NASD and NYSE Request Comment on Proposed Joint Guidance Regarding the Review and Supervision of Electronic Communications
JOINT REQUEST FOR COMMENT
Legal & Compliance
Rule 2210 (Communications with the Public)
Rule 2211 (Institutional Sales Material and Correspondence)
Rule 3010 (Supervision)
Supervision
Supervision of Electronic Communications
Given the pace of technological innovations in electronic communications, and the breadth of possible communications subject to review, NASD and NYSE are issuing this Joint Request for Comment to solicit comments from members and other interested parties on proposed Joint Guidance regarding the review and supervision of electronic communications. The proposed Joint Guidance sets forth principles for members to consider when developing supervisory systems and procedures for electronic communications that are reasonably designed to achieve compliance with applicable federal securities laws and self-regulatory organization rules.
Attachment A sets forth the proposed Joint Guidance on the review and supervision of electronic communications.
Comment on the proposed Joint Guidance. Comments must be received by July 13, 2007. Members and other interested persons can submit their comments using the following methods:
Barbara Z. Sweeney
Office of the Corporate Secretary
1735 K Street, NW
Washington, D.C. 20006-1506
Important Notes: The only comments that will be considered are those submitted pursuant to the methods set forth above (or submitted pursuant to NYSE's stated methods). All comments received by NASD in response to this Joint Request for Comment will be made available to the public on the NASD Web site. Generally, comments will be posted on the NASD Web site one week following the expiration of the comment period.1
Questions concerning this Joint Request for Comment should be directed to Donald K. Lopezi, Deputy Director, Examinations Program, at (202) 728-8132; or Patricia Albrecht, Assistant General Counsel, Office of General Counsel, at (202) 728-8026.
1 See NASD Notice to Members 03-73 (November 2003) (NASD Announces Online Availability of Comments). Personal identifying information, such as names or email addresses, will not be edited from submissions. Submit only information that you wish to make publicly available.
ATTACHMENT A—PROPOSED JOINT GUIDANCE
REVIEW AND SUPERVISION OF ELECTRONIC COMMUNICATIONS
Technological innovations in the area of electronic communications1 have altered how people deliver, receive, and store communications. These innovations have brought, and continue to bring, new challenges to members2 in the establishment of supervisory systems and procedures for electronic communications that are reasonably designed to achieve compliance with applicable federal securities laws and self-regulatory organization rules.3
With these challenges in mind, the NYSE and NASD (the "SROs") are issuing this guidance for members to consider when developing such systems and procedures. In the course of formulating this guidance, the SROs have consulted with industry experts in addition to drawing on their own experience in the area of electronic communication supervision. This guidance does not specifically address every regulatory issue that may arise in connection with the supervision of electronic communications. Further, the SROs recognize that policies and procedures may differ among members depending on their business model (e.g., size, structure, customer base, and product mix).4
At one time, the SROs required that members review all correspondence of their registered representatives pertaining to the solicitation or execution of any securities transactions. In 1998, recognizing that the growing use of electronic communications such as e-mail made adherence to this requirement difficult, the SROs amended their rules to allow members the flexibility to design supervisory review procedures for correspondence with the public that are appropriate to the individual member's business model.5
In considering this Joint Guidance, members generally may decide, by employing risk-based principles, the extent to which the review of electronic communications, both internal and external, is necessary in accordance with the supervision of their business. However, members must have policies and procedures for the review by a supervisor of employees' 6 incoming and outgoing electronic communications that are of a subject matter that requires review under SRO rules and federal securities laws. For example (without limitation):
The growth of electronic communications has raised the need for further interpretative guidance. For ease of use, the guidance that follows is divided into six categories:
The path towards an effective supervisory system starts with clear policies and procedures for the general use and supervision of electronic communications, both internal and external, which are updated to address new technologies. For example, a general electronic communications policy written five years ago may well not include policies to regulate employees' use of technologies such as weblogs14 and podcasting15 to communicate with the public.
