For financial services firms, the production of electronic communications records and evidence of message supervision is a big part of FINRA and SEC examinations.
However, there’s confusion about preparation. How do you begin? What types of electronic messages need to be saved for review? What communications policies will regulators want to see? Will you need help from external resources to manage the actual exam process?
Also, many firms can’t always predict when they’ll be examined. They may know the general timing of reviews, but it’s difficult to foretell when regulators will come knocking at the door…which can cause added anxiety.
While audits and exams vary by regulator, company, and exam type, one thing is clear: Regulators now request the production of multiple types of electronic communications records, with supporting compliance program documentation.
Here are some basic steps you can take to help start preparations for the electronic communications data production component of an exam or audit:
- Know what to archive.
The types of messages that regulators request continue to expand every year.According to the Smarsh 2013 Electronics Communications Compliance Survey, 81 percent of firms examined in the past year were asked to produce email records, followed by website pages (41 percent), instant messages (25 percent), Bloomberg/Reuters messages (19 percent) and social media (17 percent). While email is still the most common type of data requested, you can anticipate your firm will be asked to produce an array of electronic communications records, at what can feel like a moment’s notice. Today, it’s the content that counts—not the medium that broadcasts the content. The content is what makes a message a business record, and drives the requirement for content archival.The increased attention on social media records can be daunting, too. For instance, in 2013 FINRA announced social media spot checks for member firms. FINRA can search for and review your firm’s social media pages and posts in your offices during a spot check or an exam. The regulator also stresses the importance of developing social media policies and procedures and checks to ensure firms have these in place. - Know what supporting documentation must accompany your archive records.
The 2013 Electronics Communications Compliance Survey also showed requests for almost every type of supporting documentation related to electronic communications compliance increased, compared to 2012. Among those examined in the previous 12 months, requests for evidence of supervision and written supervisory procedures increased 25 and 11 percent, respectively.The takeaway is that, along with your archive records, your compliance team must be able to show evidence of supervisory systems that monitor your firm’s electronic communications for compliance with corporate policy. It’s not enough to just have the messages available. - Know how to archive
Do you have an archiving solution that lets your firm capture, archive, search, supervise and produce many different types of messages on varying platforms, including email, web, instant messaging, public social media, and enterprise social media? Since regulators can be expected to ask for records of all of these types of communication, simplicity is of the essence for the compliance team.Look for an archiving and compliance solution that can handle the internal and external communications tools your firm uses, and where records can be managed under one platform. The last thing you’ll want to do during an exam is splash around in a sea of records in multiple, disparate archives. - Know why it’s important to archive
A comprehensive archiving solution is the tool that gives your firm the ability to produce data upon request for examiners. As noted above, without an archive you’ll likely have a difficult time finding specific records. What if a regulator asks you to produce Facebook records for two of your reps, from the dates of January 20, 2013 through February 15, 2013—along with all emails exchanged between the reps? Could you find those records quickly, within 24 hours? You’d also have to show the regulators your compliance team supervised these conversations on Facebook and email. It’s not enough to let the data sit in storage; compliance has to review the communication as part of its written supervisory procedures. Regarding supervision, regulators are known to ask for:
- Written supervisory procedures.
Regulators look at how firms retain and capture messages, and the firm’s process for review and evidence of policy enforcement. Written supervisory procedures show regulators what actions your firm takes to identify risk and enforce compliance policy. - Proof of supervision.
Documented records of supervisory procedures—often seen with detailed audit trails—can help demonstrate policy enforcement and evaluation. - Disaster recovery or business continuity plan.
FINRA requires member firms to create and maintain a written business continuity plan identifying procedures related to a potential emergency or significant business disruption. The procedures must be reasonably designed, and enable the firm to meet its existing obligations to customers. The procedures must also address the firm’s existing relationships with other broker-dealers and counter-parties. - Archiving vendor solution contract and/or evidence of services provided.
Regulators may ask for evidence of an electronic communications archiving/supervision system via a vendor contract—to meet requirements for rules SEC 17a-4. The solution must allow for immediate search and production/export of messages requested by a regulator, whether for email, a Facebook post, or an instant message, etc. - Third-party attestation letter.
SEC 17a-4 requires firms to have a letter attesting an independent third-party downloader can provide access to the firm’s electronic records if the firm is unable to do so.
It doesn’t matter if your firm uses email, Facebook, Twitter, instant messaging or even an enterprise social network like Microsoft Yammer or Salesforce Chatter to get work done and communicate. All of these are now fair game for inspection.
- Are Pre-approved Social Media Posts Necessary? - March 24, 2015
- 7 Social Media Risk Management Practices for Mortgage Lenders - October 22, 2014
- Do Regulators Now Have Their Eye on the Mortgage Lending Industry? - October 1, 2014