FINRA Provides Guidance Regarding the Review and Supervision of Electronic Communications
This Notice was updated on 12/13/07 to reflect non-substantive changes.
|Referenced Rules & Notices
NASD Rule 2210
NASD Rule 2211
NASD Rule 3010
NASD Rule 3110
NYSE Information Memo 98-3
NYSE Information Memo 07-54
NYSE Rule 342
NYSE Rule 410
NYSE Rule 440
Supervision of Electronic Communications
In June 2007, FINRA (then NASD and NYSE Member Regulation)1 issued for comment proposed guidance regarding the review and supervision of electronic communications. FINRA received 16 comment letters, with a majority of commenters supporting the guidance. FINRA is now issuing the final guidance, which is set forth in Attachment A.
Questions concerning this Notice should be directed to:
Background and Discussion
In June 2007, FINRA issued for comment proposed guidance setting forth principles for member firms to consider when developing supervisory systems and procedures for electronic communications that are reasonably designed to achieve compliance with applicable federal securities laws and self-regulatory organization (SRO) rules.2 FINRA received 16 comment letters in response to the proposal.3 After carefully considering these comments, FINRA is now issuing final guidance in substantially the form set forth in the proposal.
A majority of commenters supported the proposed principle-based guidance,4 with many considering it to be balanced, flexible and technologically neutral.5 One commenter further noted that the proposed guidance reflected, in large measure, best practices already integrated within many firms' supervisory practices and procedures.6
Another commenter that favored the principles-based aspect of the proposed guidance nonetheless raised concerns regarding the scope of communications subject to supervision.7 In particular, the commenter disagreed with the classification of text messaging as a form of electronic communication requiring supervision, citing the general inability of firms' electronic surveillance systems to capture text messages. The commenter stated that each firm should be entitled to apply a risk-based principled approach to determine whether communications such as text messaging need to be included in its supervisory system.
FINRA appreciates the supervisory challenges firms face given the ever-increasing pace of change in electronic communications technology. However, as FINRA noted in the context of addressing the supervision and recordkeeping requirements for text messaging, a member firm's obligations to supervise electronic communications are based on the content and audience of the message, rather than the electronic form of the communication.8 Consequently, as indicated in the proposed and final guidance, FINRA expects a firm to have supervisory policies and procedures to monitor all electronic communications technology used by the firm and its associated persons to conduct the firm's business. To that end, a firm should consider, prior to implementing new or different methods of communication, the impact on the firm's supervisory system, particularly any updates or changes to the firm's supervisory policies and procedures that might be necessary.9 In this way, firms can identify and timely address any issues that may accompany the adoption of new electronic communications technologies. Finally, firms are reminded that they have a separate, but equally important, obligation to ensure that their use of electronic communications media enables them to make and keep records, as required by SEC Rules 17a-3 and 17a-4, NASD Rule 3110 and NYSE Rule 440.10
Several commenters questioned whether the proposed guidance imposes new supervision requirements.11 In this regard, one commenter interpreted the guidance as potentially requiring firms to review all internal electronic communications.12 The guidance neither creates new supervisory requirements nor requires the review of every communication. Rather, it sets forth principles that firms should consider in developing supervisory systems and procedures for electronic communications to aid in accomplishing that they are reasonably designed to achieve compliance with applicable federal securities laws and SRO rules. With respect to the review of internal electronic communications, the guidance states that—with the exception of the enumerated areas requiring review by a supervisor—a firm may use risk-based principles, including an examination of existing review processes, to determine the extent to which review of any internal communications is necessary.
Other commenters noted that some firms, especially small firms with limited resources, might find it difficult to implement all aspects of the guidance (e.g., firms with insufficient funds may not be able to purchase lexicon-based or random sampling review programs).13 However, the principles-based guidance generally allows firms the flexibility to design supervisory review procedures for electronic communications that are appropriate to each firm's business model (including whether the manner of review will be automated, manual review or a combination of various methods).
The final guidance regarding the review and supervision of electronic communications is set forth in Attachment A.