From a general procedural perspective, members should provide their employees with the following:
As discussed above, members must have reasonable policies and procedures for the supervisory review of electronic communications that require review under SRO rules16 and federal securities laws. Members may employ risk-based principles to determine the extent to which additional supervisory policies and procedures are required to adequately supervise their business and manage the member's reputational, financial, and litigation risk.
Members also are required to establish policies and procedures regarding the forms of electronic communications that they permit employees to use when conducting business with the public and to take reasonable steps to monitor for compliance with such policies and procedures.
Traditionally, members have limited employees' electronic communications with customers to a member-supplied e-mail address that is connected to the member's communication network. However, as technology has evolved, employees now have a myriad of ways to communicate electronically with the public. To the extent members prohibit certain types of communication media, consideration should be given to taking technological steps to block or otherwise regulate their external and internal use. In particular, members should consider the following options:
Non-Member E-Mail Platforms—Employees have the ability to communicate via e-mail through means other than their member-issued e-mail address by accessing e-mail platforms through the Internet (e.g., through AOL or Yahoo mail) and through third-party communication systems such as Bloomberg and Reuters. If a member permits employees to communicate with customers through these systems or through other non-member e-mail addresses, the member is required to supervise and retain those communications. Some members prohibit, through policies and procedures, employees from accessing non-member e-mail platforms for business purposes, and require employees to certify on an annual or more frequent basis that they are acting consistent with such policies and procedures. Where possible, some members have chosen to block access to these e-mail platforms through their networks. Thus, an employee would be able to access the Internet but not the e-mail functionality. Members utilizing this blocking functionality should periodically conduct tests to ensure that it is functioning as designed or intended.
Similarly, the SROs expect members to prohibit, through policies and procedures, communications with the public for business purposes from employees' own electronic devices unless the member is capable of supervising, receiving, and retaining such communications.17 Absent a prohibition, members should consider requiring pre-approval for the business-related use of any personal electronic communications device. The approval process might require a detailed business justification for using the personal device and an annual re-certification of the approval that includes a re-evaluation of the business justification for its use. In addition, members should consider obtaining agreements from employees authorizing the member to access any such personal electronic communications devices. Members should also consider prohibiting, where appropriate, the use of personal electronic communication devices in certain sensitive firm locations (e.g., where material non-public information could be accessed).
Message Boards—There are various publicly accessible message boards related to the securities industry. Members may consider blocking access by their employees to these message boards18 to prevent them from communicating through these boards for business purposes.
E-Faxes—The use of traditional facsimile machines has started to decline as E-fax software has developed. The SROs view E-faxes as electronic communications and, thus, members should supervise them accordingly.19
As stated above, with the exception of the enumerated areas requiring review by a supervisor, members may decide, employing risk-based principles, the extent to which review of any internal communications is necessary in accordance with the supervision of their business.
Subject to any such specific rule requirement mandating reviews, in reaching a risk-based assessment regarding the review of internal communications, consideration should be given to, for instance: detecting when a member's information barriers are not working to protect customer or issuer information; protecting against undue influence on research personnel contrary to SRO rules; and segregating the member's proprietary trading desk activity from all or part of the other operating areas of the member.20
In addition, members may consider various relevant existing processes, such as:
Members' procedures for review of electronic communications (internal and external) should address the following:
Members should develop review procedures that are both reasonably designed to achieve compliance with applicable securities laws, regulations, and SRO rules and appropriate for their business and structure, consistent with the principles set forth in this Joint Guidance. In addition, members should monitor for compliance with their supervisory procedures' prescribed frequency, timeliness, and quantity parameters.
Regardless of the method utilized, members should alert their reviewers as to the issues to be raised and material to be examined, including acceptable content. For example, members should make reference to the content standards in NYSE Rule 472 and NASD Rule 2210 and provide guidance concerning other applicable areas of concern (e.g., the use of confidential, proprietary, and inside information; anti-money laundering issues; gifts and gratuities; private securities transactions; customer complaints; front-running; and rumor spreading). When reviewing customer complaints, members should look for indicia that a customer has received a communication that is not in conformance with the member's policies and procedures.
