Top 10 Best Practices for Electronic Communications Compliance

Regulators are increasingly focused on electronic communications and the use of unapproved personal devices. After several firms were fined, other firms have begun questioning whether or not their programs are robust enough to withstand that kind of scrutiny.  

In today’s podcast, Oyster Consulting’s experts Ed Wegener, Candy Palugi and Evan Rosser discuss challenges and best practices around these policies.

Transcript

Transcript provided by TEMI

Libby Hall:  Hi, and welcome to the Oyster Stew podcast. I’m Libby Hall, Director of Communications for Oyster Consulting. Regulators are increasingly focused on electronic communications and the use of unapproved personal devices. After several firms were fined, other firms have begun questioning whether or not their programs are robust enough to withstand that kind of scrutiny.  In today’s podcast, Oyster Consulting’s experts discuss the challenges and offer some best practices around these policies.  Let’s get started.

Ed Wegener:  Well, thank you, Libby, and welcome everyone. I’m Ed Wegner, and I am Managing Director in charge of Governance, Risk and Compliance at Oyster Consulting. I’m sure that you’re all aware that the SEC is in the process of conducting a review of the use of electronic communications and the use of unapproved personal devices. The review has already resulted in very significant fines at a few large investment banks. And this has gotten the attention of compliance professionals who are wondering how their firm’s policies and controls would fare under similar regulatory spotlight. As we’re going to discuss, this is an extremely challenging area for compliance where simply having strong policies and procedures in place isn’t enough.  As we’ll see in these cases that have been brought recently, the real challenge is not just having the policies and procedures, but being able to enforce those policies procedures, and in a lot of cases, prohibitions.  To help me in discussing these challenges and possible solutions, I’m really fortunate to have with me, two of our Oyster consultants, Candy Palugi and Evan Rosser.  Candy has a great deal of experience working with large compliance departments. And Evan has spent a number of years working with FINRA as a regulator. So this conversation will bring both the perspectives of a former regulator and a former compliance professional. So why don’t we dive right in.  Evan, with respect to electronics generally, what do the rules require?

Evan Rosser:  Well, there’s several rules that govern this, and I suppose the baseline rules requiring this capturing retention and supervision of electronic communications are in SEC Rule 17A4, which requires the record keeping and retention of communications. You have FINRA Rule 31-10 for supervision, which requires again capturing and supervision of those communications with customers. And even the advertising rule, FINRA Rule 2210 requires a certain retention and review of communications with the public. And I think a lot of the rules recently reflect this, but communication is any sort of communication. It doesn’t distinguish between electronic or handwritten. I mean, it’s all communications and interpretation of these rules – 17A4, 3110 and  2210. FINRA’s issued quite a bit of guidance around these rules – frequently asked questions and a lot of guidance on how firms should operate.

And a lot of the reason for this guidance is because it’s becoming more difficult to operate in this electronic communication environment.  We have for years now worked pretty well, and gotten our arms around emails, SMS, text messages and other sorts of texting, but there are lots of new platforms. There are lots of new vendors and ways to communicate. The other thing that makes this difficult is the, the 1784 kind of business, which means firms have to keep anything that relates to their business, as such and regulators, be it the SEC or FINRA. And I’m sure the states as well take business such very broadly. They really look at the communications of firm’s associated persons as being for the most part businesses, such that means anything having to do with business. And I would recommend that firms define that in their systems as broadly as the regulators do.

Ed Wegener:  Yeah. I mean, that’s really one of the big challenges.  When we think about the evolution of how communications have happened, back when these rules were originally written, it was very easy to distinguish the types of communications that you had and the associated rules. So you were either talking with somebody in person, talking to them on the telephone, or writing them a letter that you would put a stamp on and send to them through the mail. And that’s changed so drastically since the rules were written. The guidance has really been what they’ve been using to fill in those gaps as the communications get tougher. And the big challenge with business as such is that there is a blurring in the types of communications between personal communications and firm communications.

