SEC Encourages Self-Reporting of Recordkeeping Violations Resulting From Employees’ Use of Personal Devices for Business Communications

FINRA’s Focus on Off-Channel Communications

The Financial Industry Regulatory Authority (FINRA) has also brought enforcement actions involving the supervision and retention of off-channel digital communications. FINRA has prioritized the issue for more than 10 years, and the 2021 Report on FINRA’s Examination and Risk Monitoring Program highlighted the importance of firm procedures for review for red flags that may indicate that a registered representative is communicating through unapproved communication channels.

While the FINRA Enforcement Department has generally focused on bringing settled actions against registered representatives for off-channel digital communications, FINRA has brought cases of more limited scope under the same theory as the SEC’s December 17 enforcement action. Retention failures that FINRA views as hindering investigations have resulted in aggravated sanctions — although they have remained low in comparison to the SEC sanctions assessed last month.

The SEC action may embolden FINRA Enforcement in two ways. First, firms may see increased inquiries for off-channel communications in investigations to test retention practices. Second, the size of the fine in the SEC’s recent enforcement action — where there was no readily identifiable customer or market harm — may cause FINRA to consider taking a more aggressive approach in its own sanctions analyses. 

Recordkeeping Requirements

Although the recordkeeping obligations for registrants vary depending on the entity and record type, in general those obligations generally include the following:

• Rule 17a-4 under the Securities Exchange Act of 1934 requires broker-dealers to maintain a broad range of records for a period of not less than six or three years, depending on the category. The rule enumerates many categories of records that are subject to the recordkeeping obligation. For business communications, Rule 17a-4(b)(4) requires that “[o]riginals of all communications received and copies of all communications sent (and any approvals thereof) by the member, broker or dealer (including inter-office memoranda and communications) relating to its business” must be “preserved for a period of not less than three years, the first two years in an easily accessible place.”
• Rule 204-2 under the Investment Advisers Act of 1940 requires registered investment advisers to maintain over a dozen categories of records relating to its advisory business for a period of five years from the end of the fiscal year during which the last entry was made on such record, or three years after termination of the enterprise, depending on the category. With respect to written communications, the Rule generally requires the adviser to maintain the originals of specific categories, such as recommendations or advice, the receipt, disbursement or delivery of funds or securities, the placing or execution or orders, and performance or rate of return for managed accounts, among other items.

SEC Encourages Self-Reporting of Recordkeeping Violations

In connection with the recent December 17 enforcement action, the SEC announced it has commenced additional investigations concerning record preservation practices at financial firms and encouraged firms to self-report to the Division if they believe their practices do not comply with the securities laws. The SEC doesn’t require self-reporting as a general matter, and it has not indicated whether it will offer any form of amnesty or cooperation credit — such as forbearance of or reduced fines — for self-reporting, as it has done in prior self-report initiatives. 

Unlike the SEC, FINRA does require self-reporting where a member has concluded there has been a violation of securities regulations that is widespread, or has potential widespread impact to the member, its customers or the markets, or involves conduct that arises from a material failure of the member’s systems, policies or practices involving numerous customers, multiple errors or significant dollar amounts.

Registrants can consider taking the following proactive steps to address this priority issue for the Division:

• conduct a review of the firm’s policies and procedures related to recordkeeping obligations — specifically focused on allowable and prohibited modes of business-related communications — to determine whether they are reasonably designed to prevent violations of the federal securities laws
• conduct a review of how the firm implements such policies and procedures, assesses compliance and reviews red flags
• conduct a review of employees’ communications to determine whether there are indications that employees are engaged in business communications using unapproved or unpreserved channels and whether those communications are permissible under the firm’s policies and procedures and consistent with statutory requirements
• consider appropriate disciplinary steps for employee infractions related to off-channel communications policies
• provide updated training and a compliance alert reminding employees about the firm’s communications and retention policies
• evaluate the various options for employee devices, including issuing firm devices or allowing employees to use personal devices, based on facts and circumstances specific to the firm; firms with a “bring your own device” practice can consider adopting and implementing a mobile device management solution policy
• discuss with legal counsel whether any identified concerns rise to the level of a securities law violation and whether self-reporting is recommended