This year, we’ll get to see each other virtually at the 2021 FINRA Annual Conference. After a cancellation last year due to COVID-19, there is a lot of anticipation around getting together – even in a virtual setting – to exchange ideas and explore what is new, even as elements of our world shift in response to the global pandemic.
I’m particularly interested in attending the conference sessions on Remote Inspections, Enforcement Initiatives, Developments and Priorities and the Lifecycle of a FINRA Investigation, along with other sessions in what proved to be an interesting line-up of panel sessions.
As I mentioned in my last blog post on FINRA Audit Preparation Changes in Light of COVID-19, the SEC expects compliance, despite uncertain times. The SEC will still expect companies to maintain compliance and to provide thoughtful explanations for the actions they undertake. COVID will not be seen as a general defense for conduct that the SEC views as violating the securities laws.
As so many businesses moved to work-from-home policies during the pandemic, remote work has restricted the traditional ability to maintain and collect company data. This includes increased use of ephemeral messaging and personal devices for communication, as well as the inability to image or take possession of employee devices, which complicates data maintenance and collection.
As these situations unfold, everyone is trying to sort out best practices, including compliance with the rules around the use of electronic storage media (ESM) and your Designated Third Party (D3P) provider.
With COVID-19, we all had to rethink how employees can best communicate and collaborate while working remotely. An article by Wilmer Cutler Pickering Hale and Dorr LLP discusses multiple modes of communication during quarantine and how many employees embraced communication platforms more rapidly than their employers, leaving behind corporate retention and privacy policies.
For example, one registered broker-dealer violated the record-keeping provisions of Section 17(a) of the Securities Exchange Act of 1934 (Exchange Act) and SEC Rule 17a-4(b)(4) because certain employees had used text messages for business purposes and failed to preserve the messages. To compound the problem, certain senior management and compliance personnel knew about the issue. After being alerted, the broker-dealer took remedial steps, but the SEC censured and fined the company.
In another example, FINRA sanctioned a broker-dealer employee who used WhatsApp Messenger to communicate with overseas customers on his personal phone and company computer. Although employees may seek out these unauthorized communication tools in a good-faith attempt to address real business needs, there can be serious implications. The article goes on to explain that although these new tools may deliver benefits in a remote working environment, companies should not underestimate the risks created by their unauthorized and unsupervised use. Unauthorized tools can limit a company’s ability to control data retention or adjust privacy settings.
To reduce a company’s risk, the law firm recommends a review of regulatory guidance and industry best practices to ensure compliance with applicable and current data retention policies. Different industries have different requirements. As an example, the firm notes that retention of broker-dealer books and records is governed by Exchange Act Section 17(a)(1), SEC Rules 17a-3 and 17a-4, and FINRA Rule 4511; for investment advisors, Rule 204-2 of the Investment Company Act of 1940 controls.
This year’s SEC Division of Examination Priorities Report echoes some of these same issues. The report acknowledges that market participants had to adapt to significant remote work and faced some challenges in doing so. The increase in remote operations in response to the pandemic has heightened concerns about endpoint security, data loss, remote access, use of third-party communication systems, and vendor management.
The report states, “EXAMS will also focus on controls surrounding online and mobile application access to investor account information, the controls surrounding the electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers, and firms’ policies and procedures to protect investor records and information.”
In conclusion, this year’s FINRA Annual Conference will be an excellent opportunity to gain guidance from the experts and engage in discussions around compliance issues. Please plan to visit the Iron Mountain virtual booth at the conference on May 18-20. I’ll be there, along with my colleagues, and look forward to the chance to catch up and help you make sure you’re fully in compliance with SEC Rule 17a-4.