and regulators. For example, chat messages can be viewed in their native format over the entire history of the conversation, with full context retained including images, GIFs, emojis and reactions.
  • Theta Lake’s risk and compliance suite provides an advanced security and privacy architecture named STAR3 (Secure in Transit, Access, in Redaction, Remediation, and Removal), which is SOC2 Type II certified with ISO 27001 mapping, PCI DSS certified, 17a-4 and audit trail attested, BAA supported, and undergoes regular penetration testing so our customers, partners, and regulators worldwide are confident in Theta Lake’s data and system security, integrity, and privacy.

Ways to Learn More:

  • Theta Lake’s Digital Communications Governance, Compliance and Security Report 2023/24 can be downloaded here
  • Visit: ThetaLake.com | LinkedIn | X at @thetalake
  • Join a bi-weekly 30-minute demo webinar here or request a bespoke demo today from the friendly Theta Lake team here
  • Keep up to date with regulatory perspectives from Theta Lake here