In addition, where members permit the use and receipt of encrypted electronic communications, they must be able to monitor and supervise those communications and must educate reviewers on how this can be accomplished. (See "Combination of Lexicon and Random Review of Electronic Correspondence" below.)
Furthermore, members must be able to review electronic correspondence in all languages in which they conduct business with the public. Therefore, if the reviewer is not fluent in the language used in an e-mail, the member should require proper independent interpretation and review (i.e., not by the author/recipient of the correspondence).
Under limited circumstances, members should consider having their legal and/or compliance departments re-review e-mails that have already been reviewed by line supervisors and their delegatees. Re-review might be advisable when specific problems have been identified at a branch office resulting, for instance, in a registered representative becoming the subject of an internal investigation. Members should also consider re-reviewing selected electronic communications as part of their standard branch office inspection program.
Against this background, members may consider the following methods of review:
Members should also consider regular periodic reviews of the lexicon system to determine whether any changes/updates are necessary, such as adding or deleting phrases and/or words. Members should periodically inquire as to the effectiveness of the system, especially if the system is that of a vendor.24 Members are responsible for ensuring that the system utilized is functioning properly. As discussed more fully below, if a member does not have confidence in the effectiveness of its lexicon system, a supplemental random review of electronic communications should be considered.
Members should consider targeted concentrated reviews of employees' e-mails when warranted (e.g., when concerns are raised in connection with regulatory examination findings, internal audits, customer complaints, or regulatory inquiries).
When assessing the effectiveness of a lexicon-based system, members should consider the following features:
As noted above, the SROs are issuing this Joint Guidance to assist members in the establishment and maintenance of supervisory systems for electronic communications that are reasonably designed to achieve compliance with the federal securities laws and self-regulatory organization rules. Members must recognize, however, that this guidance is not all-inclusive and does not represent all areas of inquiry that a member should consider when establishing and maintaining a supervisory system for electronic communications, including any existing and future electronic communications technology that this guidance may not address. In addition, members are advised that this guidance does not serve to establish a safe harbor with respect to potential supervisory or compliance deficiencies.
1 For purposes of this Joint Guidance, "electronic communications," "e-mail," and "electronic correspondence" may be used interchangeably and can include such forms of electronic communications as instant messaging and text messaging. Notwithstanding such use of terminology, as further detailed herein, the manner of application of SRO rules specifically addressing particular communications with the public (see, e.g., NASD Rules 2210 and 2211 and NYSE Rules 342 and 472) will depend on the type of communication.
2 For purposes of this Joint Guidance, the term "member" refers to NYSE member organizations and NASD members.
3 See NYSE Rule 342 (Offices—Approval, Supervision and Control) and NASD Rule 3010 (Supervision).
4 The SROs have fashioned rule provisions that, where appropriate, take into account variations in members' size or business model. See, e.g., NYSE Rules 342.23 (Offices—Approval, Supervision and Control—Internal Controls) and 472(m) (Communications with the Public—Small Firm Exception). See also NASD Rules 3012 (Supervisory Control System) and 2711 (Research Analysts and Research Reports).
5 See NYSE Information Memo 98-3 (January 16, 1998) and NASD Notices to Members 98-11 (January 1998) and 99-03 (January 1999). See also NYSE Rule 342.17 (Offices—Approval, Supervision and Control—Review of Communications with Public) and NASD Rule 3010 (Supervision). Additionally, NASD Rule 2211 (Institutional Sales Material and Correspondence) defines "correspondence" as any written letter or electronic mail message distributed by a member to (1) one or more existing retail customers, and (2) fewer than 25 prospective retail customers within any 30 calendar-day period. Members are not required to approve outgoing "correspondence" prior to use unless the correspondence is sent to 25 or more existing retail customers within a 30 calendar-day period and makes a financial or investment recommendation or otherwise promotes a product or service of the member. NASD Rule 2211 also allows members to adopt supervisory procedures for communications distributed only to certain institutional investors that do not require principal pre-use review and approval. See also SR-NYSE-2007-49 which proposes amendments that would generally exempt from pre-use review and approval correspondence and institutional sales material, as defined.
