NEW YORK (Thomson Reuters Regulatory Intelligence) - In the Financial Industry Regulatory Authority’s (FINRA’s) most recent disciplinary report, a case involving a registered representative’s use of unauthorized electronic communications led to a fine and temporary suspension.
Jermain Phillips of Illinois used his personal email account to correspond with a customer in an attempt to prevent his brokerage firm from discovering emails relating to a customer loan he accepted.
A case of this nature stresses the need for all firms to ensure their supervision and surveillance programs encompass the use of unauthorized electronic communications. It may be impossible to guarantee that firm representatives will not use forbidden communications like personal email for business, but firms can take steps to reduce the risk.
A firm that institutes surveillance techniques, establishes a comprehensive and continuing training program and shifts away from a “bring your own device” policy may be better prepared to identify situations of prohibited electronic communication.
In August, without admitting or denying the findings, Phillips consented to a deferred fine of $10,000 and a suspension from association with any FINRA member in all capacities for five months. The suspension is in effect from August 6, 2018 through January 5, 2019.
During his association with member firms, Phillips accepted two loans from a firm customer totaling $70,000, while according to the firm’s written supervisory procedures its financial advisors may not, under any circumstances, borrow money or securities from clients.
The findings stated that the borrowed funds were withdrawn from the customer’s checking account held at a third-party bank. Phillips never disclosed these loans to his firm. In fact, he used his personal email account to correspond with the customer.
The firm strictly prohibited its registered representatives from using personal email addresses to conduct business and even required all written communication to be approved prior to sending.
Phillips completed two annual compliance certifications, attesting that he had provided a supervisor or delegate with copies of all communications for pre-approval. He also attested that he had not borrowed money from a current or former client.
A firm will never be able to completely stop representatives using prohibited forms of electronic communication with clients, but certain surveillance steps can be taken to alleviate the risk.
Many firms use an automated lexicon system to perform surveillance of communications. The system is often accompanied by a standard list of risky keywords or phrases that may indicate misconduct; however, just like a firm’s policies and procedures, it can be customized.
A firm can therefore enter certain phrases, the names of third-party applications and common acronyms into the system to help identify prohibited communications. Examples of such phrases include “text me,” “let’s take this offline,” “call me on my cell” or “send to my Gmail.”
A firm may also search for the names of other communication platforms such as “WhatsApp” or “Facebook” in representative communications.
Identifying acronyms is also a way to find suspicious conversations that are being taken offline. Examples include “TOL” (talk offline) or “TXT” (text message).
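An added example, not part of the original article or any vendor's product: a minimal lexicon scan in Python over the phrases, platform names and acronyms listed above. The category labels and the sample messages are constructed for illustration.

```python
import re

# Terms come from the article; the category names are assumptions.
LEXICON = {
    "phrase": ["text me", "let's take this offline",
               "call me on my cell", "send to my Gmail"],
    "platform": ["WhatsApp", "Facebook"],
    "acronym": ["TOL", "TXT"],
}

def normalize(text):
    """Fold typographic apostrophes and runs of whitespace so phrases match."""
    text = text.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", text)

def compile_lexicon(lexicon):
    """Build one case-insensitive, whole-word pattern per term."""
    compiled = []
    for category, terms in lexicon.items():
        for term in terms:
            # \b on both sides keeps "TOL" from matching inside "tolerance".
            pattern = re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)
            compiled.append((category, term, pattern))
    return compiled

def scan(message, compiled):
    """Return a sorted list of (category, term) hits for one message."""
    text = normalize(message)
    return sorted({(cat, term) for cat, term, pat in compiled if pat.search(text)})

# Constructed sample messages, not taken from any real case.
SAMPLES = [
    "Happy to discuss. Let\u2019s take this  offline, call me on my cell.",
    "Your risk tolerance form is attached as notes.txt.",
    "TOL? I can send the details on WhatsApp.",
    "Quarterly statement attached for your records.",
]

if __name__ == "__main__":
    compiled = compile_lexicon(LEXICON)
    for msg in SAMPLES:
        print(scan(msg, compiled), "<-", msg)
```

The second sample is flagged only because “TXT” also matches a file extension, so short acronym hits need reviewer triage before they are treated as findings.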
A firm can also block certain websites on business networks and mobile devices. This strategy will make the use of outside or unauthorized electronic communications more difficult. A firm utilizing this blocking functionality should periodically conduct tests to ensure that it is functioning as designed or intended.
Lastly, there are third-party companies that offer software tools that can capture and archive a firm’s incoming, outgoing and internal electronic communications. In many cases this includes social media, mobile messaging and website content.
Training programs can supplement the supervision and surveillance of electronic communication.
All individuals should be trained initially and then on a regular schedule throughout the year. For more complex firms and systems, a monthly or quarterly training session would be recommended.
Training should include the firm’s policy on approved electronic communications. The training should be in an easily understood and accessible format. The awareness training should also include the types of risks and vulnerabilities that an employee might face when using electronic communications. It is also suggested that training include examples of enforcement cases of individuals who were found using prohibited communications, and the consequences.
In addition, a firm may consider including an attestation of understanding when it comes to electronic communication policies. An attestation of certification may not stop malicious intent of an individual as seen in the Phillips case, but it does give an individual the knowledge to do the right thing while exhibiting a firm’s commitment to compliance.
A “bring your own device” (BYOD) policy simply means the firm will allow the use of a personal mobile device, such as a smartphone or tablet computer, to access firm files and data. The BYOD trend became popular as personal smartphones and tablets went mainstream.
Shifting away from a BYOD policy may help combat the use of prohibited methods of communication. A separation of devices would allow the business device to be limited and allow for better tracking. For example, a firm could disable Apple iMessage or Gmail on a work phone.
(Jason Wallace is a senior editor for Thomson Reuters Regulatory Intelligence.)
This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Dec. 10.