Supervising Electronic Communications: An Evolutionary Lesson from the Financial Services Industry

March 4, 2008

Managing incoming, outgoing and internal electronic communications is an extreme challenge in today’s business world. Correspondence that at one time had been more easily monitored and controlled as written copy now takes the form of emails, instant messages, text messages, blog posts, podcasts, and numerous other, ever-evolving electronic formats. Many companies and industries developed policies for the review and supervision of electronic communication in the late 1990s and early 2000s to deal with the increasing use of email messaging. However, the ongoing explosion of innovation in methods of electronic communication, as well as the increased need to be prepared for electronic discovery demands in legal proceedings, now requires that such approaches and policies be revisited in the context of today’s technological landscape.

The financial services industry provides an example of how one industry is adapting its policies to address new technologies. In December 2007, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 07-59 to provide guidance to member organizations (i.e., financial services firms) regarding the review and supervision of electronic communications. FINRA is a self-regulatory organization formed in early 2007 as a result of the consolidation of the member firm regulatory functions of the National Association of Securities Dealers and NYSE Member Regulation. These predecessors to FINRA acknowledged nearly a decade ago that it was no longer feasible to require that all correspondence relating to the solicitation or execution of securities transactions be reviewed by an organization. Instead, member companies were permitted to design supervisory procedures for communication with the public that were appropriate to that company’s own business model and risk-based principles. FINRA continues to allow firms the flexibility to develop practices that are reasonable, taking into account the firm’s own particular business and risk circumstances, but the latest regulatory notice on the topic provides additional guidance in light of the growth of electronic communication.

FINRA’s guidance is designed to assist financial services firms in complying with applicable federal securities laws and other industry-specific rules and regulations, and therefore represents an extreme case, where monitoring of communications is mandatory. Nevertheless, even under those requirements, there is a recognition that one size does not fit all. Companies desiring to adopt a monitoring regime for their own reasons – perhaps due to high security concerns, or to respond to a theft of trade secrets or a privacy breach – could take lessons from the concepts proposed in the FINRA notice.

1. Written Policies and Procedures. FINRA advises that clear, written policies and procedures for the use and supervision of electronic communications should exist. The policies should address internal and external communications and should be updated to address new technologies as they evolve. Companies should provide their employees easy access to the policies and a clear list of permissible electronic communications mechanisms, including a clear statement of what mechanisms are not permitted in order to avoid ambiguity. The policies should explain the consequences of non-compliance and provide for training on a regular and as-needed basis.

2. Application of Reviews to Personal Communications. FINRA notes that many organizations may choose, based on their individual risk assessments, to simply block access to or prohibit use of certain means of electronic communication, including use of personal electronic devices for communications with the public for business purposes. However, if a firm permits use of a certain type of electronic communication for business purposes and intends to adopt monitoring, then its policies and procedures should address those communications. With respect to the use of personal devices, FINRA suggests requiring a pre-approval for the business-related use of any personal electronic device, and an annual re-certification of the business justification.

3. Method of Review. Any business that adopts an electronic communications review requirement needs a strategy for how it will carry out the review mandate. The methods chosen for review will again depend on the company’s purpose in desiring to monitor communications and its own business model and individual risk considerations. FINRA, which has compliance with securities laws and protection of consumers as its primary objectives, proposes that its members use a combination of lexicon-based reviews and random sampling reviews. Lexicon-based reviews flag certain correspondence if it contains sensitive words or phrases. Because lexicon-based systems are not 100% foolproof, FINRA proposes complementing them with a random-sampling-based review, which would randomly select a percentage of communications generated by a particular office or individual. All review systems should incorporate some kind of ongoing evaluation and adjustment process to ensure that the review continues to achieve the purposes for which it was instituted.

4. Administration of the Reviews. Any policy on reviewing electronic communications should address key administrative elements, including the frequency of reviews, designation of the individuals responsible for the process, and documentation that the reviews occurred. How frequently a company reviews its electronic communications and how long it takes to complete a review will depend largely on the type of business at issue and the circumstances relating to the review. FINRA suggests that the following factors be considered: the type of business conducted, the type of customers involved, the scope of the activities, the geographical location of the activities, the disciplinary record of the person(s) being reviewed, and the volume of the communications being reviewed.
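The combination described under Method of Review can be sketched as follows: every lexicon hit is queued, and a per-sender random sample is drawn from what the lexicon did not flag, with the reason recorded so the review can be documented. This is an added example, not code from FINRA or from this article; the lexicon, sampling rate, seed, message fields and function names are all assumptions.

```python
import hashlib
import math
import re

# Constructed lexicon, sampling rate and messages; all values are illustrative assumptions.
LEXICON = ["guaranteed return", "off the record"]
SAMPLE_RATE = 0.25
MESSAGES = [
    {"id": "m1", "sender": "alice", "body": "This fund has a guaranteed  return."},
    {"id": "m2", "sender": "alice", "body": "Lunch at noon?"},
    {"id": "m3", "sender": "alice", "body": "You cannot lose money on this one."},
    {"id": "m4", "sender": "alice", "body": "Quarterly statement attached."},
    {"id": "m5", "sender": "alice", "body": "See you Monday."},
    {"id": "m6", "sender": "bob", "body": "Let's keep this off-the-record."},
    {"id": "m7", "sender": "bob", "body": "Meeting moved to 3pm."},
]

def lexicon_hits(text, lexicon=LEXICON):
    """Lexicon phrases present in text, ignoring case and spacing/hyphen variants."""
    normalized = re.sub(r"[\s\-_]+", " ", text.lower())
    return [p for p in lexicon if re.search(r"\b" + re.escape(p) + r"\b", normalized)]

def sample_per_sender(messages, rate, seed):
    """Pick ceil(rate * n) messages per sender, at least one, in a seed-keyed order."""
    by_sender = {}
    for m in messages:
        by_sender.setdefault(m["sender"], []).append(m)
    picked = []
    for msgs in by_sender.values():
        quota = max(1, math.ceil(rate * len(msgs)))
        # Hash ranking makes the draw reproducible for the review record.
        rank = lambda m: hashlib.sha256(f"{seed}:{m['id']}".encode()).hexdigest()
        picked.extend(sorted(msgs, key=rank)[:quota])
    return picked

def build_review_queue(messages, rate=SAMPLE_RATE, seed="constructed-seed"):
    """Queue every lexicon hit, then a per-sender sample of what the lexicon missed."""
    queue, unflagged = [], []
    for m in messages:
        hits = lexicon_hits(m["body"])
        if hits:
            queue.append({"id": m["id"], "sender": m["sender"], "reason": "lexicon", "hits": hits})
        else:
            unflagged.append(m)
    for m in sample_per_sender(unflagged, rate, seed):
        queue.append({"id": m["id"], "sender": m["sender"], "reason": "random_sample", "hits": []})
    return queue

if __name__ == "__main__":
    for entry in build_review_queue(MESSAGES):
        print(entry)
```

Message m3 contains no lexicon phrase, so only the sampling pass can bring it in front of a reviewer; the one-message floor per sender keeps low-volume senders from dropping out of the sample entirely.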

Advising companies on best practices in connection with electronic communications policies and procedures is one of the areas supported by the McGuireWoods Technology Transactions Practice Group. This practice group is part of the firm’s integrated Technology & Business Department, which provides legal services for business transactions driven by technology. These service areas are led by Department Co-Chair Steve Gold. For further information about this or any related topics, please contact us.