COVID-19 and Working from Home: Enforcement Implications

COVID-19 is not just creating a health crisis around the world, it will also create a crisis for firms that get sanctioned for failing to properly consider prior disciplinary actions involving books and records, electronic communications and social media. Past is prologue – not just in the health care arena, but also in the securities industry.

Because of the COVID-19 pandemic, work environments have changed practically overnight for many firms, but FINRA’s regulations and enforcement actions relating to the supervision of these activities remain the same; firms should heed prior disciplinary actions and remain vigilant.

Past is Prologue^[1]

Focus on Overall Fines, Restitution and Disciplinary Actions

The fines reported by FINRA in 2019 decreased significantly to $44 million from $61 million in 2018, a 28 percent decrease. This continues the year-over-year trend of reductions in fines from the record-setting year in 2016, when FINRA ordered $174 million in fines. With the overall reduction in fines, the number of cases with very large fines also declined in 2019. FINRA assessed nine fines of $1 million or more (what we call “supersized” fines), totaling $27.9 million. In contrast, in 2018, FINRA assessed 13 “supersized” fines, totaling $47 million. Similarly, in 2019, FINRA assessed just one fine of $5 million or more (what we call a “yuuuge” fine). In contrast, in 2018, five cases resulted in “yuuuge” fines. Yet, the largest single fine in 2019 ($15 million) was $5 million more than the largest single fine in 2018.

In 2019, restitution ordered by FINRA decreased slightly. FINRA ordered restitution of approximately $24 million in 2019, a decrease of 8 percent from the $26 million in restitution ordered in 2018 and well below the record of $97 million ordered in 2015. As a result of these decreases in 2019, the total monetary sanctions ordered by FINRA (fines, restitution and disgorgement) were $70 million. The total sanctions ordered in recent years were significantly higher: $124 million in 2018, $150 million in 2017, $207 million in 2016 and $193 million in 2015. The number of cases reported by FINRA also decreased last year. FINRA reported 591 disciplinary actions in 2019, a decrease of 7 percent from the 638 disciplinary actions in 2018 and a decrease of 41 percent from the 1,007 cases FINRA reported in 2017. The percentage of cases against just firms (as opposed to cases against individuals or jointly against both firms and individuals) declined to 18 percent from 25 percent during 2018.

The number of individuals barred or suspended and firms expelled also decreased in 2019 compared with 2018. FINRA barred 198 individuals in 2019, a 6 percent decrease from the 211 reported in 2018. The number of firms expelled by FINRA decreased from four in 2018 to three in 2019. Finally, the number of individuals suspended decreased by 4 percent, from 254 in 2018 to 245 in 2019.

Last year, the number of fines, restitution and cases decreased from the previous year, appearing to indicate a kinder and gentler FINRA — at least temporarily. FINRA continued its focus on anti-money laundering in 2019 while also pursuing more “nuts and bolts” issues like suitability, misleading or inaccurate information and supervisory policies and procedures.

The chart below displays FINRA’s fines and the number of disciplinary actions during each of the past 10 years:

The chart below displays the restitution FINRA reported during each of the past 10 years:

Focus on Books and Records

Disciplinary actions against firms for recordkeeping violations have been declining recently, falling 33 percent in 2019 to just five cases, down from 16 cases in 2018. FINRA’s cases against individuals rose 6 percent in 2019 to 48 cases, down from 45 cases in 2018. The drop in violations against firms may have been due to a heightened focus on meeting new rules including General Data Protection Regulation (GDPR), Markets in Financial Instruments Directive II (MiFID II), California Consumer Privacy Act (CCPA) and others. Thus, while it appears that firms are becoming more proactive possibly due to heightened regulatory interest in this space, registered representatives continue to violate recordkeeping obligations, knowingly or unknowingly. Along with a drop in the number of cases, there was an even more significant reduction in the amount of fines, from $4.9 million in 2018 to $1.9 million in 2019. The chart below illustrates this decline and other statistics.

The largest recordkeeping fine in 2019 was a $700,000 fine against a firm, where the CCO was barred from association with any FINRA member in any principal or supervisory capacity and fined $100,000.[2] Among other things, FINRA found that the firm and the CCO failed to establish and maintain a reasonable supervisory system for the preparation of books and records. FINRA also found that the firm failed to establish and maintain a reasonable supervisory system for the review of electronic correspondence. The firm’s written supervisory procedures (WSPs) did not address how supervisors were to select electronic correspondence for review, how they were to review it, the frequency of such reviews and the manner in which to document reviews, nor did the firm maintain records of its supervisory review of electronic correspondence.

Focus on Electronic Communications

Cases relating to electronic communications also decreased in 2019. There were 24 cases (three against firms), down from 30 cases in 2018 (10 against firms). The number of fines was also down more than 50 percent to $1.47 million from $3.09 million in 2018. The chart below shows the complete details on electronic communications cases in 2018 and 2019.