And I think that causes a lot of the challenges that some of these firms have had and which gives rise to the recent review that the SEC has conducted and some of the lessons that have been learned from these recent cases. And so, if you could help identify some of the key takeaways from these recent cases and what are some of the things that you learned in terms of the difficulties firms have, what regulators expectations are, et cetera.

Evan Rosser:  Well, in some of these cases, first of all, I think the fines themselves are sending a message that in the SEC cases, that the SEC takes this very seriously. These have been very large fines for cases which means you’re not going to get away with the slap on the wrist if you have serious retention email or any kind of electronic communication retention. And in some of these cases, they’re very standard sorts of problems. People, employees, registered associated persons using their personal devices, personal accounts, social media platforms for firm business, and they’re not being captured. And that’s a rather simple one, in the sense, that you must capture these, and you are required to capture no matter where you send them, what platform they’re on. If they’re a firm business, they have to be captured. And some of these other cases also have brought out the fact that this isn’t just a question of – well, I need to keep emails in electronic communications to satisfy supervision.

I need to go through them. Well, there’s a reason you need to go through them. For example, a lot of electronic communications may be advertising, subject to the advertising rule that might be subject to pre-use review, perhaps even pre-use filing with FINRA. There might be in those electronic communications recommendations subject to reg BI in one of the cases from the SEC, when the SEC requested documents for an exam or an investigation, they did not have all the responsive documents because they couldn’t capture them. They didn’t have them all which presents a problem just as far as complying with SEC requests and subpoenas. So this isn’t just a question of capturing these and subjecting them to your routine review. You have to look at these things, because as I said, there are communications that may very well require filing pre-use review. They might implicate rule Reg BI, so it’s important that you capture these. And as I said, the SEC’s sanctions in these cases speak to the seriousness with which they look at violations.

Ed Wegener:  Yeah. It’s clear they were trying to get the attention of firms and compliance departments. And in reading through the language, I was trying to get a sense of what’s really behind just the size of these fines and why is it that the regulators are trying to send this message? And there were a couple of things that I found interesting.  One, first and foremost is these things really seem to be a function of not having policies and procedures. It’s really enforcing those and the regulators early on in providing some of the guidance that you talked about, had said that with respect to this capture, maintain and supervise.  That if you can’t do it with a particular type of communication, you need to prohibit that type of communication, which makes sense, but the challenge is prohibiting something that people want to use.

And it’s enforcing those prohibitions that the SEC really seems to be focused on in these cases.  Especially when they noted in a couple where senior executives were routinely using prohibited types of communications. And in some cases, some of the people who were charged with writing these policies and procedures, and enforcing the policies and procedures, themselves were using prohibited communication methods. And it seems like in addition to being an issue of writing policies and procedures and monitoring, it really came down to  the culture of compliance when you talk about doing this. So I think that too is where the big challenge is because it’s really about changing behavior, or trying to get people to behave in a particular way. And the enforcing of these things is tough when you really don’t know what’s being used and how, and you have to rely on both communicating the policies and procedures and enforcing them in such a way and monitoring.  So that, what’s going on. And Candy, that just kind of gives rise to some of the major challenges that firms have in complying with these rules. Can you maybe talk about, as a compliance professional, some of the challenges that firms face in complying with these difficult regulations?

Candy Palugi (11:36):

Yeah sure, Ed. I think one of the biggest things is that social media platforms, and the different places and types of communication, are ever growing and ever changing. And so that’s probably one of the biggest issues is just keeping up with what’s out there.  Unfortunately, some of us more seasoned compliance officers aren’t up on all of the information of all the new social media platforms and things that are out there now. So it takes a little bit of actual sit down, looking, trying to find what’s out there to really know another thing is I think a lot of firms utilize, bring your own device.  Usage of personal mobile devices, even if that’s just for email and or texting even when it’s prohibited creates a different layer of difficulty in seeing what’s actually on these devices, if they aren’t a part of the firm’s equipment. The other thing is, once you identify the basic apps, the texting happens and things like that, is not having the proper resources or software to capture those communications.

