Reasonable. How is a US broker-dealer’s compliance manager supposed to interpret that word when it comes to overseeing the firm’s e-mail correspondence?
With some difficulty and much deliberation on quantity and quality, as shown by the Financial Industry Regulatory Authority’s recent US$32,000 fine and censure of Utah-based broker-dealer Wilson-Davis, which specializes in microcap stocks. The broker-dealer watchdog says the firm, a member since 1968, didn’t do the right job monitoring incoming and outgoing emails from January to August 2013.
The case against Wilson-Davis isn’t the first time FINRA has cracked down on broker-dealers for poor e-mail oversight. The fine is also minuscule, likely reflecting the size of the firm and the short time period in question. In 2013 FINRA fined LPL a whopping US$7.5 million for 35 significant failures in e-mail oversight over a five-year period, and in 2017 Raymond James was hit with a US$2 million fine for failures over a nine-year period.
What the fine against Wilson-Davis shows is that broker-dealers aren’t learning their lessons despite FINRA’s continued warnings. They apparently either think they won’t be caught or don’t know what to do.
The goal of reviewing email correspondence is to make certain employees and C-level executives aren’t committing any wrongdoing. Chances are that they might have either confessed to violating a regulation or suggested they will do so through the company e-mail system. Two key examples of red flags: guaranteeing a rate of return and engaging in undisclosed external activities.
FINRA wants broker-dealers to store e-mail correspondence and have written policies and procedures in place about their oversight process appropriate to their size, structure and customers.
Complying with such a requirement isn’t as easy as it sounds, legal experts tell FinOps Report, because there is no one-size-fits-all approach broker-dealers can take in deciding the number of emails they review or the number of words they use to sift through emails received and sent by the firm.
When fining Wilson-Davis, FINRA also doesn’t offer any quantitative guidance. Nor does it specify the required frequency of the review. The regulatory agency just says that Wilson-Davis’s sampling of e-mails during the period in question was “not reasonable.”
Wilson-Davis’ president and chief compliance officer, identified by FINRA only as “JS,” reviewed 100 e-mails every other week during the 2013 timespan. He also picked 24 words to search. Wilson-Davis’ website lists its current president and chief compliance officer as James Snow. Snow’s LinkedIn account also lists his employment at the firm. He did not return calls seeking comment.
It’s left for other compliance managers to interpret what “JS” should have done by reading between the lines of FINRA’s settlement. “The randomly selected messages did not constitute a reasonable amount of the firm’s overall electronic communications and did not take into account the individuals, branch offices, departments or business units generating the correspondence,” says FINRA. Wilson-Davis has only 36 registered representatives and FINRA never quantifies the total number of e-mails that were not reviewed.
When it came to the 24 words Wilson-Davis chose, FINRA says that “they were not comprehensive enough to yield a meaningful sample of flagged communications.” In addition, the Lexicon was not based on an assessment of risk areas, nor was it “reasonably tailored” to the firm’s size, structure and business model. Therefore, the search words resulted in too few e-mails flagged for review or too many in the case of two words.
What does FINRA’s stance mean, practically speaking? Wilson-Davis’ chief compliance officer and president should have reviewed far more emails and more Lexicon words. FINRA also says that Wilson-Davis should have known that the Lexicon review wasn’t good enough based on its results and subsequently tweaked the number or types of words to ensure the right combination.
Given that FINRA offers no quantitative guidance on the percentage of emails to review or the number of Lexicon words to use, compliance managers at US broker-dealers have good reason to worry whether they will be second-guessed by the regulatory agency no matter what they do. Therefore, the best course of action, say legal experts, is to come up with one’s own defensible definition of reasonable.
“FINRA is more concerned about the brokerage firm being able to justify its thought process,” says Glen Barrentine, a regulatory compliance attorney specializing in broker-dealers. What that means is settling on a percentage of emails to search, a frequency of searches and a set of words to be searched that reflect the types of business activities and the responsibilities of the employees involved.
“Employees who conduct portfolio management transactions will need to be more closely overseen than those with administrative functions,” says Bob Frize, a director at New York-based regulatory compliance consultancy Alaric Compliance. “Likewise, employees with access to material non-public information or employees who have previously received write-ups or warnings for misconduct need to have their emails reviewed more frequently.” What about C-level executives? Their emails also need to be more closely monitored than those of other employees.
