How Broker-Dealers Can Evaluate Their Supervision Of Personal Device Use
New Year, old problem
Posted on 03-01-2021
Many companies that transitioned to a work-from-home environment in the early spring of 2020 may have reasonably anticipated a return to the normalcy of in-office operations by the end of the year. Yet as the New Year commences, remote work has become the new normal and firms can expect this arrangement to continue through the first quarter of the year, if not longer. While working from home poses challenges for all businesses, it poses unique concerns to broker-dealers whose associated persons are conducting business from their homes. Broker-dealers must remain keenly attuned to the risks posed by work-from-home arrangements, including specifically the risk that registered representatives and other associated persons use their personal devices or other unapproved and unmonitored channels to communicate with clients and conduct business.
The use of personal devices by associated persons to conduct business creates significant supervisory challenges. Firms that have changed their processes and procedures this year to account for the remote work environment should ensure that they have designed supervision and surveillance systems to monitor for personal device use, are addressing personal device use in their policies and procedures, including any changes implemented during this work-from-home time, and are conducting focused training on the issue. Regulators are likely to look closely at how firms supervised to ensure that their associated persons did not use unapproved and unmonitored communications channels while working from home. Accordingly, while broker-dealers may well have focused attention on this issue at the onset of the Covid-19 pandemic, the onset of the new year and extended duration of work-from-home conditions warrant a renewed consideration of firms’ supervision methods related to personal devices.
In this article, we consider the challenges and risks that personal device use creates for firms’ supervision structures. We further outline the specific steps that firms may take to mitigate the risk that associated persons are using personal devices to conduct business communications. Finally, we consider how FINRA may use its enforcement authority to address supervisory gaps regarding personal device use in the coming year.
Personal Device Use: Always a Concern, But Now More than Ever
The use of personal devices or other unmonitored communication channels to conduct business creates obvious supervision issues under FINRA Rule 3010 and recordkeeping problems under Rule 4511. Accordingly, firms have always had to have policies and procedures in place to ensure that their associated persons are not using unmonitored personal devices to conduct business. FINRA has long taken the position that a firm’s obligations under these Rules depend on the content of the communication (that is, whether it pertains to conducting the business of the broker-dealer) rather than the mode of communication (that is, whether the communication occurs through a firm-issued or personal device). Indeed, in a 2011 Regulatory Notice, FINRA noted that “new technologies” like text messaging may “facilitate the ability of associated persons to perform their responsibilities” but that “a firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.” (Reg. Notice 11-39 (emphasis added).)
Given FINRA’s longstanding guidance, nearly every firm’s policies and procedures likely either prohibit outright the use of personal devices to conduct firm business or provide strict parameters to ensure that any business communications are both supervised and retained. But the current remote work environment creates a heightened risk that associated persons, either intentionally or inadvertently, utilize personal devices for business communications. In the office, financial advisors face no obstacles to using their work phones and computers to call clients, answer emails, and otherwise conduct business. Working from home, however, causes the line between the personal and the professional to fade. A financial advisor already using her personal cell phone may naturally be tempted to simply text a client or respond to a Facebook message rather than communicate through a firm-approved and monitored channel. An associated person’s use of their personal device could fall into one of three categories:
- “Innocent” use and momentary lapses. A financial advisor may simply text a client out of convenience or a desire to be immediately responsive to a client, perhaps momentarily forgetting that she should not be using a personal device to conduct business. Similarly, a purely personal conversation with a client over text may evolve into a discussion that could be construed as business communication, even if the advisor does not intend or anticipate that to happen.
- Conducting business in an unauthorized manner. A financial advisor may move past a momentary lapse in memory or judgment and begin actively conducting business through a personal device out of convenience. The financial advisor may believe it is “not a big deal” and that his communications, while conducted through unauthorized means, are not inappropriate.
- Intentional evasion of firm controls to hide misconduct. A financial advisor may intentionally use a personal device with the goal of avoiding detection of inappropriate business conduct. A common case in this category is a financial advisor attempting to settle a dispute with a customer without notifying the firm.
Firms must be aware of, and supervising for, each of these types of situations. A firm’s supervision system for ensuring associated persons utilize only firm-monitored communications channels may very well be “reasonable” pursuant to FINRA Rule 3010 in an environment where financial advisors are working in their offices. This very same system, however, may prove to be ineffective when advisors are working from home given the heightened risk that they will utilize personal devices to conduct firm business.
Indeed, in August of 2020, the SEC’s Division of Examinations (f/k/a Office of Compliance Inspections and Examinations (OCIE)) issued a risk alert detailing compliance and supervision risks to broker-dealers and investment advisers created by the pandemic environment. The risk alert specifically noted that “firms may wish to modify their practices to address . . . communications or transactions occurring outside the firms’ systems due to personnel working from remote locations and using personal devices.” (Risk Alert, Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers, at 3 (Aug. 12, 2020) (emphasis added).) This advice continues to merit attention – especially as the work-from-home environment stretches into 2021.
Managing the Risk Posed by Potential Personal Device Use
Given the increased risk that associated persons may use personal devices or other unmonitored communications channels during this time, firms should consider taking proactive steps to ensure their compliance and supervision systems adequately manage this risk. To the extent firms took steps to address personal device use at the onset of the pandemic, firms should revisit and review their efforts to determine their effectiveness and whether additional measures should be taken. Firms should consider:
- reviewing and updating policies and procedures;
- conducting specific training or issuing targeted reminders or alerts;
- ensuring their email surveillance lexicon is tailored to capture indicia of unsupervised communications;
- asking about personal device use during compliance reviews and branch exams; and
- considering risk factors that lead to personal device use.
Guidance regarding each of these topics is set forth below.
Review and Update Policies and Procedures
Firms should review their policies and procedures and consider whether they require revision or updating in light of the current environment. Policies and procedures should address not only text messaging but the use of messaging features in popular social media applications including Facebook, Instagram, and SnapChat. To the extent firms are allowing the use of personal devices for communications of any kind, policies and procedures should explain the specific circumstances in which such communications will be allowed and how the firm will allow such use consistent with its supervisory and recordkeeping obligations. FINRA has explained that “every firm that intends to communicate, or permits its associated persons to communicate, with regard to its business through a text messaging app or chat service must first ensure that it can retain records of those communications as required by SEA Rules 17a-3 and 17a-4 and FINRA Rule 4511.” (FINRA Reg. Notice 17-18 (emphasis added).)
Some firms may have changed their policies and procedures to accommodate the new work-from-home environment. These firms should take the opportunity to review their policies and procedures to ensure that they reflect any updates and that they both note the prohibition on using unsupervised communications channels and detail how supervision is conducted to reasonably ensure there is no such use.
Conduct Training or Otherwise Specifically Address Personal Device Use
FINRA’s 2011 Regulatory Notice explained “a firm’s policies and procedures must include training and education of its associated persons regarding the differences between business and non-business communications and the measures required to ensure that any business communication made by associated persons is retained, retrievable and supervised.” (Reg. Notice 11-39 at 3.) Accordingly, firms should consider targeted training and alerts to their associated persons regarding the firm policy on personal device use. Training should emphasize that social media and text messaging are not proper channels through which to communicate with clients regarding business matters. Indeed, evidence of specific training and communications to associated persons serves as compelling evidence of the firm’s compliance efforts in the event of a FINRA examination.
Conduct Email Surveillance for Indicia of Unmonitored Communications
Firms would benefit from reassessing their lexicons for surveilling emails in light of their expanded remote workforce. Different terms in a remote environment may be more likely to identify potential issues. Firms should ensure that their email surveillance tools capture keywords indicating an associated person may be contacting a client outside of firm-monitored email. Phrases such as “I’ll text you” or references to “my Gmail,” along with other common email addresses, should be flagged for review. Similarly, firms should consider including “WhatsApp,” “WeChat,” “SnapChat,” and other commonly used messaging and social media applications in their surveillance lexicons.
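The lexicon check described above can be sketched as follows. This is an added example, not code from the article or from any surveillance product; the regular expressions, category names, list of personal email providers, and sample messages are all assumptions made for illustration.

```python
import re

APOS = "['\u2019]"  # straight or curly apostrophe, as mail clients emit both
WEBMAIL = r"(?:gmail|yahoo|hotmail|outlook|icloud)"  # assumed provider list

# Categories follow the article's examples; the patterns themselves are assumptions.
LEXICON = {
    "off_channel_intent": re.compile(rf"\bI{APOS}?ll\s+text\s+you\b", re.I),
    "personal_email": re.compile(rf"\bmy\s+{WEBMAIL}\b|[\w.+-]+@{WEBMAIL}\.com\b", re.I),
    "messaging_app": re.compile(r"\b(?:whats\s?app|wechat|snap\s?chat)\b", re.I),
}

def new_text(body):
    """Drop '>'-quoted reply history so an old hit is not re-flagged on every reply."""
    return "\n".join(ln for ln in body.splitlines() if not ln.lstrip().startswith(">"))

def flag_message(body):
    """Return (category, matched text) pairs for the newly written part of a message."""
    text = new_text(body)
    hits = []
    for category, pattern in LEXICON.items():
        for m in pattern.finditer(text):
            # Collapse whitespace so a phrase wrapped across lines reads normally.
            hits.append((category, " ".join(m.group(0).split())))
    return hits

def review_queue(messages):
    """Map message id -> sorted categories, only for messages with at least one hit."""
    queue = {}
    for msg in messages:
        cats = sorted({c for c, _ in flag_message(msg["body"])})
        if cats:
            queue[msg["id"]] = cats
    return queue

# Constructed sample messages (not real data).
SAMPLE = [
    {"id": "m1", "body": "Thanks for the call. I\u2019ll\ntext you the figures tonight."},
    {"id": "m2", "body": "Please send the statement to my Gmail, j.doe@gmail.com."},
    {"id": "m3", "body": "Are you on WhatsApp? Easier than email."},
    {"id": "m4", "body": "Your quarterly review is attached."},
    {"id": "m5", "body": "Understood, see attached.\n> Are you on WhatsApp? Easier than email."},
    {"id": "m6", "body": "Can we chat tomorrow about the rebalance?"},
]

if __name__ == "__main__":
    for mid, cats in review_queue(SAMPLE).items():
        print(mid, cats)
```

Messages m5 and m6 show two tuning points: quoted reply history is excluded so one thread does not generate repeated alerts, and “WeChat” is matched as a single word so that “we chat” in ordinary prose is not flagged.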
Author Bio
Alexander Madrid is a Partner at McGuireWoods LLP. He has a broad range of litigation and regulatory experience representing financial institutions and other corporate clients, with a specific focus on representing broker-dealers in regulatory and enforcement actions, arbitration, and litigation.
Visit https://www.mcguirewoods.com
Emily Gordy is a Partner at McGuireWoods LLP. Emily advises her clients as they navigate the complexities inherent in the securities regulatory environment. Drawing on her wealth of experience as a regulator, she handles a wide range of compliance and enforcement issues affecting broker-dealers, fintech companies, investment advisers, investment companies, and municipal securities dealers. Visit www.mcguirewoods.com
Cheryl Haas is the Chair of the Financial Services Litigation Department and is a Partner at McGuireWoods LLP. She is a go-to litigation counsel for Fortune 100 companies, investment companies and advisers, broker-dealers and private individuals in high-stakes disputes in federal and state courts and a variety of arbitration forums as well as before the U.S. Securities and Exchange Commission, the Financial Industry Regulatory Authority and state securities regulators across the United States. Visit www.mcguirewoods.com
Chelsey Dawson is an Associate at McGuireWoods LLP. She concentrates her practice on transportation and complex commercial litigation. Visit www.mcguirewoods.com