Memo #21289

NASD and NYSE Seek Comment on Proposed Guidance Relating to the Review and Supervision of Electronic Communications

June 19, 2007

TO: SEC RULES COMMITTEE No. 52-07
TECHNOLOGY ADVISORY COMMITTEE No. 17-07
COMPLIANCE ADVISORY COMMITTEE No. 11-07
CHIEF COMPLIANCE OFFICER COMMITTEE No. 14-07
BROKER/DEALER ADVISORY COMMITTEE No. 26-07
SMALL FUNDS COMMITTEE No. 23-07

RE: NASD AND NYSE SEEK COMMENT ON PROPOSED GUIDANCE RELATING TO THE REVIEW AND SUPERVISION OF ELECTRONIC COMMUNICATIONS

 

The NASD and NYSE are soliciting comments on proposed guidance regarding a member’s responsibility for reviewing and supervising electronic communications. [1]  The proposal is briefly summarized below. 

Comments on the proposal are due to the NASD and NYSE by Friday, July 13th.  The Institute will hold a conference call on Tuesday, June 26th at 4 p.m. Eastern to discuss the letter.  If you plan to participate on the call, please let Anna Richter know by email (arichter@ici.org) as soon as possible, but no later than Monday, June 25th.  Ms. Richter, in turn, will provide you the call-in information.  If you are unable to participate in the call but have comments on the draft letter, please provide them to Tami Salmon prior to the call by phone (202-326-5825) or email (tamara@ici.org).

I. Overview

The proposed guidance is divided into six substantive areas relating to the review of e-communications.  These are: the written policies and procedures governing the review; the types of e-communications [2] requiring review; identification of the person(s) responsible for the review; the review method; the frequency of review; and documenting the review.  Before discussing each of these areas in detail, the proposed guidance reaffirms the flexibility currently provided to members to design their supervisory procedures applicable to communications with the public in a way that is appropriate to the individual member’s business model.  According to the guidance, members generally may use risk-based principles to determine both which external and internal communications should be reviewed and the extent of such review.  An exception, however, applies to those communications that are expressly required by rule of the NASD or NYSE to be reviewed. [3]  In employing risk-based principles, members should consider how effectively to:

  • “Flag” those electronic communications that may raise or evidence compliance, regulatory, reputational, financial, or litigation concerns; 
  • Identify business areas that warrant supervisory review; and
  • Educate employees about the member’s policies and procedures relating to e-communications.

As part of this process, members should be aware of existing interpretive material published by the NASD or NYSE that directs them, among other things, to:

  • Identify the types of correspondence that will be pre- or post- reviewed;
  • Identify the organizational positions responsible for conducting reviews of the different types of correspondence;
  • Monitor compliance with the member’s supervisory procedures;
  • Periodically re-evaluate the effectiveness of the member’s policies and procedures;
  • Ensure that all customer complaints, regardless of how received, are reported as required by the NASD’s or NYSE’s rules;
  • Prohibit employees from using e-media that are not subject to the member’s supervision and review; and
  • Conduct necessary and appropriate training and education.

Overall, the Notice reminds members that, when a member permits the use of any technology, the member’s system of supervision should be reasonably designed to achieve compliance with the applicable laws, rules, and regulations.

II. Written Policies and Procedures

Generally speaking, members’ policies and procedures governing e-communications should be clear and updated to address new technologies.  According to the Notice, members should provide their employees with the following:

  • Quick and easy access to their e-communication policies and procedures – for example, through the member’s intranet system.
  • A clear list of permissible e-communication mechanisms and a clear statement that all other mechanisms are prohibited. 
  • Specific language explaining the potential consequences of non-compliance.
  • Training on both a regular and as-needed basis.  In some instances, the training should be tailored to the employee’s specific business function.

III. Types of E-Communications Requiring Review

A. External Communications

As discussed above, members must have reasonable policies and procedures governing the review of both those communications that are specifically required to be reviewed by the NASD’s or NYSE’s rules and additional communications that may be determined using a risk-based approach.  In addition to establishing policies and procedures in this area, the Notice advises members to take reasonable steps to monitor for compliance with such policies and procedures.  So, for example, if the member prohibits certain types of communication media, the member may want to consider blocking or otherwise regulating their use (both internally and externally).    Some of the particular external communication media the Notice addresses include:

Non-Member E-Mail Platforms – According to the Notice, if a member permits employees to use these platforms, the member is required to supervise and retain those communications.  If members elect to block access to these platforms through their networks, they should periodically test the blocking functionality to ensure that it is working as designed or intended.  Along these same lines, the NASD and NYSE expect members to prohibit, through policies and procedures, employees communicating with the public through their own electronic devices unless the member can supervise, receive, and retain such communications.  Absent a prohibition on using such devices, the member may want to require pre-approval for the business-related use of such personal electronic communication devices.  In addition, members may want to consider obtaining agreements from employees that provide the member access to those personal electronic devices employees are permitted to use.  Members may also want to ban the use of personal electronic devices in certain sensitive firm locations (e.g., where material non-public information could be accessed).

