The U.S. National Futures Association (NFA) has issued two fines both for failing to comply with communication recordkeeping obligations. 

An ‘unrealistic’ approach to communications compliance

A U.S. introducing broker and swap dealer was fined $140,000 in October for failing to capture the required oral pre-trade communications under relevant Commodity Futures Trading Commission and NFA regulations. While the firm was aware that its traders communicated with customers over the phone, it was claimed that these conversations were limited to market recaps, general market commentary and current economic events and ‘never consisted of quotes, solicitations, bids, offers or trade instructions’. The firm’s policy was for the traders to conduct any trade-related discussion via chat or electronic messaging to ensure the firm captured and retained those communication records.  The stated opinion of the NFA was that the firm’s expectation that traders would limit their phone discussions with customers to only general market-related matters was ‘unrealistic’. Further the firm was deemed to have utilized a ‘deficient procedure’ by instructing traders to move their discussions to a chat or other written medium once they led to pre-trade negotiations.

Additional recordkeeping failures were found as adequate oversight of the capture and retention of chat messages was lacking.  The firm did not have proper reconciliation controls in place to determine when messages were not properly captured and delivered to its messaging archive. In the opinion of the NFA, the firm should have ‘discovered the missing chat messages sooner’.  

Unrecorded personal cell phones

A UK introducing broker was fined $140,000 in November for failing to maintain all oral communication records due to its broker's use of unrecorded personal cell phones. While the NFA was attempting to reconstruct trades, the firm was unable to provide the required details surrounding pricing and interest in the trade due to the conversations being on an unrecorded personal cell phone. The NFA asked the firm to determine how widespread unrecorded cell phone usage was across all brokers and desks. The firm reported that for one desk about 25% of its trading activity was on unrecorded personal cell phones.

A failure to review 3.5m emails

In November, the Financial Industry Regulatory Authority (FINRA) fined a firm $600,000 for failing to establish and maintain a supervisory system, including written procedures, reasonably designed to achieve compliance with the firm's obligation to review correspondence and internal communications. As a result, the firm failed to review approximately 3.5 million emails related to 691 employee email accounts. It was found that the firm often failed to place the email accounts for its new employees into the electronic queue it established for email review. The firm's written procedures failed to set out the necessary steps to add accounts to the review queue, identify the departments or personnel responsible for those steps, or identify any requirements for when the steps should be taken. Due to the lack of reasonable written procedures, there were miscommunications between multiple departments about whether the email accounts had been placed into the queue and misunderstandings about which department was responsible for carrying out particular steps required to place an account into the queue. 

The firm also failed to maintain a reasonable system to verify that new employees' email accounts were being placed into the firm's electronic queue for review. Rather, the firm relied on an ad hoc and occasional practice of manually comparing a list of new hires with the names of the employees whose email accounts had been placed into the electronic queue. This practice was ‘not reasonable’ given the volume of employees the firm onboarded during the relevant period. 

In addition, the firm failed to reasonably investigate and address red flags that employee email accounts were missing from the review queue. Further, the firm did not reasonably investigate why the email accounts were missing and whether any other email accounts were missing until after FINRA commenced its investigation.

Revisiting communications compliance

The regulatory scrutiny and focus on all aspects of communications compliance continues unabated and firms need to consider their response. Theta Lake’s annual survey report found that the vast majority of financial services firms are revisiting their approach to communications compliance with only 6% being confident in their approach. Specifically, firms need to consider how to facilitate, and to be able to evidence, compliant communications. Reconciliation and oversight of workflows and other processes related to supervision must be part of any re-assessment of communications compliance.  There are clear regulatory expectations around capture, but firms also need to extend their strategic reassessment into the technical and administrative controls needed for ongoing monitoring and validation of technology and compliance practices.

In the current regulatory climate, if firms choose to do nothing and unmonitored or unsupervised communications are found by a regulatory body then significantly larger sanctions are likely. Indeed given the recent regulatory rhetoric it is entirely possible that future sanctions will include senior individual liability and accountability.

How Theta Lake can help and ways to learn more

Backed by the investment arms of Cisco, RingCentral, Salesforce, and Zoom, Theta Lake’s multi-award winning product suite provides patented compliance and security for modern collaboration platforms, utilizing hundreds of frictionless partner integrations including RingCentral, Webex by Cisco, Microsoft 365 and Teams, Slack, Zoom, Movius, Box, Mural, Asana and more. 

Theta Lake empowers organizations to safely, compliantly, and cost-effectively expand their use of unified communication platforms by enabling capture, compliant archives, and acting as an archive connector for existing archives of record across video, voice, and chat collaboration systems. Customers benefit from:

• Searching instantly across participants, all modes of unified communication and collaboration tools, meshed conversations, and timelines in an easy to navigate search system that covers and provides full replay for voice, video, chat, email, images, emojis, files, whiteboards, and more.
• Patented AI & ML to detect, surface, and enable actual response for regulatory, privacy, and security risks in an AI assisted review workflow with remediation and patented UCC security control integrations for protection across what is shared, shown, spoken, and typed.
• The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors and regulators. For example, chat messages can be viewed in their native format over the entire history of the conversation, with full context retained including images, GIFs, emojis and reactions.
• Theta Lake’s risk and compliance suite provides an advanced security and privacy architecture named STAR³ (Secure in Transit, Access, in Redaction, Remediation, and Removal), which is  SOC2 Type II certified with ISO 27001 mapping, PCI DSS certified, 17a-4 and audit trail attested, BAA supported, and undergoes regular penetration testing so our customers, partners, and regulators worldwide are confident in That Lake’s data and system security, integrity, and privacy. 

Ways to learn more:

• Theta Lake’s Digital Communications Governance, Compliance and Security Report 2023/24 can be downloaded here
• Visit: ThetaLake.com | LinkedIn | X at @thetalake
• Join a weekly 30-minute demo webinar here or request a bespoke demo today from the  friendly Theta Lake team here
• Keep up to date with regulatory perspectives from Theta Lake here