U.S. Securities and Exchange Commission (SEC) enforcement for failure to maintain and preserve adequate records of electronic communications and for failure to adequately supervise the use of off-channel communications is at the top of compliance professionals' minds right now. The size and scope of the firms involved and the staggering $2.5 billion plus in penalties assessed have made the actions a hot topic in the news and across the financial services industry.
Much has been made of the SEC sweep. However, there are other regulations that firms must adhere to, depending on industry, geography, and communication channels.
Get the message. Preserve eComms or Face Steep Regulatory Consequences
A myriad of agencies and regulations govern the use of employee communication channels, including email, voice, and other digital platforms, and mandate requirements for record retention. Other regulatory standards also apply to firm communication practices depending on jurisdiction and context.
Firms should be aware of the specific requirements and expectations of the authorities that regulate their activities and keep abreast of the latest developments and regulatory trends.
The U.S. Securities and Exchange Commission
SEC Rules 17a-3 and 17a-4 require broker-dealers to make and keep current certain records relating to their business, including records of all communications received and sent that relate to firm operations. The rules also specify the records' format, medium, and retention period and the manner of their production in case of examination or investigation. SEC rules also require firms to capture, supervise and retain electronic communications.
In addition, SEC Rule 204-2(a)(7) requires registered persons to make and keep originals of all communications received and sent by relating to recommendation and advice, receipt, disbursement or delivery of funds or securities, the placing or execution of purchase and sale orders and the performance managed accounts or securities recommendations.
The U.S. Financial Industry Regulatory Authority (FINRA) Rule 3110
FINRA Rule 3110 requires member firms to establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations with FINRA rules. The rule also requires member firms to review the incoming and outgoing written (including electronic) and oral communications of their associated persons relating to their securities business.
The 2024 Surveillance Benchmarking Survey & Report from 1LoD and co-sponsored by MCO features in-depth analysis from 30+ leading global banks on the state of trade and communications surveillance in financial services today.
The U.S. Commodity Futures Trading Commission (CFTC) Rule 1.31
CFTC Rule 1.31 requires futures commission merchants, retail foreign exchange dealers, introducing brokers, and certain other registrants to keep full, complete, and systematic records of all transactions relating to their business, including all oral and written communications provided or received concerning quotes, solicitations, bids, offers, instructions, trading, and prices that lead to the execution of transactions. The rule also specifies the records' format, medium, and retention period, as well as the manner of their production in case of inspection or investigation.
The U.S. Federal Trade Commission (FTC) Act
The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce, including those involving false or misleading statements or omissions of material facts in advertising, marketing, or other communications. The FTC has the authority to investigate and enforce violations of the act and issue rules and guidance to prevent such violations.
The U.S. Consumer Financial Protection Bureau (CFPB) Rules and Regulations
These rules and regulations implement and enforce various consumer financial protection laws, such as the Truth in Lending Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Real Estate Settlement Procedures Act, that may apply to the use of employee communication channels in the provision of consumer financial products or services. The CFPB has the authority to supervise, investigate, and take action against violations of these rules and regulations and issue rules and guidance to prevent such violations.
The E.U. Markets in Financial Instruments Directive (MiFID) II and Regulation (MiFIR)
The E.U. Markets in Financial Instruments Directive (MiFID) II and Regulation (MiFIR) rules apply to investment firms, credit institutions, market operators, and data reporting service providers that operate in the E.U. The rules require them to record telephone conversations and electronic communications that relate to the reception, transmission, and execution of orders, or to the provision of client order services that relate to the reception, transmission, and execution of orders. The rules also specify the records' format, medium, and retention period and the manner of their disclosure to clients and competent authorities.
Any communications channels approved for use by firm employees, for both internal and external messages, must meet the privacy and data protection requirements of the firm’s jurisdiction.
The E.U. General Data Protection Regulation (GDPR)
The GDPR applies to any company that processes the personal data of individuals in the E.U., regardless of where the firm is located. The regulation grants individuals rights over their personal information including the right to access, rectify, erase, restrict, or object to the processing of their data, and the right to data portability. The regulation also imposes obligations on organizations to ensure the lawfulness, fairness, transparency, accuracy, security, and accountability of their data processing activities.
The E.U. ePrivacy Directive
The E.U. ePrivacy Directive complements the GDPR regarding the processing of personal data in the electronic communications sector. The directive regulates the confidentiality, security, and consent of electronic communications, such as email, voice, and text messages, and the use of cookies and other tracking technologies. The directive also requires member states to ensure that national authorities have the power to monitor and enforce compliance with the directive.
The UK Data Protection Act 2018
UK Data Protection Act supplements and tailors the GDPR to the U.K. context and also regulates the processing of personal data for law enforcement and national security purposes. The act grants individuals certain rights over their personal data, such as the right to be informed, the right to access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making. The act also imposes obligations on organizations to ensure the lawfulness, fairness, transparency, accuracy, security, and accountability of their data processing activities.
The U.K. Financial Conduct Authority (FCA) Handbook
The FCA Handbook contains the rules and guidance applicable to firms and individuals authorized or registered by the FCA or otherwise subject to its regulation. The handbook covers various aspects of business conduct, including the recording, retention, and supervision of communications related to the firm's designated investment business. The handbook also specifies the records' format, medium, and retention period, as well as the manner of their disclosure to clients and the FCA.
The U.K. Prudential Regulation Authority (PRA) Rules and Guidance
PRA Rules and Guidance apply to firms and individuals authorized or regulated by the PRA, such as banks, building societies, credit unions, insurers, and investment firms. The rules and guidance cover various aspects of prudential regulation, such as capital, liquidity, governance, risk management, and reporting. The PRA has the authority to supervise, investigate, and take action against violations of these rules and guidance, and to issue rules and guidance to promote the safety and soundness of the firms and the stability of the financial system.
What to do in an environment of increasing regulation and active enforcement?
The volume of regulators and regulation is daunting. However, the themes and imperatives are consistent across regions and regulators.
Communications compliance requires strong governance bolstered by comprehensive technology.
To stay compliant, firms must implement technology that can both monitor and identify risk from employee communications and archive communications in conjunction with company policy and required regulations.