Message Boards – The Notice notes that members may consider blocking their employees’ access to message boards to prevent them from communicating through these boards for business purposes.

E-faxes – The Notice advises members to supervise the use of e-faxes “accordingly.” 

B. Internal Communications

According to the Notice, members may decide, employing risk-based principles, the extent to which it is necessary to review any internal communications as part of the member’s supervision of its business.  In deciding this issue, members may want to consider: detecting when a member’s information barriers are not working to protect customer or issuer information; protecting against undue influence on research personnel contrary to the NASD’s or NYSE’s rules; and segregating the member’s proprietary trading desk activity from all or part of the other operating areas of the member.  Members may also want to consider how regulating e-communications may be relevant to existing processes such as: managing conflicts  (by, for example, preventing e-communications between certain departments); conducting branch or desk examinations, regulatory inquiries, or examinations; reviewing transactions, disciplinary matters, or customer complaints; and reviewing external e-communications.

IV. Identification of the Person(s) Responsible for Reviewing E-Communications

According to the Notice, members’ procedures relating to the review of e-communications should address the following:

  • Clear identification of the person(s) responsible for performing the reviews;
  • Evidence by the supervisor or principal of any required reviews;
  • To the extent a function relating to the supervision of communication is delegated, the supervisor must take reasonable and appropriate action to ensure that such delegated functions are properly executed, and there must be a protocol that ensures regulatory issues come to the attention of the designated supervisor or other appropriate department; and
  • Reviewers having sufficient knowledge, experience, and training to perform reviews.

V. Methods of Review for Correspondence

The longest portion of the Notice relates to the methods members may use to review communications.  This section begins by noting that members should develop review procedures that are both reasonably designed to ensure compliance with the law and appropriate to the member’s business and structure.  Additionally, members should monitor for compliance with the frequency, timeliness, and quantity parameters established in the member’s supervisory procedures governing the review.  Members may want to consider re-reviewing communications in certain instances or as part of their standard branch office inspection program.  Where members permit the use and receipt of encrypted communications or communications in a language other than English, they must be able to monitor and supervise those communications. 

After discussing these general aspects of reviewing correspondence, the Notice discusses in detail lexicon-based reviews (i.e., those based on sensitive words or phrases, the presence of which may signal problematic communications), random reviews (i.e., where some percentage of communications is reviewed), and a combination of lexicon and random reviews.  According to the Notice, a combination may be appropriate to address weaknesses in using just a lexicon-based review or a random sampling review.  Regardless of the system used, members should incorporate ongoing evaluation procedures to identify and address any loopholes or other issues that may arise as the means of transmitting sensitive information “under the regulatory radar” become more sophisticated and difficult to capture.  Also, members using automated tools or systems in their reviews “must have an understanding of the limitations of such tools or systems . . . and should consider what, if any, further supervisory review is necessary in light of such limitations.” [4]

VI. Frequency of the Review of Correspondence

The Notice expressly acknowledges that the frequency of a member’s review of correspondence will vary depending upon the business.  Members should prescribe reasonable timeframes within which supervisors are expected to complete their reviews, taking into consideration the type of review and review method.

VII. Documentation of the Review of Correspondence

The Notice reminds members that they must be able to evidence their reviews and reasonably demonstrate that they were conducted.  The evidence of review should, at a minimum, clearly identify the reviewer, the communication reviewed, the date of review, and the steps taken to address any significant regulatory issues that were identified during the course of the review. [5]  “Members should remind their reviewers that merely opening the communication will not be deemed a sufficient review.”

* * * *

The Notice cautions members that the proposed guidance

. . . is not all-inclusive and does not represent all areas of inquiry that a member should consider when establishing and maintaining a supervisory system for electronic communications, including any existing and future electronic communications technology [not addressed by the proposed guidance].

Members are also reminded that the proposed guidance “does not serve to establish a safe harbor with respect to potential supervisory or compliance deficiencies.”

 

Tamara K. Salmon
Senior Associate Counsel

endnotes

 [1]  See Supervision of Electronic Communications, Notice to Members 07-30, NASD (June 2007) (the “Notice”), which is available at: http://www.nasd.com/web/groups/rules_regs/documents/notice_to_members/nasdw_019298.pdf.

 [2]  As used in this memo and the Notice, e-communications is broadly defined and includes, in addition to e-mail, electronic media such as podcasts and blogs.

 [3]  A list of these can be found on p. 3 of the NTM.

 [4]  Notice at p. 11.

 [5]  According to n.8 of the Notice, the NASD and NYSE “recognize that, as appropriate evidence of review, e-mail related to members’ investment banking or securities business may be reviewed electronically and the evidence of the review may be recorded electronically.”