The fact that staff work from home poses problems for all businesses but it poses unique regulatory problems for broker-dealers whose associated persons conduct business from their homes.

Many companies that transitioned to a work-from-home environment in the early spring of 2019 may have reasonably anticipated a return to the normality of office operations by the end of the year. As the new year commences, however, remote work has become the new normal and firms can expect it to continue through the first quarter of the year, if not longer.

Broker-dealers must remain keenly attuned to the risks posed by work-from-home arrangements, including specifically the risk that registered representatives and other associated persons are going to use their personal devices or other unapproved and unmonitored channels to communicate with clients and conduct business.

Significant supervisory problems

The use of personal devices by associated persons to conduct business creates significant supervisory problems. Firms that have changed their processes and procedures this year to fit a remote work environment should have designed supervisory and surveillance systems to look for personal device use. They should also be dealing with personal device use in their policies and procedures and training people on the subject. Regulators are likely to look closely at the way in which firms stop their associated persons from using unapproved and unmonitored communication channels while working from home. Although broker-dealers may well have paid attention to this issue at the advent of this global pandemic, the onset of the New Year and the extended duration of work-from-home conditions warrant further thought.

In this article, we consider the challenges and risk that personal device use creates for firms’ supervisory structures. We outline the steps that they ought to take to offset the risk that associated persons are using personal devices to conduct business communications and we consider how FINRA might punish firms for supervisory gaps in this area in the coming year.

Always a concern, but now more than ever

The use of personal devices or other unmonitored communication channels to conduct business creates obvious supervisory problems for firms that have to obey FINRA Rule 3010 and recordkeeping problems for firms that have to obey Rule 4511. Firms have always had to have policies and procedures in place to ensure that their associated persons are not using unmonitored personal devices to conduct business. FINRA has long held that a broker-dealer’s obligations to conform to these rules depends on the content of the communication in question (that is, whether it pertains to the business of the firm) rather than the mode of communication (that is, whether the communication occurs through a firm-issued or personal device). Indeed, in a regulatory notice in 2011, FINRA noted that “new technologies” such as text messaging may “facilitate the ability of associated persons to perform their responsibilities” but that “a firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.”  (Reg Notice 11-39.)

Given FINRA’s long-standing guidance, nearly every firm’s policies and procedures probably either prohibit the use of personal devices for the conduct of business or provide strict parameters that ensure that the firm both supervises and retains business communications. However, today's remote work environment creates the terrible risk that associated persons, either intentionally or inadvertently, use personal devices for business communications. In the office, financial advisors face no obstacles to using their work phones and computers to call clients, answer emails and otherwise conduct business.  Working from home, however, causes the line between the personal and the professional to fade, if not disappear entirely. A financial advisor who already uses his or her personal cell phone may naturally be tempted to text a client or respond to a Facebook message rather than communicate through a channel that his or her firm monitors.

An associated person’s use of his or her personal device could fall into one of three categories:

• 'Innocent' use and momentary lapses. A financial advisor might text a client out of convenience or out of a desire to respond to his needs immediately, perhaps forgetting for a moment that he or she should not be using a personal device to conduct business. Similarly, a purely personal conversation with a client over a text may evolve into a discussion that could be construed as a business communication, even if the advisor does not expect or want that to happen.
• Conducting business in an unauthorised manner. A financial advisor may move past a momentary lapse in memory or judgment and begin actively conducting business through a personal device out of convenience. The financial advisor may believe it is “not a big deal” and that his or her communications, while conducted through unauthorised means, are not inappropriate.
• Intentional evasion of the firm's controls to hide misconduct. A financial advisor may intentionally use a personal device with the goal of stopping the firm from detecting his or her inappropriate business conduct. It is quite common for a financial advisor to try to settle a dispute with a customer without notifying the firm.

Firms must be aware of, and must supervise people for, each type of situation.  

A firm’s supervisory system for ensuring that associated persons use only firm-monitored communication channels may very well be “reasonable” in accordance with FINRA Rule 3010 in an office. This very same system, however, may prove to be ineffective when advisors are working from home becauset there is a greater risk than ever that they will use personal devices to conduct their firms' business. Indeed, in August last year, the SEC’s Division of Examinations (formerly known as OCIE, the Office of Compliance Inspections and Examinations) issued a risk alert detailing compliance and supervisory risks to broker-dealers and investment advisors that the pandemic had created. The risk alert specifically noted that “firms may wish to modify their practices to address...communications or transactions occurring outside the firms’ systems due to personnel working from remote locations and using personal devices.”  (Risk Alert, Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisors, at 3 (Aug 12 2020)) This advice continues to merit attention as the work-from-home environment stretches into 2021.

Risk management

Given the increased risk that associated persons may use personal devices or other unmonitored communications channels during this time, firms should consider taking proactive steps to ensure their compliance and supervision systems adequately manage this risk.  To the extent firms took steps to address personal device use at the onset of the pandemic, firms should revisit and review their efforts to determine their effectiveness and whether additional measures should be taken. Firms should consider:

• reviewing and updating policies and procedures;
• conducting specific training or issuing targeted reminders or alerts;
• ensuring that their email surveillance lexicon is tailored to capture evidence of unsupervised communications;
• asking about personal device use during compliance reviews and branch exams; and
• considering the risk factors that lead to personal device use.

We shall explore each of these topics below.

How to review and update policies and procedures

Firms should review their policies and procedures and consider whether they require revision or updating in this environment. Policies and procedures should deal not only with text messaging but the use of messaging features in popular social media applications including Facebook, Instagram and SnapChat. To the extent that firms are allowing use of personal devices for communications of any kind, policies and procedures should explain the specific circumstances in which the firm allows such communications whether it conforms to its duty to supervise and keep records as it does so. FINRA has explained that “every firm that intends to communicate, or permit its associated persons to communicate, with regard to its business through a text messaging app or chat service must first ensure that it can retain records of those communications as required by SEA Rules 17a-3 and 17a-4 and FINRA Rule 4511.” (FINRA Reg. Notice 17-18 (emphasis added).)

Some firms might have changed their policies and procedures to accommodate the new work-from-home phenomenon. These firms should take the opportunity to review their policies and procedures to ensure that they contain updates. They should also note the prohibition against the use of unsupervised communications channels and the ways in which they supervise people to stop them.

Conduct training or otherwise specifically address personal device use

FINRA’s Regulatory Notice of 2011 explained “a firm’s policies and procedures must include training and education of its associated persons regarding the differences between business and non-business communications and the measures required to ensure that any business communication made by associated persons is retained, retrievable and supervised.”  (Reg. Notice 11-39 at 3.) Accordingly, firms should consider training (and sending alerts to) their associated persons about their policies that pertain to personal device use. The training should emphasise that social media and text messaging are not proper channels through which to communicate with clients regarding business matters. Indeed, evidence of specific training of (and communications that go to) associated persons serves as compelling evidence of the firm’s compliance efforts in the event of a FINRA examination.

Evidence of unmonitored communications

Firms would benefit from reassessing the 'lexicons' (words and phrases that betray bad behaviour) that they use when scanning the emails of their workforces. They should flag up phrases such as “I’ll text you” or references to “my gmail,” along with other common email addresses, for review. They should think of including “WhatsApp,” “WeChat,” “SnapChat” and other commonly used messaging and social media applications in their surveillance lexicons.

* Alex Madrid can be reached at amadrid@mcguirewoods.com; Emily Gordy at egordy@mcgirewoods.com; Cheryl Haas at chaas@mcguirewoods.com; and co-author Chelsey Dawson at cdawson@mcguirewoods.com