When it comes to reviewing specific words, the kinds of words are just as important as the number. “Broker-dealer compliance directors need to figure out which words are effective and not randomly select a list of words,” says Marianna Shafir, corporate counsel with Smarsh, a Portland, Oregon-headquartered email archiving, monitoring and documentation firm.
Compliance directors can’t simply use easy words, such as crime or fraud, because employees realize they are being watched and won’t be using obvious words. The problem is that they might talk in code and knowing which phrases to select could require them to seek external help. The specific language might reflect the business activity itself or ethnic makeup of the individuals. “Compliance directors need to come up with a Lexicon to review based on their discussions with business line managers and their other industry peers,” says Shafir. “Compliance directors can also review any regulatory penalties imposed on other firms to see where they failed in their Lexicon words.”
Not only are the right words important, but so are the right phrases, particularly when an employee is trying to game the email monitoring system. “Checking e-mails for phrases such as ‘Let’s take this offline’ or ‘let’s use my personal email’ are red flags that the employee could be engaged in illegal activity,” says Shafir.
Using the right technology to ensure comprehensive and customizable reporting is key to the right compliance program. “Reports are a handy tool to review the number of searches and audit history,” says Shafir. “They should provide a detailed history of how your lexicons interact with messages ingested in your archive.” The vendor, she says, should also have supervisory capabilities to automatically flag emails that contain certain words or phrases likely to warrant review. Regardless of the provider selected, cautions Shafir, broker-dealers alone are responsible for implementing an annual review of e-mails and storing the results. The review can be conducted either internally or through a third-party expert.
What happens if an e-mail review finds suspicious language? In the case of an employee promising investment returns or sharing non-public information, the compliance officer might monitor the customer’s trading activity, says Barrentine. If the employee is engaged in unauthorized outside activities, it’s time for a hard talk with the employee. Deciding what to tell FINRA all depends on the severity of the infraction involved. Minor issues can be handled in-house, while significant ones, particularly those involving theft, must be reported to FINRA and other authorities. Still, deciding when to disclose and what to disclose comes down to a judgment call.
Of course, the brokerage firm does need to make certain it follows its written supervisory procedures (WSPs), tests their effectiveness and changes them when appropriate. Hopefully, it has developed those WSPs. “Wilson-Elser failed on all counts, so FINRA’s decision was a slam-dunk,” says Barrentine. “Not having written policies and procedures was just as bad as doing a slipshod job of reviewing e-mails.”
WSPs need to indicate the methods of review, the frequency and procedures for documenting the reviews. In case employees communicate through third-party systems, such as Bloomberg and Reuters, those communications also need to be reviewed, says Shafir. The WSPs don’t need to quantify a specific percentage or quantity of emails to be reviewed, but if the policies and procedures call for a review of a certain percentage of emails each month, using a lower percentage is a red flag, she warns.
A review of the entire email oversight process should be done if the firm has been sanctioned, fined or is being investigated for any other wrongdoing. “FINRA will be checking into e-mail correspondence to determine whether the firm has violated any other regulations,” says Barrentine. FINRA says that its investigation into Wilson-Davis’ e-mail oversight was prompted by its investigation into one of the firm’s former employees that began in 2014 when FINRA obtained e-mail messages he sent while at the firm.
Even the best e-mail oversight won’t be perfect. While it can hopefully catch bad behavior, it would be ideal if that behavior weren’t present in the first place. One ounce of prevention can go a long way to reducing potential regulatory grief. “Employees need to be trained in what they can and can’t say in an email and how to say what they mean,” says Frize.
That training goes far beyond following a Miss Manners rulebook on when to say please and thank you. “It means knowing that what you say might hit the headline of a major newspaper someday,” says Frize. Looking through a sampling of old emails and reviewing the language used might provide some guidance in determining what should not have been said or what could have been said better, he asserts.
Last but not least, e-mail correspondence needs to be immediately reviewed if the firm has been sanctioned, fined or is being investigated for any other wrongdoing. “FINRA will be checking into email correspondence to determine whether the firm has violated any other regulations,” says Barrentine. FINRA says that its investigation into Wilson-Elser’s email oversight came as the result of an investigation into one of its former representatives that began in October 2014. FINRA obtained email messages he sent and received while at the firm.