1 The Financial Industry Regulatory Authority (FINRA) was created in July 2007 through the consolidation of NASD and the member regulation, enforcement and arbitration functions of the NYSE. The FINRA rulebook currently consists of both NASD Rules and certain NYSE Rules that FINRA has incorporated (Incorporated NYSE Rules).
2See NASD Notice to Members 07-30 (June 2007); NYSE Information Memo 07-54 (June 14, 2007).
3 James L. Harris, Chief Operating Officer, Libertas Capital, Inc. (June 22, 2007) (Libertas Letter); Charles D. Weeden, Managing Partner, 17a-4, LLC (June 27, 2007) (17a-4 Letter); Judith A. Wilson, Compliance Attorney, 1st Global (July 3, 2007) (1st Global Letter); Peter J. Chepucavage, General Counsel, Plexus Consulting (on behalf of the International Association of Small Broker Dealers and Advisors) (July 9, 2007) (IASBDA Letter); Bill Singer (July 10, 2007) (Singer Letter); Robert L. Tuch, Officer and Managing Counsel, Nationwide Financial Services, Inc. (July 11, 2007) (Nationwide Letter); Neville Golvala, Chief Executive Officer, ChoiceTrade (July 11, 2007); Ira D. Hammerman, Senior Managing Director & General Counsel, Securities Industry and Financial Markets Association (July 12, 2007) (SIFMA Letter); Tamara K. Salman, Senior Associate Counsel, Investment Company Institute (July 12, 2007) (ICI Letter); David Cohen, Senior Vice President, Orchestria Corp. (July 13, 2007) (Orchestria Letter); Marleen Scheffy, Chief Compliance Officer, Perlinski & Associates (July 13, 2007); E. Anthony Reguero, Chairman, ACTIONS, Inc. (July 13, 2007) (ACTIONS Letter); Lisa Roth, Chairman, National Association of Independent Broker-Dealers (July 16, 2007) (NAIBD Letter); Jill W. Ostergaard, Managing Director, Morgan Stanley (July 16, 2007) (Morgan Stanley Letter); Robert Pease, Vice President, MessageGate, Inc. (July 20, 2007) (MessageGate Letter); Elaine Mandelbaum, Managing Director & Deputy General Counsel, Citigroup Global Markets, Inc. (July 30, 2007) (CGMI Letter).
4See, e.g., Libertas Letter; IASBDA Letter; Nationwide Letter; SIFMA Letter; ICI Letter; Orchestria Letter; NAIBD Letter; Morgan Stanley Letter; CGMI Letter.
5See, e.g., Nationwide Letter; SIFMA Letter; ICI Letter; Morgan Stanley Letter; CGMI Letter.
6See SIFMA Letter.
7 NAIBD Letter.
8See NASD Notice to Members 03-33 (July 2003) (citing Exchange Act Release No. 37182 (May 9, 1996), 61 FR 24643 (May 15, 1996) (Use of Electronic Media by Broker-Dealers, Transfer Agents, and Investment Advisers for Delivery of Information) and Exchange Act Release No. 38245 (January 31, 1997), 67 FR 6469 (February 12, 1997) (Reporting Requirements for Brokers or Dealers Under the Securities Exchange Act of 1934)).
9See also NASD Notice to Members 05-49 (July 2005) (Safeguarding Confidential Customer Information).
10See NASD Notice to Members 03-33 (July 2003).
11See, e.g., ChoiceTrade Letter; ACTIONS Letter.
12See ACTIONS Letter.
13See IASBDA Letter; Singer Letter; NAIBD Letter.