6 For purposes of NASD rules, the term "employees" includes all associated persons.
7 See NYSE Information Memo 98-3 (January 16, 1998) and NASD Notice to Members 98-11 (January 1998).
8 The SROs recognize that, as appropriate evidence of review, e-mail related to members' investment banking or securities business may be reviewed electronically and the evidence of the review may be recorded electronically (see NYSE Information Memo 98-3 and NASD Notice to Members 98-11).
9 See also NYSE Rule 342 and NASD Rule 3012, requiring implementation of a supervisory control system.
10 See NYSE Rule 351(d) (Reporting Requirements) and NASD Rule 3070(c) (Reporting Requirements).
11 For example, the SROs expect members to prohibit, through policies and procedures, communications with the public from employees' home computers unless the member is capable of supervising and retaining such communications.
12 See NYSE Rules 342.16 and 342.17 (Offices—Approval, Supervision and Control—Supervision of Registered Representatives and Review of Communications with the Public) and NASD Rules 2210 (Communications with the Public) and 2211 (Institutional Sales Material and Correspondence). See also NASD Rule 3010 (Supervision) and NASD Rule 3010(d) (Review of Transactions and Correspondence). (NASD staff notes its intention to propose amendments to Rule 3010(d)(2) to eliminate outdated distinctions between certain hard copy and electronic communications and to reflect this Joint Guidance.)
13 See NASD Rules 2210 and 2211. See also NASD Guide to the Internet for Registered Representatives, available at http://www.nasd.com/RulesRegulation/IssueCenter/Advertising/NASDW_006118. See also NYSE Rule 472(a), which requires pre-approval for any advertisement, market letter, sales literature, communication, or research report that is distributed or made available to a customer or the public by a member.
14 A "weblog" (often referred to as a "blog") is a web-based publication consisting primarily of periodic reports (generally in reverse chronological order). Similar to other media, blogs often focus on particular subjects (e.g., politics) and combine text, images, and links to other blogs, web pages, and other media related topics.
15 "Podcasting" is a method of distributing multimedia files (i.e., audio or video content) over the Internet for playback on mobile devices and personal computers.
16 See Section II, page 1, of this Joint Guidance (page 3 of this Notice).
17 Firms should be aware that pursuant to NYSE Rule 342.10(B) and NASD Rule 3010(g)(2), employees working at their primary residences and relying on the exception from branch office registration cannot use their personal e-mail accounts to communicate with potential or existing customers from such locations; electronic communications from such locations must be made through the member's electronic system consistent with the terms of the exception. See generally NYSE Information Memos 05-74 (October 6, 2005) and 06-13 (March 22, 2006) and NASD Notice to Members 06-12 (March 2006).
18 NASD views message boards as advertisements under NASD Rule 2210, and such board postings must be approved prior to use and in writing by a registered principal. (See "Ask the Analyst About Electronic Communications," NASD Regulatory & Compliance Alert, April 1996.)
19 NASD views E-faxes sent to 25 or more prospective retail customers within a 30 calendar-day period to be sales literature under NASD Rule 2210, and they must be approved prior to use and in writing by a registered principal. NASD also requires principal pre-use approval for E-faxes sent to 25 or more existing retail customers within any 30 calendar-day period that make any financial or investment recommendation or otherwise promote a product or service of the member. See NASD Notice to Members 06-45 (August 2006).
20 See NYSE Information Memo 91-22 (June 28, 1991) and NASD Notice to Members 91-45 (June 1991) (Joint NASD/NYSE Memo on Chinese Wall Policies and Procedures).
22 Cf. NASD Notice to Members 99-03 (January 1999) (allowing unregistered persons who have received sufficient training to review written, non-electronic correspondence).
23 See NYSE Rules 342(b) and 342.13 and NASD Rule 3010.
24 See proposed NYSE Rule 340 (Outsourcing: Due Diligence in the Use of Service Providers) at SR-NYSE-2005-22 and NASD Notice to Members 05-48 (July 2005) (Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers).
25 See NYSE Information Memo No. 98-3 (January 16, 1998).