Electronic Communications Compliance in Light of the SEC’s Sweep

What constitutes an electronic communication under SEC and FINRA rules has evolved beyond the traditional written, person-to-person interaction such as email, says Marc Gilman, general counsel of Theta Lake. Collaboration platforms, modern chat systems, and video marketing apps now trigger many of the same regulatory compliance obligations, he says.

Gurbir Grewal, the Securities and Exchange Commission’s newly minted director of the Enforcement Division, gave a wide-ranging speech in October outlining his views on compliance and touching on topics from Reg BI to electronic communications recordkeeping. A few days later, news broke of the SEC’s horizontal sweep of broker-dealers’ digital communications channels compliance, providing an exclamation point on the director’s presentation.

The persistent business criticality of electronic messaging systems coupled with the SEC’s sweep presents a perfect opportunity to revisit compliance best practices for digital communications. A refresher is also timely given the rapid adoption of new collaboration tools like Zoom, Microsoft Teams, Slack, and Cisco WebEx during the pandemic.

The baseline rules requiring broker-dealers to capture, retain, and supervise electronic communications are found in SEC Rule 17a-4 (recordkeeping and retention in non-rewritable, non-erasable format) as well as FINRA rules 3110 (supervision) and 2210 (communications with the public). FINRA has issued several regulatory notices pertaining to the use of social media and SMS as well as a set of Covid-19 FAQs in April 2020 and updates to advertising FAQs in September 2021, which provide requirements for collaboration and online video.

A key concept to keep top of mind is that only communications pertaining to a broker-dealer’s “business as such” under SEC Rule 17a-4 require retention and oversight. This point can cause confusion when considering the relevance of employee activity on personal devices and messaging systems. However, the SEC and FINRA take a staunch view of this issue: if a communication, regardless of where it takes place, relates to firm business, it must be retained and supervised.

With these regulatory requirements in mind, below are quick summaries of how SEC and FINRA rules apply to various digital communications channels. This overview takes a historical approach to inform how firms should approach e-comms compliance frameworks to best align to regulatory expectations and prepare for the SEC’s sweep.

The Old Guard: Email, SMS, and Legacy Chat

Email has been subject to the recordkeeping requirements of the SEC, FINRA, and essentially every other global financial services regulator for over 20 years. Messages from all firm-issued email accounts must be captured, retained, and supervised. Employees cannot use personal accounts from Gmail, AOL, or Yahoo to conduct business.

Likewise, legacy instant messaging systems such as Skype, Bloomberg, and ICE chat have long been subject to the same compliance controls as email. Finally, rounding out the old guard, SMS and text messaging platforms (including iMessage and Android variants) fall into the regulated category.

Collectively, FINRA and the SEC have issued millions of dollars in fines for the prohibited use of personal email, IM, and chat platforms and related supervision failures. To describe the approach to old guard compliance in a single word: “Weknowdis.”

Recent Arrivals: Social Media and Ephemeral Messaging Systems

The early aughts ascendance of social networking platforms such as Twitter, LinkedIn, and Facebook prompted soul searching from firms and regulators alike on their business value and potential regulation. Based on the three FINRA regulatory notices described above, the use of social media for business purposes falls squarely in the regulated realm.

A caveat here, however, excludes the personal use of social networking platforms to share non-business information like charitable events, job postings, and volunteer activities. FINRA stated that these non-business interactions don’t trigger recordkeeping rules, reminding firms that the content of a communication determines its compliance relevance.

In a similar sphere are “ephemeral” messaging platforms, which in their early incarnation included pre-video Snapchat, and now encompass WhatsApp, Signal, WeChat, and others. While FINRA has been clear that “business as such” communications on these platforms must be captured, retained, and supervised, practical compliance has proven more difficult given the closed nature of these systems, where the ability to capture and archive conversations is limited.

The New, New Things: Collaboration, Modern Chat, and Video Marketing

Finally, collaboration platforms like Zoom, Microsoft Teams, and WebEx, whose use has bloomed during the pandemic, provide new compliance challenges to firms and regulators alike. Collaboration tools build on traditional text-based communications models and incorporate dynamic features like screen sharing, webcams, virtual whiteboards, audio, and file transfers.

Regulators have recently issued guidance mandating the capture, retention, and supervision of many of these features. FINRA’s September 2021 advertising FAQs clarify that, in certain circumstances, screen shares, virtual whiteboards, and polls require either pre-review or post-conversation retention and oversight.

Modern chat platforms like Slack and Microsoft Teams chat fit in here as well, with compliance obligations extending to the animated GIFs, reactions, and emojis shared on them.

Lastly, the growing popularity of visual voice mails and individualized sales videos created on platforms like Vidyard and Kaltura prompted FINRA to include online video compliance obligations in its advertising FAQs.

As is evident from the discussion above, the concept of what constitutes an electronic communication under SEC and FINRA rules has evolved beyond the traditional notion of a written, person-to-person interaction. The visual capabilities of collaboration platforms, dynamic features of modern chat systems, and video marketing applications now trigger many of the same regulatory compliance obligations as the old guard.

As a parting sentiment on the primacy of communications compliance regimes, keep in mind Grewal’s statement on the issue: “A proactive compliance approach requires market participants to not wait for an enforcement action to put in place appropriate policies and procedures to preserve these communications and anticipate these emerging challenges.”

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Marc Gilman is general counsel and vice president of compliance at Theta Lake Inc. He is also an adjunct professor at Fordham University School of Law. Follow him on Twitter: @marcwiki.