So with that instance, they may be forced to prohibit a lot of things that their staff really would like to use, but because they can’t capture it, the firm can’t allow it.  So if you do that enforcement, you do that prohibition, then you have to figure out how to enforce those prohibitions and make sure that you are not just turning a blind eye to – well, they’re not supposed to be using it and you don’t do anything to really check and see if those rules are being followed. And I think too, that firms haven’t sat down and asked their employees, what kind of social media platforms are you using, or where are you communicating with your clients? I think they might be surprised to hear the answers and the broad variety of places that communication is happening,

Ed Wegener:  You know, that really seems to be the crux of what we’re seeing here. When you look at these cases more often than not, it’s dealing with situations where a firm has prohibited the use of certain types and the fact that they weren’t able to enforce those prohibitions. And really gets to the challenges that you have in enforcing those prohibitions. I think firms think – if I simply prohibit that I’m taking the more conservative approach.  But you actually might be introducing more risk as a result of those prohibitions. So what would you say are some of the major challenges associated with having those types of prohibitions and enforcing them?

Candy Palugi:  Yes. I agree with you, Ed.  You may think you’re taking a conservative approach, but you’re really opening yourself up to more challenges. If it’s something like a text message that everyone uses. So, people are communicating over text and through social media apps all the time.  It’s just a fact, they’re at least doing it in their personal lives. And so clients are doing it and they want to text the advisors. That’s just how they communicate now. So I think at this point in 2022 regulators probably expect that all firms by now should have the ability to capture at least text messages. I know a lot of firms still like to prohibit that, but I think it’s so common at this point, regulators may really look down on that and think that you probably are turning in a blind eye.

If you aren’t capturing text messages by now, the other social media apps present even more of a challenge on how can you capture those, but senior management, as you mentioned earlier too,  sophisticated people, they are communicating often. They participate in a lot of outside activities, nonprofits, things like that. They communicate with a lot of people. And so I think a lot of times they may not even realize that –  Hey, I’m doing these very behaviors that our firm’s not allowing. So I think that’s the challenge.  How do we make sure what we’ve prohibited is not being used? How do we follow up on that? How do we follow through with that?

Ed Wegener:  And I think that gets to what Evan was talking about earlier, which is the blurring line between what is personal communications and what is business related communications. It sounds like it’s fairly a stark difference, but when you’re using your mobile app and you’re communicating with people, the same way that you’re communicating personally, it’s really difficult to be able to segregate how they’re doing, especially where clients are.  They are likely to be the ones initiating these communications.  When we’ve done email reviews and stuff, you’ll see an email that comes through where a rep is going to a client saying – Hey, you texted me. I’m responding to you by email because this is the way, we’re supposed to communicate.  And that’s always a good thing, but how many times are you not catching that type of thing?  In terms of best practices, and maybe I’ll throw this out to the both of you, what are some of the best practices that you’ve either employed or seen employed by firms to address these challenges?

Evan Rosser:

Well, the challenge that I’m seeing now, and I’m working with a few firms on these questions, it’s not just electronic communications with customers or potential customers.  A lot of advisors and reps now want to use what they call ephemeral messaging platforms that are closed systems that don’t really allow for capture and archiving. As a matter of fact, I believe that TikTok prohibited vendors from downloading and archiving their content. Now, I don’t know if that’s still the case, but I know very well that a lot of advisors, a lot of reps will work to make videos, presentations for TikTok, WhatsApp, Signal, WeChat.  And these because they are closed systems are, if not difficult, possibly impossible to capture. And in those instances, if you simply cannot, you can capture them. You can allow their use of the other ones, which is much more mundane, but it’s Zoom, Microsoft Teams ,WebEx.  They are tbeing captured.

And, and I think that’s an issue.  That everyone uses them, but if you’re using them with customers, if you’re using those with prospective customers, those collaboration tools, those white boards screen shares, polls, I think regulators have said likely that is electronic communication.  That needs to be captured and reviewed regularly. So I think the real challenges, as Candy said, there are new platforms all the time.  And I think there are lots of marketings. If you want to capture a niche, if you want to capture a demographic you’re going to use, or you’re going to want to use one of these tools that I am sure they’re going to be.  Some people have no idea if you can capture them. And if you were even allowed to, do you want them to?  That’s the challenge that I’m dealing with right now with firms.

