NSCP Annual Meeting – Electronic Communications

Presented By: Sarah Goodwin

 

Regulatory Compliance was well represented at the recent 2009 National Society of Compliance Professionals (NSCP) Annual Conference in Philadelphia. The event was jam-packed with seminars and round-table discussions regarding best practices for all areas of compliance. Renee Hall, Beverly Fetcko, Rich Horgan, Karen Hagan and I attended almost all of the seminars and are happy to be able to share information with you. 

The most interesting seminar I attended was a popular session on electronic communications. Panelists discussed best practices for social networking sites such as Facebook, Twitter, and LinkedIn. Firms should specifically state in their supervisory procedures whether registered reps can have a personal page on these social networking sites. After stating whether it is permitted or prohibited, firms should clearly and specifically state what registered reps are allowed or not allowed to say on their pages. For example, are they allowed to list the name of their company? Are they allowed to just list that they are a registered rep? It was recommended that reps sign an attestation that they have read and understand the policies. Some compliance officers said they consider tweeting on Twitter to be advertising and sales literature. Another question was whether firms permit or prohibit these sites for just registered reps or whether they also include non-registered personnel (including back office, lawyers, IT, etc.) in company policies. If allowed, can they access the sites from their work computer or only from home?

These social networking sites, in my opinion, do create exposure for companies and individuals. They can be considered either advertisements or sales literature, depending on the access the representative allows to others. Once information is posted, it is no longer private. If you can’t control the use of the sites, free programs are available to block social networking sites on your internal IT systems. The site www.OpenDNS.com was recommended by one CCO; however, he said he cannot block the registered reps’ use from home, but can only log in to view or monitor (if approved by the rep as a “friend”). Member firms should make certain their policies and procedures are updated in this area and that they address supervision and record retention.

A new software program called Vanish, developed by computer scientists at the University of Washington, uses a key-based encryption system to make data “self-destruct” and become permanently unreadable. The program works with personal email as well as the social networking sites. If your firm allows employees to use these sites, you must take reasonable steps to make certain employees do not utilize this technology to destroy any information that is required to be retained under Rule 17a-4(b)(4).

In addition to all the hype over social networking, a question was posed about smart phones (BlackBerries, iPhones, etc.) and whether these are secure for work use. Firms should develop procedures relative to these devices and need to continue considering storage and supervisory responsibilities and regulations.

Privacy and security procedures for this type of communication device should also be considered. What procedures does your firm have in place if a phone is lost? Is there any non-public information on the phone in an email that could be accessed if the device was lost or stolen? Again, if the firm does not have the ability to monitor or retain communications, access to those communication features should be blocked or disabled.

FINRA does take the position that blogs and bulletin board posts are advertisements. As such, firms must have procedures to address the approval and retention of postings.   

All information considered to be advertising, sales literature or correspondence must be retained for three years, and reps who are dually registered with a broker-dealer and an RIA must follow the longer retention requirements of five years under Rule 204-2(a)(7) under the Investment Advisers Act of 1940.

Overall, the keys to being compliant in the current electronic environment and to staying ahead of changing technologies are to have robust policies and procedures regarding such communication methods, to ensure that your reps comprehend and attest to their compliance with these procedures, and to have tools available to retain and supervise all communications.

For more information on this or other sessions attended by our staff, please contact Beverly Fetcko at 603-434-3594 ext. 124.

 


 

Copyright ©2009 - Regulatory Compliance, LLC. All Rights reserved