The largest electronic communications case of 2019 resulted in a $32,500 fine.[3] The firm failed to establish, maintain and enforce a supervisory system, including WSPs reasonably designed to review email correspondence for indications of potential violations of federal securities laws or FINRA rules. The findings stated that the firm lacked any pertinent WSPs, and its methods for reviewing email messages were ineffective and unreasonable given its business, size, structure and customers. The firm’s WSPs did not include procedures describing how it would conduct its supervisory review of electronic communications sent or received by its registered individuals. In addition, the emails selected randomly by the firm’s email vendor did not constitute a reasonable amount of the firm’s overall electronic communications and the search terms that would flag an email for a principal review were not comprehensive enough to yield a meaningful sample of flagged communications.

Other notable 2019 cases involved representatives who were fined and suspended for using text messaging and personal email accounts to engage in business-related communications with customers, causing firms to fail to comply with their recordkeeping obligations. In one case, a representative was fined $20,000 for using instant messaging and text messaging in business-related communications with customers.[4]

Focus on Social Media

FINRA has not historically pursued social media cases aggressively. The numbers in 2019 were consistent with that. There were two social media cases in 2019, an increase from the one in 2018, but the fines in 2019 were down significantly, from $1.73 million in 2018 to $110,000. But after a year where FINRA filed no cases against any firms for social media violations, FINRA filed one case against a firm. The chart below illustrates the limited social media cases in 2018 and 2019.

The largest case of 2019 involving social media resulted in a $90,000 fine. The firm failed to establish, maintain and enforce a reasonable supervisory system, including WSPs, for the review of email and customer correspondence and the review of its registered representatives’ business-related websites and social media.[5] FINRA found that contrary to its WSPs, the firm failed to conduct a weekly review of representatives’ social media sites that the representatives disclosed to the firm 22 times out of a sample of 26 weeks reviewed.

The Future is Being Written Now: What Firms Can Do in 2020

In 2020, the COVID-19 virus remote workforce mandate has increased the need for communication and collaboration tools. The new dynamic will not change firms’ regulatory obligations. Indeed, firms will likely need to be more vigilant because the increasingly broad array of digital communications (i.e., texting, messaging, social media or collaboration applications) may cause them to struggle with their compliance obligations related to the review and retention of such communications.[6] In turn, the regulators will likely increase their focus on the expanded use of these communications. FINRA expects member firms to establish and maintain reasonable supervisory systems designed to supervise the activities of each associated person while working from an alternative or remote location during the pandemic.[7]

This regulatory regime means that firms need to capture, archive and supervise all written business communications. Retention of electronic communications includes email, text messages, instant messages, social media and collaboration tools. Now may be a good time to review policies and procedures to ensure they properly address the firm’s business activities and comply with the provisions of the recordkeeping and supervision rules.

Firms may need to review whether employees have the ability to communicate through non-firm email addresses or third-party communication systems, such as Bloomberg and Reuters. If a firm permits employees to communicate with customers (or even with other associated persons) through these means, it must supervise and retain those communications. Where firms elect to prohibit the use of these means, they often require their associated persons to certify that they are acting in accordance with such policies and procedures on an annual or more frequent basis. Many firms also block access to these email platforms through their networks. Thus, associated persons would be able to access the internet, but not the non-firm email functionality. Many firms using this blocking functionality periodically conduct tests to ensure that it is functioning as designed or intended. Firms should also consider how to demonstrate adherence to regulatory requirements during exams. Firms should also periodically test their systems as well as third-party systems to ensure that communications are being captured for review and retention. Firms cannot assume that representatives are not using their personal emails to communicate with clients.

Steep fines imposed in 2018 for violations made many firms stand up and take notice. The tone in 2020 has not changed for FINRA. The regulators will continue to sanction firms and registered representatives for failing to meet regulatory requirements. Given the new normal and the number of employees working remotely, we expect the regulators will take a hard look at firms and individuals who ignore the obvious rules and the lessons from the past. Therefore, fines and other disciplinary actions will likely be steeper when we see the 2020 results a year from now.

[1] This article contains a summary of the findings.  For a more complete analysis, as well as details about the source of the data, see https://www.law360.com/articles/1250683/finra-disciplinary-actions-underscore-aml-focus.

[2] AWC No. 2016048912703 (July 26, 2019).

[3] AWC No. 2014042949704 (Apr. 12, 2019).

[4] AWC No. 2014039169602 (Mar. 22, 2019).

[5] AWC No. 2015047824201 (July 3, 2019).

[6] See News Release, FINRA, FINRA Releases 2020 Risk Monitoring and Examination Priorities Letter (Jan. 9, 2020).

[7] See FINRA, Regulatory Notice 20-08 Pandemic – Related Business Continuity Planning, Guidance and Regulatory Relief (March 8, 2020) (Jan. 9, 2020).