Candy Palugi:  Yeah. And I think, Ed, speaking to best practices, one thing that I’ve seen and that I’ve employed in the past with the firms that I’ve been with is the use of interns.  Especially in the summertime, a lot of firms get interns, whether it’s their employees high school and college age children, or other interns.  But projects like this are good for an intern just to sit down and do a simple internet search and see what’s out there for your employees. It’s very manual. It’s very time consuming. But your staff generally doesn’t have that kind of time to commit to it. And so the use of interns is a good thing. And then the other thing is, I think if you’re prohibiting it, you have to number one, determine can I actually prohibit it? And like I said earlier, I think text messaging, it’s probably impossible to prohibit. It’s just a form of communication as much as the telephone now. And so therefore when you do prohibit things like say a TikTok as Evan mentioned, things that cannot be archived, I think you do have to prohibit those. And then I think you just have to continually train about that have your employees attestations that they understand the rule and continue monitoring it. I think you just have to keep reminders in front of employees that it’s not allowed and ensure that all of your new employees know that.

Evan Rosser:  Yes.

Ed Wegener:  Candy, you mentioned something about the interns and going back to something that you said earlier, is just doing an inventory of what people are using. Evan, you mentioned things are changing so quickly and there’s all these different channels for communicating. And I deal with this here at home with my son and when I was putting together trying to compile a list of the things that I thought I knew were out there and I showed it to him and asked, do you think there’s anything more I can add? He chuckled and said, there’s a lot, you can add <laugh> and that it’s just difficult to keep up with. And as soon as you have your arms around something, by the time you do, it seems like it’s already changed and people have moved on to something new.

So, Evan, to your point, with all these different features of these types of communications, it’s really important to a)know what people are using, and b) know the particulars about those communications. You know, if there’s a communication method that like Snapchat, where it just disappeared after a certain amount of time. You’ve got to know that if you’re using collaboration tools and you’re using it for video conferencing, which might be a video, which arguably night might not need to be captured, but if it has a chat feature associated, which most do, those are clearly written communications, and you should be collecting those. And so, unless all those features, it’s hard to know how you’re going to comply, if you’re going to allow them. And then, if you simply can’t allow them, you have to prohibit, but I would caution against just the knee jerk reaction to be prohibiting these things.

Because at the end of the day, this is how people communicate.  Candy, you mentioned texting and I was talking to some people.  They were saying how these days, that’s typically how people communicate. If they get a phone call, they think there’s a problem because nobody calls me, everybody just texts. Right. So that’s right. If that’s the way everybody’s communicating and you say you can’t do it, I think you’re going to have a very hard time enforcing that. So figuring out how to do it in a compliant way is really key. But if you’re going to have those prohibitions, it’s critical to, like you said, make sure people understand what your policy is, what you prohibit.  Make sure you’re getting them on record, testing and then monitoring.  One great way to monitor is through email reviews, because I’ve seen that often where you’re doing an email review and somebody says – Hey, text me, or let’s take this offline. And those are the kind of things that you need to follow up on. So with respect to the training, you mentioned training, are there key things that you think that people need to be trained on when you’re talking about electronic communications? And again, I’ll throw that to either of you, because I think you both probably have some thoughts.

Evan Rosser:  I think it’s important for people to know, when you conduct training, why you review these communications, the implications, what are you looking for when you review them?  I do know some firms that their review of emails, text electronic communications can be a bit perfunctory, but as you said, I have uncovered problems in reviewing emails that I would not have otherwise known about. So it’s important to let people know why it’s important that these communications are captured and reviewed.  The other thing, you asked me about some of the things we’ve seen in these cases, and I’ve seen this in a lot of cases – Everybody at the firm has a problem, at the highest level of managers and supervisors and executives, are using personal accounts. They’re using platforms that may not be getting captured.

