
Streamlining Email and Content Supervision in an Increasingly Regulated Electronic World


Federal compliance requirements, particularly those that address registered representative communication archiving and content supervision, can feel like moving targets. At the same time, the way financial professionals interact continues to undergo a massive shift toward electronic and mobile channels. All this can make compliance officers feel as if they’re no longer standing on solid ground.

This paper explores the implications of current regulations, lays out solid best practices for compliant processes, and presents a solution that can provide audit-proof* supervision that fulfills federal, industry, and internal requirements.

The Realities of Capturing and Monitoring Electronic Communications

Just a few years ago, employees tended to have one company-supplied email address with which to communicate electronically. Today, that’s definitely not the case. From instant messages and personal web-based email accounts to myriad mobile devices, the variety of communication channels that must be monitored has grown dramatically. In fact, a 2012 survey found that more than half of all financial services firms allow iPhones, iPads and Android devices on their corporate networks.1

The need to retain and monitor information sent across these platforms has made compliance activities significantly more complicated, and federal regulators have expressed that the guidelines apply to all messages, regardless of how they are carried.

As more new ways to communicate emerge, application of security laws and self-regulatory organization (SRO) rules must also evolve. Compliance officers have to be nimble, acting quickly to mitigate risk as scrutiny and enforcement by federal regulators is on the rise. In the first half of 2012, FINRA fined financial services firms more than $39.4 million—15 percent more than the year prior. Some of these penalties exceeded $1 million, and that doesn’t begin to measure costs to the firms’ reputations, given the public arena in which these sanctions play out.2


ING Firms Fined for Review Failure

In February 2013, FINRA fined five ING affiliates $1.2 million for failing to capture millions of emails, and for failing to review nearly six million messages flagged by their review software.13


Interestingly, some of the most recent violations point to inefficiency and lack of reliability in the supervision process itself, rather than dubious broker behavior. It’s no surprise that, given the sheer volume of information requiring oversight and the fragmented archiving systems many companies rely on, even firms with systems in place are failing to identify potential violations and are incurring fines. These failures suggest that the answer to reliably supervising vast numbers of messages with limited resources lies in advancing technology. Until recently, however, technology solutions tended to focus on the archiving portion of the requirement—even Gartner analysts were just beginning to address the potential for electronic communication supervision within archiving frameworks in their most recent Magic Quadrant report.3

Interpreting Regulatory Rules and Guidance

The goal of any email supervision program should be to demonstrate that adequate review is being performed. Regulators know that firms can’t read every email and instant message sent. Rather, a consistent process must be in place, and reviews should be performed by knowledgeable personnel who can recognize issues and escalate them as needed.

There is no free pass for new communication platforms, no matter how challenging. FINRA requires firms to establish policies regarding just what forms of communication can be used.4 Then, according to the FINRA and SEC guidelines, the rules are based on the “content and audience of the message” rather than the form of communication.5,6 “Consequently...FINRA expects a firm to have supervisory policies and procedures to monitor all electronic communications technology used by the firm and its associated persons to conduct the firm’s business.”7 Just as important, firms must ensure that they have processes in place to keep records of these communications, as required by previous SEC, NASD, and NYSE rules. Some channels, including instant messages, online message boards, e-faxes, personal email, and websites have been specifically called out within the regulations, but the rules have been written to apply to platforms we can’t yet envision, referring to “any existing and future electronic communications technology that this guidance may not address.”8

The SEC position on this was written long before email was imagined and still sums up the attitude toward SRO compliance today. The Investment Advisers Act of 1940 states that

...no person shall be deemed to have failed reasonably to supervise any person, if:

a) there have been established procedures, and a system for applying such procedures, which would reasonably be expected to prevent and detect, insofar as practicable, any such violation by such other person, and

b) such person has reasonably discharged the duties and obligations incumbent upon him by reason of such procedures and system without reasonable cause to believe that such procedures and system were not being complied with.9

Citigroup Pays for Not Saving Email

FINRA levied a $750,000 fine on a Citigroup unit in 2011 for not retaining millions of emails during an archive upgrade.14

Simply put, complying with subparagraph A requires that adequate policies and procedures are in place. Of course, subparagraph B is more difficult to satisfy. Demonstrating that these duties have been “reasonably discharged” requires showing that the procedures have been put into practice and carefully adhered to. This adherence requires establishing workflows and maintaining full audit trails detailing what steps were taken and how decisions were made.


Should a misleading or questionable email surface, one of two things can happen. You can either produce evidence of adequate email review, making it much more difficult to bring action against your firm, or you can pay the high price tag associated with inadequately monitoring employee communications. But it helps to know that, if you follow best practices in establishing your electronic content supervision procedures, it will be difficult to charge your organization with “failure to supervise.”

Guidance Regarding Review and Supervision of Electronic Communications and Content

As FINRA acknowledges, technological innovation has dramatically changed how firms deliver, receive, and store communications. Fortunately, the organization has issued clear guidance for developing systems and procedures for reviewing and supervising electronic communications.

Piper Jaffray: Retention and Disclosure Violations

In 2010, Piper Jaffray was fined $700,000 for issues with email retention, as well as failure to inform FINRA of the problem.15


1. Lexicon-based search technology to flag messages. Automated search tools can identify content that might contain evidence of improper conduct, customer complaints, errors, and other content as required by SRO and internal policies. However, an effective system should provide the ability to

• Customize the list of trigger words and phrases to your policies, clients, product set, and so forth, and update it regularly.

• Include jargon, slang, misspellings and common errors.

• Review images and identify attachments designed to thwart review.

• Exclude disclaimers and email template text, such as “having trouble viewing this email?” or “the firm does not guarantee,” which might appear in every email.

• Review foreign-language and encrypted messages.

• Restrict access to the list of terms.

2. Additional random sampling of content. Certainly, no system can detect highly sophisticated codes or carefully worded infractions. But by combining lexicon-based search with random sampling, firms can monitor a percentage of communications containing unstructured information files (JPG, JPEG, BMP, GIF, TIFF, PDF, etc.) and attachments to check for policy or rule violations. This approach increases the chance of finding emails that use unstructured content specifically to avoid being flagged by the lexicon search. While random review is required, no specific percentage is recommended for it. This option also offers an opportunity to keep closer watch on specific offices or business units, or even individuals with a disciplinary history.

3. Secure access and administration. Security is essential to a supervision system—starting with control of the keyword list. After all, if employees know what terms will trigger a flag, they can easily craft messages that will sail through.

4. Well-defined reviewers and responsibilities. Not only must procedures be clearly delineated, firms must also clearly identify who is responsible for performing the reviews. FINRA requires all reviewers to have sufficient knowledge, experience, and training to adequately perform reviews. In addition, firms must be able to demonstrate that their reviewers meet these criteria.


5. An audit log of all reviews and actions taken. This piece of the puzzle is key to demonstrating adequate policies and procedures are being followed. FINRA requires that “Members must evidence their reviews, whether electronically or on paper, and be able to reasonably demonstrate that such reviews were conducted.”10

“The evidence of review should at a minimum, clearly identify the reviewer, the communication that was reviewed, the date of the review and the steps taken as a result of any significant regulatory issues that were identified during the course of the review.”10

6. Timely search and review. Federal regulations suggest that reviews should occur within “reasonable timeframes,” but they also ask that firms recognize how hard it can be to solve a problem if it isn’t addressed quickly. Daily review is the most efficient approach, because a backlog of flagged content can easily become overwhelming.

7. Archiving according to internal and industry guidelines. Archiving is the one practice most financial services firms already observe, holding on to business-related electronic communications for three years in a non-rewriteable, non-erasable format.11 But it’s no longer enough to merely retain content. Archive systems must also support e-discovery, because these requests can be time consuming and expensive, placing an undue burden on the firm to identify and provide nonprivileged documents in a timely manner.
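The flag, sample, and evidence steps from items 1, 2, and 5 above, sketched as an added example (not code from this paper or from iZon Compliance). The lexicon, reason codes, message bodies, and function names are all constructed for illustration.

```python
import random
import re
from dataclasses import dataclass
from datetime import date

# Constructed lexicon: reason code -> patterns, common misspellings included.
LEXICON = {
    "PROMISSORY": [r"guar[ae]nt(?:y|ee)d? returns?", r"can'?t lose"],
    "COMPLAINT": [r"\bcomplain(?:t|ts|ing|ed)?\b"],
}
# Template text that appears in every message; excluded before matching.
TEMPLATE_TEXT = ["having trouble viewing this email?",
                 "the firm does not guarantee"]

# Constructed sample messages: id -> body.
MESSAGES = {
    "m1": "I can promise guarenteed returns on this fund.",
    "m2": "Quarterly statement attached. The firm does not guarantee returns.",
    "m3": "Client says she will file a complaint with FINRA.",
    "m4": "Lunch Thursday?",
    "m5": "Having trouble viewing this email? Click here. Newsletter inside.",
    "m6": "See attached scan.",
}

def flag(body, strip=True):
    """Return the sorted reason codes whose patterns match the message body."""
    text = body.lower()
    if strip:
        for phrase in TEMPLATE_TEXT:
            text = text.replace(phrase, " ")
    return sorted(code for code, patterns in LEXICON.items()
                  if any(re.search(p, text) for p in patterns))

def build_queue(messages, sample_rate, seed):
    """Queue every lexicon hit, plus a random sample of the unflagged rest."""
    queue = {}
    for mid, body in messages.items():
        reasons = flag(body)
        if reasons:
            queue[mid] = reasons
    unflagged = sorted(set(messages) - set(queue))
    if unflagged and sample_rate > 0:
        k = max(1, round(len(unflagged) * sample_rate))
        # Fixed seed only so the example is reproducible.
        for mid in random.Random(seed).sample(unflagged, k):
            queue[mid] = ["RANDOM_SAMPLE"]
    return queue

@dataclass(frozen=True)
class ReviewRecord:
    """Minimum evidence of review: who, which message, when, what was done."""
    reviewer: str
    message_id: str
    reviewed_on: date
    reasons: tuple
    action_taken: str

def record_review(queue, message_id, reviewer, action_taken, reviewed_on):
    """Create an immutable audit entry for a message that was in the queue."""
    if message_id not in queue:
        raise KeyError(f"{message_id} was not queued for review")
    return ReviewRecord(reviewer, message_id, reviewed_on,
                        tuple(queue[message_id]), action_taken)

if __name__ == "__main__":
    q = build_queue(MESSAGES, sample_rate=0.25, seed=7)
    for mid, reasons in sorted(q.items()):
        print(mid, reasons)
    print(record_review(q, "m1", "reviewer_a", "escalated to compliance",
                        date(2013, 3, 1)))
```

Message m2 shows why template text is excluded: matched without stripping, its disclaimer alone raises a PROMISSORY flag on every outgoing email.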

Ultimately, any technology solution designed to automate electronic content supervision must be structured enough to demonstrate compliance, yet flexible enough to adapt to changing inputs and guidelines.

Automated, Intelligent Content Supervision: iZon Compliance

Designed to meet the demands of the financial services industry and built on the IBM ECM platform, iZon Compliance provides a single integrated solution for review and audit-proof supervision of post-archival content such as email, documents and instant messages.

The iZon Compliance solution searches archives daily for potential infractions, based on the organization’s policies and trigger keywords and phrases. Flagged content is sent to legal, human resources, or compliance reviewers as appropriate, along with a message about why the message triggered review. Auditors can view the documents in question in an intuitive interface, enter comments, and document that the review has been completed. Their actions and notes are preserved in an audit trail to demonstrate adherence to procedures and comply with FINRA recommendations.12

MetLife Suffers Supervision Failure

MetLife Securities and three affiliates were fined a total of $1.2 million in 2009 for failing to establish adequate review procedures.16

In fact, iZon Compliance provides detailed audit trails of the complete supervision and referral process. All activities—including versions and changes, reason codes, and escalation of message review—are captured to provide the necessary auditable proof of adequate, consistent supervision.

The iZon Compliance solution is unique in its ability to integrate with other departmental systems to provide functionality beyond basic archiving and content review. For example, iZon Compliance can integrate with human resource systems to act as a central repository for certifications and employee data that can assist a reviewer in making a decision about questionable content. Or it can integrate with legal and compliance case management databases to cross-reference pending litigation, prior warnings, or past violations. This additional detail can save reviewers significant time by ensuring that the most complete, up-to-date information is available at their fingertips.

Fewer false positives and duplicate messages help reviewers stay on top of the volume of communications that require their attention.

While ensuring compliance is the first priority, iZon Compliance also delivers exceptional efficiency, reducing the time and costs associated with content supervision. For example:

• Industry-leading, lexicon-based search combined with meaning-based searches substantially reduces false positives while pinpointing more likely violations, compared to other solutions.

• Adaptable, automated referral processes direct flagged content into workflows based on reason codes, eliminating the need for manual escalation and review.

• Bulk review capabilities allow multiple items to be reviewed and annotated at one time, minimizing duplication of effort.

• Custom warnings and notifications are easily generated and delivered to appropriate parties with a click of the mouse.

• A reliable language-translation option is available and ideal for global organizations.


Being presented with fewer false positives and duplicate messages helps reviewers stay on top of the volume of communications that require their attention and allows them to complete more reviews in a more timely manner. Complemented by detailed reporting that documents the review process, iZon Compliance helps ensure that the supervision process has been consistently accomplished.

Prevent the Unnecessary Costs of Noncompliance

Electronic communication isn’t going anywhere—it’s only going to keep growing, with new channels and new devices making supervision even more of a challenge. Your organization can constantly add resources, risk noncompliance or find a reliable way to increase the efficiency of your supervisory processes. Compared to the costs of the first two options, iZon Compliance, with its smarter combination of meaning and lexicon-based search technologies and robust archiving, is a forward-thinking, economical solution.

Customer Story: Financial Services Company with Approximately 40,000 Licensed Securities Representatives

Challenge: This organization supervises the email of 40,000 licensed securities representatives. Traditionally, this content was searched using simple word-based lexicon lists that resulted in an enormous amount of false positives and junk messages. On average, the legacy system returned more than 15,000 messages for review each day. Naturally, reviewers were extremely overtaxed and unable to review 100% of the flagged messages, exposing the company to risk.

The iZon Compliance Solution: In a head-to-head review of the same pool of messages over 15 days, iZon Compliance flagged about 85% fewer messages. However, the iZon Compliance system identified 25% more violations.

What’s more, iZon Compliance accelerated review time through its automation and integration capabilities. In a single click, reviewers had access to certification dates and prior legal case histories of licensed representatives, and they could issue automated warning letters for minor first-time offenses. They could also highlight messages with the same subject line and bulk review messages. Unlike the legacy system, emails that were flagged for referral were given reason codes and comments and were tracked through the entire workflow. Conversely, referrals in the legacy system resulted in messages being printed out and added to folders. Finally, iZon Compliance was able to help spot trends and identify reporting and supervisory training issues within lines of business and clusters of representatives.

The bottom line: Ultimately, the customer

• Reviewed fewer flagged emails.

• Identified more violations.

• Saved more than an hour for each violation by not having to seek additional information in other departmental systems.

• Had no need to print messages or create an additional paper trail.

• Derived more meaningful metrics from the process.

• Could manage and track requests for ad hoc searching.

• Was able to conduct a 100% review and meet all FINRA requirements.


About IBM Enterprise Content Management

Enterprise content management solutions from IBM help companies realize the strategic value of content for better insight and outcomes. IBM ECM delivers high-value solutions that can help companies transform the way they do business by enabling them to put content in motion: capturing, activating, socializing, analyzing, and governing it throughout the lifecycle. IBM can help organizations identify critical content within large information volumes and prioritize it to gain insight to inform business decisions. We help businesses put the right content in the hands of the right people at the right time while effectively managing the cost and risk of enterprise content from capture to disposal. IBM has provided ECM solutions to more than 13,000 companies, organizations and governments around the world, helping them remain competitive through new intelligent innovation.

For more information visit: ibm.com/software/ecm

About Atlantic Software Technologies, Inc.

Atlantic Software Technologies is an IBM Enterprise Content Management partner that has been focused on high-value business process automation for more than ten years. From the company’s headquarters in New York, AST provides products, technologies, and personal service that help customers bring people, systems and processes together to create efficient and effective global solutions.


© Copyright IBM Corporation 2013

IBM Corporation
3565 Harbor Boulevard
Costa Mesa, CA 92626-1420
USA

Produced in the United States of America March 2013

All Rights Reserved.

IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.

Other company, product, or service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

While efforts were made to verify the completeness and accuracy of the information contained in this document, it is provided “as is” without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this information. Nothing contained in this document is intended to, nor will have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software or receipt of IBM services.

Each IBM customer is responsible for ensuring its own compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Resources

We hope you find these resources helpful as you seek more information about IBM ECM and Atlantic Software Technologies.

Solution Profile

Download a quick overview of iZon Compliance by Atlantic Software Technologies.

See how iZon Compliance can benefit your organization. For more information, contact:

IBM: Kristen Meyer, 703-934-1125

Atlantic Software Technologies: Marjory Dury, 212-682-4160

1 Smarsh, Electronic Communications Compliance Survey Report, (June 28, 2012).

2 Kenneth Corbin, “FINRA Broker-Dealer Penalties Soar in 2012,” Financial Planning, (August 10, 2012).

3 Gartner, Magic Quadrant for Enterprise Information Archiving, (October 29, 2010).

4 FINRA Regulatory Notice 07-59, Supervision of Electronic Communications, (December, 2007).

5 FINRA 07-59.

6 SEC 17 CFR Part 240, Reporting Requirements for Brokers or Dealers Under the Securities and Exchange Act of 1934, (February 5, 1997).

7 FINRA 07-59.

8 FINRA 07-59.

9 SEC Investment Advisers Act of 1940, Section 203(e)-6.

10 FINRA 07-59.

11 SEC 17 CFR Part 240.17a-4, Records to be Preserved by Certain Exchange Members, Brokers and Dealers.

12 FINRA 07-59.

13 FINRA, FINRA Fines Five ING Firms $1.2 Million for Email Retention and Review Violations, (February 19, 2013).

14 Reuters, Citigroup to Pay $750,000 Fine for Not Saving Emails, (December 8, 2011).

15 FINRA, FINRA Fines Piper Jaffray $700,000 for Email Retention Violations, Related Disclosure, Supervisory and Reporting Violations, (May 24, 2010).

16 FINRA, FINRA Fines MetLife Securities and Affiliates $1.2 Million for Email Supervision Failures, (November 18, 2009).

*iZon Compliance keeps track of and can report on all communication supervision activities that have occurred, including what search criteria and lexicon list contents were used on any given day. Our software will meet the evidencing requirement, but is no guarantee of full compliance with the regulation.

Additional Information: www.izoncompliance.com