FINRA Guidance Regarding Review and Supervision of Electronic Communications
Technological innovations in the area of electronic communications1 have altered how people deliver, receive and store communications. These innovations have brought, and continue to bring, new challenges to members2 in the establishment of supervisory systems and procedures for electronic communications that are reasonably designed to achieve compliance with applicable federal securities laws and self-regulatory organization (SRO) rules.3
With these challenges in mind, FINRA is issuing this guidance for members to consider when developing such systems and procedures. This guidance does not specifically address every regulatory issue that may arise in connection with the supervision of electronic communications. Further, FINRA recognizes that policies and procedures may differ among members depending on their business model (e.g., size, structure, customer base and product mix).4
At one time, FINRA (then NASD and NYSE Member Regulation) required that members review all correspondence of their registered representatives pertaining to the solicitation or execution of any securities transactions. In 1998, recognizing that the growing use of electronic communications such as email made adherence to this requirement difficult, FINRA amended its rules to allow members the flexibility to design supervisory review procedures for correspondence with the public that are appropriate to the individual member's business model.5
In considering this guidance, members generally may decide by employing risk-based principles the extent to which the review of incoming, outgoing and internal electronic communications is necessary in accordance with the supervision of their business. However, members must have policies and procedures for the review by a supervisor of employees'6 incoming, outgoing and internal electronic communications that are of a subject matter that require review under FINRA rules and federal securities laws. For example (without limitation):
The growth of electronic communications has raised the need for further interpretative guidance. For ease of use, the guidance that follows is divided into six categories:
The path towards an effective supervisory system starts with clear policies and procedures for the general use and supervision of electronic communications, both internal and external, which are updated to address new technologies. For example, a general electronic communications policy written five years ago may well not include policies to regulate employees' use of technologies such as weblogs14 and podcasting15 to communicate with the public.
From a general procedural perspective, members should provide their employees with the following:
As discussed above, members must have reasonable policies and procedures for the supervisory review of electronic communications that require review under FINRA rules16 and federal securities laws. Members may employ risk-based principles to determine the extent to which additional supervisory policies and procedures are required to adequately supervise their business and manage the member's reputational, financial and litigation risk.
Members also are required to establish policies and procedures regarding the forms of electronic communications that they permit employees to use when conducting business with the public and to take reasonable steps to monitor for compliance with such policies and procedures.
Traditionally, members have limited employees' electronic communications with customers to a member-supplied email address that is connected to the member's communication network. However, as technology has evolved, employees now have a myriad of ways to communicate electronically with the public. To the extent members prohibit certain types of communication media, consideration should be given to taking technological steps to block or otherwise regulate their external and internal use. In particular, members should consider the following options:
Similarly, FINRA expects members to prohibit, through policies and procedures, communications with the public for business purposes from employees' own electronic devices unless the member is capable of supervising, receiving and retaining such communications.17 Absent a prohibition, members should consider requiring pre-approval for the business-related use of any personal electronic communications device. The approval process might require a detailed business justification for using the personal device and an annual re-certification of the approval that includes a re-evaluation of the business justification for its use. In addition, members should consider obtaining agreements from employees authorizing the member to access any such personal electronic communications devices. Members should also consider prohibiting, where appropriate, the use of personal electronic communication devices in certain sensitive firm locations (e.g., where material non-public information could be accessed).
As stated above, with the exception of the enumerated areas requiring review by a supervisor, members may decide, employing risk-based principles, the extent to which review of any internal communications is necessary in accordance with the supervision of their business.
Subject to any such specific rule requirement mandating reviews, in reaching a risk-based assessment regarding the review of internal communications, consideration should be given to, for instance: detecting when a member's information barriers are not working to protect customer or issuer information; protecting against undue influence on research personnel contrary to FINRA rules; and segregating the member's proprietary trading desk activity from all or part of the other operating areas of the member.20
In addition, members may consider various relevant existing processes, such as:
Members' procedures for review of electronic communications (internal and external) should address the following:
Members should develop review procedures that are both reasonably designed to achieve compliance with applicable securities laws, regulations and FINRA rules and appropriate for their business and structure, consistent with the principles set forth in this guidance. In addition, members should monitor for compliance with their supervisory procedures' prescribed frequency, timeliness and quantity parameters.
Regardless of the method utilized, members should alert their reviewers as to the issues to be raised and material to be examined, including acceptable content. For example, members should make reference to the content standards in NYSE Rule 472 and NASD Rule 2210 and provide guidance concerning other applicable areas of concern (e.g., the use of confidential, proprietary and inside information; anti-money laundering issues; gifts and gratuities; private securities transactions; customer complaints; front-running; and rumor spreading). When reviewing customer complaints, members should look for indicia that a customer has received a communication that is not in conformance with the member's policies and procedures.
