Spooky Season Is Upon Us: Regulators Crack Down on E-Comms Retention Failures
With spooky season upon us, here is the recent regulatory update. Happy Halloween!
Failure to retain audio recording
The CFTC fined a New York-based Delaware corporation for failing to maintain audio recordings. As a registered introducing broker, the firm was required to make and keep audio recordings for at least one year.
This failure occurred when the firm moved offices and its audio recording system was improperly installed by an external vendor. This resulted in inconsistent and incomplete recordings of audio calls for 25 days.
Unrecorded calls included oral communications provided or received concerning quotes, solicitations, bids, offers, instructions, trading, and/or prices that led to the execution of a transaction in a commodity interest and/or related cash or forward transactions.
Only after the firm failed to find a specific recording did it realize that there was an error. Once the issue was discovered, the firm promptly took steps to remediate the problem.
The firm is required to pay a $500,000 civil monetary penalty and to cease and desist from any further violation of the CEA and CFTC regulations as charged.
“Proper recordkeeping is vital to protecting our markets and market participants from fraud and manipulation,” said CFTC Acting Division of Enforcement Director Gretchen Lowe. “This case serves as another example of the Commission’s intent to vigorously enforce the recordkeeping obligations of its registrants.”
Misuse of unapproved applications
A firm was fined $450,000 for failing to preserve and maintain certain securities-related business communications sent and received by its representatives (CEO, AMLCO and FINOP). This is in violation of:
- Section 17(a) of the Securities Exchange Act of 1934
- Exchange Act Rule 17a-4(b)(4)
- FINRA Rules 4511 and 2010
Specifically, the firm’s registered representatives used the instant messaging service, WeChat, to communicate with each other and another FINRA member firm (Firm B) regarding securities-related firm business.
The registered representatives also used their personal email addresses to discuss securities-related firm business with Firm B. In addition, one of the firm’s registered representatives used a non-firm email address that Company A provided to him to communicate with Firm B.
The emails and instant messages with Firm B concerned the referral of prospective investors in Company A’s initial public offering to Firm B, and included emails containing applications for the investors to open new accounts at Firm B.
The firm was aware of these communications but took no steps to preserve them. In addition, the firm failed to establish and implement an anti-money laundering (AML) compliance program reasonably designed to detect and report suspicious activity.
Another firm terminated a representative for violating the firm’s policies regarding his unapproved use of text messaging and for soliciting equity transactions without a Series 7. In connection with its investigation into the circumstances giving rise to the Form U5 filed by the firm, FINRA sent a request to the representative to produce information and documents pursuant to FINRA Rule 8210.
As stated during a phone call with FINRA on August 3, 2022, the representative refused to produce the requested information and therefore violated FINRA Rules 8210 and 2010. He consented to be barred from associating with any FINRA member in all capacities.
In a separate case, another representative was fined $5,000 and suspended for 30 days for using WhatsApp to communicate with customers. While associated with the firm, the representative used WhatsApp to communicate with a firm customer about securities-related business.
These communications were not preserved as required by:
- Section 17(a) of the Securities Exchange Act of 1934 (the Exchange Act)
- Rule 17a-4(b)(4)
By causing the firm to maintain incomplete books and records, the rep violated FINRA Rules 4511 and 2010.
The takeaway:
The above penalties indicate a considerable uptick in recent record retention violations. Regulators are focused on ensuring that firms are retaining and monitoring business communications, including any business-related texts and chat applications on personal devices.
As the pandemic and other factors accelerated the use of electronic communications in the workforce, it’s critical that companies make an effort to keep up with advancing technology and the new messaging, audio, and video applications.
Record retention fines go beyond emails now. They're also being handed out for collaboration applications, including chat systems, audio, ephemeral messages, and videoconferencing platforms with features like polls, virtual whiteboards, file transfers and tools like animated GIFs and reactions. The regulatory message is clear when it comes to electronic communications – firms must ensure their recordkeeping and supervision processes and controls are keeping pace.
FINRA has issued guidance on several topics related to electronic communications. FINRA’s advertising regulation FAQ advised that even a virtual whiteboard presented in an online meeting will in some cases need to be retained and archived as a "communication." Whether a communication should be retained does not depend on the device or platform used but rather on the content and context.
“Firms need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps,” says Gurbir S. Grewal, Director of the Division of Enforcement at the SEC.
Many companies have banned the use of texting, messaging, social media or collaboration applications for business-related communications. In particular, ephemeral messaging applications (e.g., Telegram, WhatsApp, Snapchat) that automatically delete messages after a certain period has passed can prevent businesses from properly preserving the communication and lead to regulatory compliance problems.
The above enforcement cases are examples of prohibition policies failing to work. Even if firms prohibit the use of messaging applications, they cannot ignore their employees' use of prohibited platforms.
Companies are required to monitor for compliance to mitigate the risk of recordkeeping violations. Firms must develop and maintain policies and procedures reasonably designed to prevent and detect violations by their employees.
There is no way of predicting which conversations will be relevant, and firms must be prepared for regulatory inquiries. That calls for implementing versatile supervision and surveillance tools that automatically capture and archive electronic communications data, while allowing compliance officers to search for crucial conversations in their proper context.
There are solutions available to retain and supervise your firm’s business communications. Firms should enlist a third-party provider to assist with the retention of channels such as audio and ephemeral messaging applications such as WhatsApp. Third-party provider solutions can be installed on an individual’s cell phone to automatically capture instant messages, including those sent via WhatsApp, and send those records to the firm archive.
The recent investigations signal that firms should anticipate similar examinations and should consider whether they are complying with regulatory retention obligations.