Exchange Act Rules 17a-3 and 17a-4, as well as FINRA Rule 3110(b)(4) (Review of Correspondence and Internal Communications) and FINRA Rule Series 4510 (Books and Records Requirements) require a firm to, among other things, create and preserve, in an easily accessible place, originals of all communications received and sent relating to its “business as such.” If a firm permits its associated persons to use a particular application—for example, an app-based messaging service or a collaboration platform—the firm must preserve records of business-related communications and supervise the activities and communications of those persons on the application. Firms remain responsible for conducting due diligence to comply with the securities laws and FINRA rules and follow up on red flags of potentially violative activity and may, in some cases, use services provided by the relevant digital channel or third-party vendors.
Noteworthy Examination Findings
FINRA has noted that some firms encountered challenges complying with supervision and recordkeeping requirements for various digital communications tools, technologies and services (collectively, “digital channels”).
- Use of Prohibited Digital Channels – In some instances, firms prohibited the use of texting, messaging, social media or collaboration applications (e.g., WhatsApp, WeChat, Facebook, Slack or HipChat) for business-related communication with customers, but did not maintain a process to reasonably identify and respond to red flags that registered representatives were using impermissible personal digital channel communications in connection with firm business. Red flags could be detected through, for example, customer complaints, representatives’ email, outside business activity reviews or advertising reviews.
- Prohibited Electronic Sales Seminars – Some registered representatives conducted “electronic sales seminars” in a chatroom or on digital channels that were not permitted by their firms and were outside of supervision or recordkeeping programs.
Firms implemented a number of effective practices to manage registered representatives’ use of digital channels.
- Establishing Comprehensive Governance – Some firms maintained governance processes to manage firm decisions and develop compliance processes for each new digital channel, as well as new features of existing channels. Such firms worked closely with their marketing, compliance and information technology departments, as well as their third-party vendors, to monitor the rapidly evolving array of communication methods available to their associated persons and customers.
- Defining and Controlling Permissible Digital Channels – Firms with holistic supervision and record retention programs and policies clearly defined permissible (as well as prohibited) digital channels; blocked prohibited digital channels (or prohibited features of permitted channels); restricted the use of messaging and collaboration apps that limit the firm’s ability to comply with its recordkeeping requirements (such as apps with end-to-end encryption or self-destructing messages); established how permitted communications will be stored in a compliant manner; and implemented supervisory review procedures for communication and recordkeeping that are appropriate for the firm’s business model and tailored to each digital channel.
- Managing Video Content – Some firms implemented WSPs to manage the lifecycle of video content, which could include, for example, live-streamed public appearances, scripted commercials or video blogs.
- Training – Some firms implemented mandatory training programs prior to providing registered representatives access to firm-approved digital channels. The training clarified the firms’ expectations for business and personal digital communications, and assisted personnel with using all permitted features of each channel in a compliant manner.
- Disciplining Misuse of Digital Communications – Some firms temporarily suspended or permanently blocked from certain digital channels those registered representatives who did not comply with the firm’s digital channel policies and required additional digital communications training.
- Regulatory Notice 19-31 (Disclosure Innovations in Advertising and Other Communications with the Public)
- Regulatory Notice 17-18 (Guidance on Social Networking Websites and Business Communications)
- Broker-Dealer Books and Records: New and Amended Recordkeeping Requirements Checklist
- Social Media Topic Page
- Books and Records Topic Page