In addition, where members permit the use and receipt of encrypted electronic communications, they must be able to monitor and supervise those communications and must educate reviewers on how this can be accomplished. (See "Combination of Lexicon and Random Review of Electronic Correspondence" below.)
Furthermore, members must be able to review electronic correspondence in all languages in which they conduct business with the public. Therefore, if the reviewer is not fluent in the language used in an email, the member should require proper independent interpretation and review (i.e., not by the author/recipient of the correspondence).
Under limited circumstances, members should consider having their legal and/or compliance departments re-review emails that have already been reviewed by line supervisors and their delegatees in certain situations. Re-review might be advisable when specific problems have been identified at a branch office resulting, for instance, in a registered representative becoming the subject of an internal investigation. Members should also consider re-reviewing selected electronic communications as part of their standard branch office inspection program.
Against this background, members may consider the following methods of review:
Members should also consider regular periodic reviews of the lexicon system to determine whether any changes/updates are necessary, such as adding or deleting phrases and/or words. Members should periodically inquire as to the effectiveness of the system, especially if the system is that of a vendor.24 Members are responsible for ensuring that the system utilized is functioning properly. As discussed more fully below, if a member does not have confidence in the effectiveness of its lexicon system, a supplemental random review of electronic communications should be considered.
Members should consider targeted concentrated reviews of employees' emails when warranted (e.g., when concerns are raised in connection with regulatory examination findings, internal audits, customer complaints or regulatory inquiries).
When assessing the effectiveness of a lexicon-based system, members should consider the following features:
As noted above, FINRA is issuing this guidance to assist members in the establishment and maintenance of supervisory systems for electronic communications that are reasonably designed to achieve compliance with the federal securities laws and self-regulatory organization rules. Members must recognize, however, that this guidance is not all-inclusive and does not represent all areas of inquiry that a member should consider when establishing and maintaining a supervisory system for electronic communications, including any existing and future electronic communications technology that this guidance may not address. In addition, members are advised that this guidance does not serve to establish a safe harbor with respect to potential supervisory or compliance deficiencies.
1 For purposes of this guidance, "electronic communications," "email" and "electronic correspondence" may be used interchangeably and can include such forms of electronic communications as instant messaging and text messaging. Notwithstanding such use of terminology, as further detailed herein, the manner of application of FINRA rules specifically addressing particular communications with the public (see, e.g., NASD Rules 2210 and 2211 and NYSE Rules 342 and 472) will depend on the type of communication.
2 For purposes of this guidance, the term "member" refers to members of the Financial Industry Regulatory Authority (FINRA), which was created in July 2007 through the consolidation of NASD and NYSE Member Regulation. The FINRA rulebook currently consists of both NASD Rules and certain NYSE Rules that FINRA has incorporated (Incorporated NYSE Rules). The Incorporated NYSE Rules apply solely to dual members of FINRA and the NYSE.
3See NYSE Rule 342 (Offices—Approval, Supervision and Control) and NASD Rule 3010 (Supervision).
4 FINRA has fashioned rule provisions that, where appropriate, take into account variations in members' size or business model. See, e.g., NYSE Rules 342.23 (Offices—Approval, Supervision and Control—Internal Controls) and 472(m) (Communications with the Public —Small Firm Exception). See also NASD Rules 3012 (Supervisory Control System) and 2711 (Research Analysts and Research Reports).
5See NYSE Information Memo 98-3 (January 16, 1998) and NASD Notices to Members 98-11 (January 1998) and 99-03 (January 1999). See also NYSE Rule 342.17 (Offices—Approval, Supervision and Control—Review of Communications with Public) and NASD Rule 3010 (Supervision). Additionally, NASD Rule 2211 (Institutional Sales Material and Correspondence) defines "correspondence" as any written letter or electronic mail message distributed by a member to (1) one or more existing retail customers, and (2) fewer than 25 prospective retail customers within any 30 calendar-day period.
Members are not required to approve outgoing "correspondence" prior to use unless the correspondence is sent to 25 or more existing retail customers within a 30 calendar-day period and makes a financial or investment recommendation or otherwise promotes a product or service of the member. NASD Rule 2211 also allows members to adopt supervisory procedures for communications distributed only to certain institutional investors that do not require principal pre-use review and approval.