So this isn’t a problem just for the aggressive, new rep who wants to reach out and do a lot of marketing. This is something that is, in some instances, pervasive throughout the firm. So that training needs to let everybody know business as such means everyone who is doing any business on behalf of the firm. So the training needs to focus on those things. I’ve also known too, that it’s tough, because I’ve been speaking to firms lately about some compliance practices, communications, and they’re getting hit with 45-minute videos that they have to review. They’re getting hit with long blog posts that they want to put up on different platforms in different formats. And it is a challenge for compliance, and firms can’t really prohibit it. Certainly they can prohibit certain platforms, but in this new environment, there are going to be videos and PowerPoints and animations that are part of marketing that firms are going to have to get their arms around.

Ed Wegener:  That’s tough.

Candy Palugi:

Yeah. And I think to add to that, one of the main things to train on, which is with any type of communication, is what requires a pre-approval versus what is okay for a post approval. Some things like you mentioned recommendations earlier, Evan, some things that you may want to put on, some of these sites may require pre-approval. And so it’s important for your staff to understand that and know when to come before they actually post this information.

Ed Wegener:

You know, one of the things that was clear in the SEC’s cases is their emphasis on the monitoring aspect. If you’re going to prohibit these things, you can’t just simply prohibit something and then wish for the best.  They expect you to be proactively monitoring for compliance with those prohibitions, which is tough. We’ve seen this in the outside business activity realm where firms will say –  how do we know what we don’t know unless somebody tells us that they’re involved in it? How are we supposed to know? But the regulators say, no, you need to monitor for red flags. And I think the same holds true here. What do you think are some of the keys to effective monitoring for the use of prohibited communication channels?

Evan Rosser:  Well, I think as Candy pointed out, Google individuals every so often to see if their accounts come up.  I’ve done this and it’s quite easy on Facebook. It’s quite easy on Twitter to see if a person has an account.  People have a lot of similar names, but those systems allow you to go in and look for users. But I’m not sure if TikTok allows that. I don’t know if Snapchat and WeChat and others allow people to look to see if they have an account. And then you get into the point you made, there are too many for you to go into 20, 25, 30 accounts for 500 different reps. I mean, that’s hard to do. So I think you certainly, as part of the training, you really need to get attestations from people as to what they’re using, that they understand what they’re not allowed to use.

And to this extent you can go out on the internet and see if anything is coming up for individuals in some of these platforms that you might have prohibited. And even if you don’t prohibit the platform, you may not know what they’re using on that platform. You don’t know what they’re posting there. So you need to go in and check, even Twitter.  Most firms allow Twitter, but they also put limits as to what individuals can say on Twitter.  LinkedIn is the same thing. They can use it, but you have to make sure that they’re staying within the bounds, and I’ve had questions.  We’ll review a piece of marketing, okay. And we’ll allow this piece of marketing, and somebody will say, can I just take this paragraph from the marketing and put it on my LinkedIn or my Twitter account? And I said, well, no, because the piece was approved on the four corners of that piece. And the things that made it reasonable are in that piece, balanced, fair, and reasonable. You can’t take pieces out of it because you might be leaving behind the things that made a balance.  That had all

Ed Wegener:  The disclaimers.

Evan Rosser:  And everything, disclosures. Exactly. So I know it on one hand, it makes sense to say, well, you approved the piece.  I’m going to put it on my LinkedIn or Twitter account or Facebook, but you can’t because the marketing is approved as a whole four corners of the piece are reviewed. And as a whole, it’s okay. You can’t start plucking pieces out of it.

Candy Palugi:  I agree with all of that, Evan. And also you mentioned that earlier about the use of email review, just to see what you don’t know. And I think most of us have found if you’ve ever been involved in email review for a firm, you find out a lot of information in email that you will not otherwise know. Whether it’s something that’s intentionally being withheld, or most of the time, it’s something that an advisor or representative just hasn’t thought about.  Considered – oh, I should be reporting this. So in that instance, I think email review helps here too.  Adding to your lexicon, the names of the social media platforms that you’re aware of, and the phrase let’s take this offline. If you have someone who is maybe intentionally trying to resort to another platform to make these discussions, I think that’s one way that you could try to monitor. And then the use of software companies – outside vendors, third party vendors.   There are several that offer different or varying degrees of what they can provide for you. And perhaps there’s one out there that can take a list of all of your employees. And even if they haven’t disclosed it, if they see an account pop up, they may be able to alert you. Those may be possibilities with the vendors that are out there.

