Theta Lake’s Marc Gilman examines best practices for compliance officers after release of FINRA’s 2024 Annual Regulatory Oversight Report, which introduces new expectations for off-channel communications policies.
The Financial Industry Regulatory Authority published its 2024 Annual Regulatory Oversight Report Jan. 9, summarizing rules, oversight findings, and supplemental resources for member firms to assess and strengthen compliance programs. The report addresses core topics such as financial crime and market integrity as well as new sections on crypto assets and the market access rule.
FINRA’s report includes new guidance on retention and supervision of off-channel communications. The Securities and Exchange Commission and the Commodity Futures Trading Commission have levied over $2.6 billion in fines across more than 40 firms for lapses in communications capture and supervision, in addition to FINRA’s own fines in this area. The topic’s inclusion indicates regulators’ continued, tenacious focus on the issue.
Given this regulatory environment, compliance officers should remain aware of the report’s baseline electronic communications (e-communications) rules and emerging expectations to ensure comprehensive program design and implementation.
To quickly recap the relevant rules for broker-dealers, FINRA-regulated entities are subject to Rules 2210 regarding communications with the public, 3110 on communications supervision, and 4511 related to recordkeeping. Broker-dealers are also subject to SEC Rule 17a-4, which requires retention of communications relating to its business as such, as well as the technical controls for retention described in subsection 17a-4(f).
As a baseline under these rules, any written communications related to firm business such as emails, chats, SMS messages, social media posts, and other ad hoc, person-to-person communications must be captured, retained, and supervised.
In September 2021, FINRA issued guidance on its e-communciations recordkeeping and supervision rules in light of the rapid adoption of collaboration tools such as Zoom, Microsoft Teams, Slack, and Cisco Webex during the pandemic. FINRA’s advertising regulation FAQs were updated to include guidance that collaboration platform features such as polling, Q&A, dynamic charts, whiteboards, and file shares all could be considered business communications invoking compliance requirements.
Additionally, scattered across various public pronouncements and related litigation, FINRA, the SEC, and others have discussed use of emojis in communications and consider them to be regulated content that triggers the e-communications regulatory framework.
FINRA has now introduced new compliance expectations into this regulatory environment, stating it “uses a risk-based approach to review how firms capture, surveil, and maintain business communications.” And it flags the “increased risk” of off-channel communications because they occur on platforms or devices not controlled by a firm.
Several considerations for e-communications supervision include these questions:
- How firms communicate to associated persons, and monitor and surveil for compliance with and prohibition against using unapproved off-channel communication methods for business communications
- If firms supervise approved communication channels and customer complaints for some communications occurring through off-channel text or encrypted messaging channels—e.g., email chains copying a registered representative’s email address from an off-channel domain, references in emails to electronic communications outside firm-approved channels, and so on
- If firms monitor approved communication channels for signs of “underutilization (that could present a red flag that an associated person is utilizing an unapproved channel for business communications)”
- What corrective or disciplinary measures the firm has implemented to “deter its associated persons from circumventing supervisory controls related to off-channel communications”
Collectively, these new questions challenge compliance officers to consider refinements to policies, processes, and technologies used for continued e-communications compliance.
First, policies must unambiguously describe expectations about conducting business communications on platforms that integrate with capture, retention, and supervision processes and outright prohibit off-channel communications. That said, these policy mandates have been table stakes for years, so not much is new here.
It’s clear FINRA’s expectations around supervisory controls are evolving. Specifically, references to off-channel communications in any form, such as platform names and domains, must now be part of routine oversight. Compliance teams must ensure supervisory technologies support the identification of these off-channel allusions.
Practically speaking, compliance teams need to replace brittle lexicon-based methods and enable more accurate and effective identification of potential violations.
While legacy technologies performing pattern matches for WhatsApp may have been sufficient three years ago, compliance teams should seek out modern platforms that are more robust to manage disambiguation and handle errors to align to FINRA’s guidance in the report.
For example, machine learning-based solutions can trigger on typos such as “WhatsUp” for “WhatsApp” or highlight more opaque references to off-channel activity such as “let’s take this offline” as requiring further review. The ability to combine these detections for off-channel communications with presence of emojis, reactions, and more nuanced details about the participants is essential.
FINRA flags platform under-utilization as a key concern. Compliance teams should have robust reconciliation and reporting processes to confirm messages are being ingested and that anomalies are identified and escalated. Compliance technologies must be able to detect meaningful dips in chat or meeting activity and provide dashboards and alerts to ensure compliance teams are aware of these issues.
Finally, compliance teams must be vigilant about how they discipline employees who violate firm off-channel communications policies. A simple warning or note to file will no longer suffice as an acceptable remedy. Consistent with several recently reported scenarios, firms will likely be considering suspension, termination, bonus clawbacks, and other more meaningful personal repercussions for failures to adhere to firm policies.
Cumulatively, compliance teams tasked with managing e-comms and off-channel issues have more specific expectations outlined in the report. Increased vigilance and innovation will keep teams busy in 2024, particularly in deployment of technical processes for dynamically identifying potentially problematic behavior and monitoring conversation volumes.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Marc Gilman is general counsel and vice president of compliance at Theta Lake, and adjunct professor at Fordham University School of Law.
Reproduced with permission. Published Jan 23, 2024. Copyright 2024 Bloomberg Industry Group 800-372-1033. For further use please visit https://www.bloombergindustry.
