FINRA enforcement cements focus on unauthorized comms and senior managers

In brief

– FINRA has taken action against an investment bank and two senior managers for their use of unauthorized comms

– Within the firm, the use of text messages for business operations was prohibited

– Despite ample warning from the compliance team, senior managers continued to use text messages from personal devices to conduct business operations

– The case calls into question whether the outright banning of certain communication channels is an effective and compliant solution, or whether it just allows bad activity to flourish

The Financial Industry Regulatory Authority (FINRA) has issued yet another hefty fine to a member firm for failing to preserve and supervise its employees’ business-related text messages. The case is the latest in a string of similar actions from U.S. regulators who have placed laser-like focus on the monitoring of business communications over the last year. Interestingly, while the investment bank has been ordered to pay $1.5 million for regulatory failures, two of the firm’s senior managers have similarly received fines and suspensions.

What happened?

The firm in question is a long-standing FINRA member providing investment banking services. Despite having more than 100 registered representatives, FINRA has found that the firm failed to capture, keep, and supervise its employees’ business-related communications over a prolonged period of three years.

The firm had clearly documented written supervisory procedures (WSPs), which prohibited employees from using text messages for business-related communications. However, between September 2017 and September 2020, at least 24 of its employees conducted business operations in text messages from personal phones.

This led to a number of compliance gaps, not least because – as the texts were sent from personal phones – the firm was unable to obtain and therefore preserve the messages. In turn, this acted as a significant hurdle to FINRA being able to gain all the relevant and necessary evidence in the course of two investigations. As well as this, most of the messages had been deleted before FINRA requested them.

Senior managers took advantage of unauthorized comms

Among the 24 employees who used their personal phones for business communications, two were senior managers. They included the firm’s President and Head of Investment Banking and its Director of Research at the time. These senior employees “routinely exchanged text messages about firm business with each other on their personal cellphones outside of the firm’s approved communications platforms”.

As a result, employees and senior managers routinely acted in contravention of the firm’s WSPs and FINRA rules. While the compliance team had frequently reminded employees that the use of text messaging was prohibited, the management team knew that employees were sending personal text messages about business matters and did not act to prevent it. How did they know that employees were using unauthorized comms? Because they were using them themselves.

Don’t forget about the emails

In addition to failing to preserve and supervise employee’s business-related messages, the firm also failed to supervise its employees’ email communications between March 2019 and September 2020. In that time, the firm also failed to determine the type of review that was to be conducted around email communications, as well as who at the firm would be responsible for the review or how an escalation might occur. This meant that many emails were not reviewed for more than a year after being sent or received.  

As a result of the non-compliant action, FINRA issued the firm with a $1.5 million fine and required it to revise “its supervisory systems, policies, procedures and trainings” connected to the rules violated. The two senior managers each received fines of $15,000 and have been suspended from association with any FINRA Member in all capacities for 30 days.

What does this enforcement tell us about unauthorized comms?

This enforcement is important for a number of key reasons as it shows:

1. Unauthorized comms aren’t a passing trend

As is often the case in compliance, some regulatory trends stick, and others are a flash in the pan – a month of activity and then never mentioned again. For those who thought that the regulatory focus around unauthorized comms was one such trend, think again. As the SEC’s FY 2022 Enforcement Results have shown, recordkeeping failures have dominated enforcement activity for over a year.

There is no denying that much of the action around unauthorized comms is currently rooted in the U.S., causing some to ask whether the UK will follow suit any time soon. The answer is yes, most likely. In October, the Financial Conduct Authority (FCA) said: 

“We are actively discussing personal device use with a range of UK authorized firms, not limited to those who may have been subjected to other regulatory enquiries”.

While the FCA’s action is only supervisory at this time, it is likely that these communications will lead to strengthened, stringent action from the UK regulator over the coming months. As we often see, the UK regulator is guided by the focus of its U.S. counterparts – and vice versa.

2. There’s increasing accountability for those at the top

It is undeniable that regulators from all regions have taken a far stricter approach to the accountability of senior managers. No longer are firms taking the full force of regulatory action, those at the top are paying the price too. In this instance, two senior managers were issued with significant financial penalties. We have similarly seen cases where CCOs, CEOs and others have been hit with either fines or request to carry out further training.

This ties in to wider regulatory messaging, including that from the newly appointed Department of Justice’s (DoJ) Fraud Chief who, in conversation with the Wall Street Journal, has defended new DoJ policies that require chief executives and chief compliance officers to personally certify the effectiveness of a company’s compliance program. Accountability measures are on the rise and will likely alter the significance of regulatory burden.

3. Banning communication channels isn’t a solution

The third key takeaway points to a common misconception when it comes to communication channels within financial services – banning channels is not a solution. In this instance, even though the compliance team had expressly prohibited the use of text messages for business operations, employees continued to use the channel.

In the wake of mammoth fines against J.P. Morgan for failing to monitor unauthorized WhatsApp communications, we heard rumors that many firms simply banned the use of WhatsApp. As this case perfectly demonstrates, banning is not a solution. Moreover, and more importantly, regulators will not see banned channels as a solution. As SEC Chair, Gary Gensler, noted in a recent speech – regulators want to see that firms are taking proactive action to “remediate your misconduct”. Banning isn’t remedial action, it’s inaction – and it won’t wash when the regulators come knocking.

Instead of banning communication channels, Global Relay wants to empower firms to use all communications in a compliant way – including WhatsApp. Speak to the team to WhatsApp Enable Your Business.