Ed Wegener:  Yeah. There’s a lot of opportunities to work with vendors.

Evan Rosser:  I think that’s a great idea too.  If you have prohibited platforms, to add the names of those platforms to your lexicon.  Because you never know, if somebody writes a customer or someone says, hey, I saw your presentation on TikTok, or I saw your presentation on Instagram.  Or maybe someone says, hey, go look at this, my TikTok presentation, if you have any questions. So, I think that is one reasonable, good faith effort to try to find if people, your associated persons are using prohibited platforms.

Ed Wegener:  You know, one of the hard things, when you talk about this, because we’re talking about behaviors, when you’re trying to enforce a prohibition, it’s about people’s behavior, whether they’re availing themselves of those or prohibitions, or complying with those prohibitions.  And you run a little bit of a fine line because what you want to do is make sure that you’re enforcing those and that there’s consequences if you’re violating the policy.  But you also don’t want people to be so afraid of those consequences that they go to great lengths to hide what they’re doing.  And so, do you have any thoughts in terms of just how to strike that balance between what you should do when you identify non-compliance in a way that’s effective and can help shape the behavior that you’re looking for. But making sure that people understand that there are consequences to not complying.

Evan Rosser:  I suppose it would depend somewhat on the nature of the violation. I think one approach, and I think some firms do this, is you get escalating consequences so that your first violation, you might get a notice, you’ll get a letter. Maybe the second or third though, those consequences keep increasing and I think that’s appropriate and it’s fair. I mean, if you don’t learn after the first one, if you continue to have these problems, you can always require someone to revisit the training, take the piece down.   And then start moving up, ratcheting up the discipline for additional violations in the future.

Candy Palugi:  Yeah, I agree. Absolutely. I agree with all of that, Evan and start out your conversations or your first events, the first time this presents itself with someone.   If they’re not a problematic person already, where you’ve had other issues throughout the firm, I think it’s important to first start out with communicating, just having a conversation. This is what’s happened. Here’s why it can’t happen. Don’t go in with accusations or assuming that something was done intentionally. I think we’ll go a long way. And, as Evan said, revisit the training.  It never hurts to have someone redo training, or something like that. And then have your consequences, escalate from there with other violations.

Ed Wegener:  Absolutely. And, the other thing too is, as we talked about earlier, just that tone at the top.  I think it was pretty significant in these cases where they talked about senior people that were doing it. And so having a conversation with those senior people, really letting them know that they have to model that behavior. And if they’re not if they’re actively not complying with the requirements, it sets the tone, and that’s what people are going to follow. So that’s an important piece too. And I think all of those things are terrific steps that you can take to minimize the risk. I don’t think there’s any fail safe here. And it really comes down to having policies and procedures that are reasonably designed.

And then, making sure you’re taking reasonable efforts to enforce those policies and procedures, and that all is a matter of the totality of everything that you’re doing. And the more that you can show what you’re doing to go beyond just simply prohibiting something, I think will go a long way to helping regulators understand that you’re taking reasonable efforts, understanding that this is a very difficult and challenging problem that firms have. So I really appreciate your thoughts on this. I’m sure there’s going to be more to come, but I really appreciate that. And I want to thank you for your time today.

Libby Hall:  Thanks everyone for listening. If you’d like to learn more about our experts and how Oyster can help your firm visit our website@oysterllc.com. And if you like what you heard today, follow us on whatever platform you listen to and give us a review.  Reviews, make it easier for people to find us.  Have a great day.

eBook

Learn how Oyster Solutions creates an efficient, effective compliance program that protects your firm and provides value.

Download