6 For purposes of NASD rules, the term "employees" includes all associated persons.
7See NYSE Information Memo 98-3 (January 16, 1998) and NASD Notice to Members 98-11 (January 1998).
8 FINRA recognizes that, as appropriate evidence of review, email related to members' investment banking or securities business may be reviewed electronically and the evidence of the review may be recorded electronically (see NYSE Information Memo 98-3 and NASD Notice to Members 98-11).
9See also NYSE Rule 342 and NASD Rule 3012, requiring implementation of a supervisory control system.
10See NYSE Rule 351(d) (Reporting Requirements) and NASD Rule 3070(c) (Reporting Requirements).
11 For example, FINRA expects members to prohibit, through policies and procedures, communications with the public from employees' home computers unless the member is capable of supervising and retaining such communications.
12See NYSE Rules 342.16 and 342.17 (Offices-Approval, Supervision and Control—Supervision of Registered Representatives and Review of Communications with the Public) and NASD Rules 2210 (Communications with the Public) and 2211 (Institutional Sales Material and Correspondence). See also NASD Rule 3010 (Supervision) and NASD Rule 3010(d) (Review of Transactions and Correspondence). (FINRA staff notes its intention to propose amendments to NASD Rule 3010(d)(2) to eliminate outdated distinctions between certain hard copy and electronic communications and to reflect this guidance.)
13See NASD Rules 2210 and 2211. See also NASD Guide to the Internet for Registered Representatives, available at www.finra.org/RulesRegulation/IssueCenter/Advertising/p006118. See also NYSE Rule 472(a), which requires pre-approval for any advertisement, market letter, sales literature, communication or research report that is distributed or made available to a customer or the public by a member.
14 A "weblog" (often referred to as a "blog") is a web-based publication consisting primarily of periodic reports (generally in reverse chronological order). Similar to other media, blogs often focus on particular subjects (e.g., politics) and combine text, images and links to other blogs, web pages and other media related topics.
15 "Podcasting" is a method of distributing multimedia files (i.e., audio or video content) over the Internet for playback on mobile devices and personal computers.
16See Section II, page 5 of this guidance.
17 Firms should be aware that pursuant to NYSE Rule 342.10(B) and NASD Rule 3010(g)(2), employees working at their primary residences and relying on the exception from branch office registration cannot use their personal email accounts to communicate with potential or existing customers from such locations; electronic communications from such locations must be made through the member's electronic system consistent with the terms of the exception. See generally NYSE Information Memos 05-74 (October 6, 2005) and 06-13 (March 22, 2006) and NASD Notice to Members 06-12 (March 2006).
18 FINRA views message boards as advertisements under NASD Rule 2210, and such board postings must be approved prior to use and in writing by a registered principal. (See "Ask the Analyst About Electronic Communications," NASD Regulatory & Compliance Alert, April 1996.)
19 FINRA views E-faxes sent to 25 or more prospective retail customers within a 30 calendar-day period to be sales literature under NASD Rule 2210, and they must be approved prior to use and in writing by a registered principal. FINRA also requires principal pre-use approval for E-faxes sent to 25 or more existing retail customers within any 30 calendar-day period that make any financial or investment recommendation or otherwise promote a product or service of the member. See NASD Notice to Members 06-45 (August 2006).
20See NYSE Information Memo 91-22 (June 28, 1991) and NASD Notice to Members 91-45 (June 1991) (Joint NASD/NYSE Memo on Chinese Wall Policies and Procedures).
22 Cf. NASD Notice to Members 99-03 (January 1999) (allowing unregistered persons who have received sufficient training to review written, non-electronic correspondence).
23See NYSE Rules 342(b) and 342.13 and NASD Rule 3010.
24 Members that outsource technical support functions related to their electronic review process (e.g., the development and/or implementation of a lexicon system) should carefully pre-evaluate the vendor as well as monitor the effectiveness of such vendor's services on an ongoing basis. See also NASD Notice to Members 05-48 (July 2005) (Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers).
25See NYSE Information Memo 98-3 (January 16, 1998).