The Next Generation of Supervision for FINRA Rule 3120: Leveraging Microsoft’s Office 365 Security & Compliance


FINRA Rule 3120 outlines the requirement for broker/dealers to, ‘establish, maintain and enforce a system of supervisory control policies and procedures that (1) test and verify that the firm’s supervisory procedures are reasonably designed with respect to the firm’s and its associated persons’ activities to achieve compliance with applicable securities laws and regulations and FINRA rules, and (2) where necessary, create additional or amended supervisory procedures.’

A large financial institution needs to develop policies and procedures for Rule 3120 compliance, but it must also incorporate appropriate policies regarding conduct (e.g. rules regarding profanity), intellectual property (e.g. proprietary software code and algorithms), material non-public information ("MNPI") (e.g. M&A discussions, financial reports) and, lastly, financial and personally identifiable information ("PII") (e.g. credit card or Social Security numbers).

The majority of second generation supervision systems remain based on post-review, with heavy dependence upon lists of words and phrases.  The recent release of Goldman Sachs' supervisory words/phrases is an example of this type of system.  Goldman has since upgraded its supervisory policies; nevertheless, this remains the general state of Rule 3120 supervision.

1st and 2nd Generation Supervision

The first generation of supervision monitored email on a real-time basis.  This method broke down for two reasons.  First, many time-sensitive messages (e.g. M&A proposals and trading bids/offers) were stuck in compliance review and not delivered in a timely manner.  Second, new platforms emerged (e.g. Bloomberg, Blackberry SMS, AIM), which meant that many messages bypassed the real-time monitoring systems altogether.

The second generation of supervision was built as a component of the institutional archival system.  Systems like Enterprise Vault's Compliance Accelerator, Global Relay, Smarsh, Autonomy and others enabled post-review of many different types of messaging but did not allow for real-time monitoring of language, MNPI, PII and software code.  So a compliance officer conducting a post-review could catch the programmer sending out software IP, but by then the disclosure damage has already been done.

3rd Generation Supervision

Third generation supervision systems are now emerging and may best be represented by Microsoft's Office 365.  Office 365's new Security & Compliance Center encompasses three types of supervision:

  1. Data Loss Prevention
  2. Word, Phrase and Random Monitoring
  3. Deep Analytics, which can distill millions of messages into patterns and give compliance and legal the tools to interpret those patterns.

For most institutions, real-time monitoring of communications requires using Microsoft's Exchange Content Filter Agent, which runs on Edge Transport servers.  The IT messaging team must then construct an Exchange Management Shell command such as:  Add-ContentFilterPhrase -Influence BadWord -Phrase "stock tip".  These commands can only be run by members of the IT team, are difficult to construct, and represent a crude supervisory tool, as the released Goldman phrases indicate.

However, in Office 365, Microsoft provides the compliance department with Security & Compliance Center tools to construct a rich set of words and phrases for monitoring communications.  If a word or phrase is encountered, the compliance team can choose to bounce the message back to the sender with an error message, deliver the message and copy it to the compliance department, or send it only to the compliance department.  The latter would be appropriate if a programmer were sending out computer code or an investment banker were sending out information on a stock in the firm's restricted list.
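The three dispositions described above (bounce, deliver-and-copy, redirect to compliance only), expressed as Exchange Online mail flow rules.  This is an added example, not configuration from the original post, from 17a-4 or from Microsoft; the rule names, the compliance mailbox address and the watched phrases are constructed placeholders, and it assumes an existing Connect-ExchangeOnline session with rights to create transport rules.

```powershell
# Added example: three mail flow rules mirroring the dispositions in the text.
# All names, addresses and phrases below are constructed placeholders.

$compliance        = 'compliance-review@example.com'       # constructed mailbox
$restrictedPhrases = @('ACME Corp', 'ACME tender offer')    # constructed restricted-list names
$codeMarkers       = @('import numpy', 'def main(', 'SELECT * FROM')  # crude source-code markers
$conductTerms      = @('constructed-profanity')             # stand-in for the firm's conduct list

# 1. Bounce: reject outbound mail that names a restricted-list issuer, with a reason the sender sees.
New-TransportRule -Name '3120-RestrictedList-Reject' `
    -SubjectOrBodyContainsWords $restrictedPhrases `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'Blocked: references a name on the firm restricted list. Contact Compliance.' `
    -Mode Audit

# 2. Deliver and copy: the message goes through, and Compliance receives a blind copy.
New-TransportRule -Name '3120-Conduct-Copy' `
    -SubjectOrBodyContainsWords $conductTerms `
    -BlindCopyTo $compliance `
    -Mode Audit

# 3. Redirect: outbound mail that looks like source code is not delivered; only Compliance gets it.
New-TransportRule -Name '3120-SourceCode-Redirect' `
    -SubjectOrBodyContainsWords $codeMarkers `
    -SentToScope NotInOrganization `
    -RedirectMessageTo $compliance `
    -Mode Audit

# Review what was created: State shows Enabled/Disabled, Mode shows Audit vs Enforce.
Get-TransportRule | Where-Object { $_.Name -like '3120-*' } |
    Format-Table Name, State, Mode, Priority
```

The rules are created in Audit mode so their hits can be reviewed in message trace and rule reports before switching them to Enforce, which avoids the first-generation problem of time-sensitive mail being held by an over-broad phrase list.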

The last offering is a rich analytical tool, Microsoft's Advanced eDiscovery (incorporating Equivio), which allows all messaging to be analyzed and patterns interpreted.  It analyzes data by applying text analytics, machine learning, and Relevance/predictive coding capabilities.  This can help an organization quickly process thousands of email messages, documents, and other kinds of data to find those items that are most likely relevant to a specific case.  The reduced data set can then be exported out of Office 365 for further review.  For instance, if financials are released on the first day of the month, does anyone always send an email to the same person the day before?  Even though these messages may not seem to contain sensitive information, they may be coded between the sender and recipient.  This analysis would encompass all types of messaging, including email, Bloomberg, texting and even social media.

Preparing for 3rd generation supervision

17a-4 works with clients to prepare policies and procedures for the new generation of real-time and post-review engagements, typically starting with the tables below, which list the types of information the institution needs to monitor.

Pre-Reviewed/Monitored by Data Loss Prevention (DLP) System
  - Material non-public information ("MNPI") content such as M&A transactions and research reports
  - Confidential internal financial or HR information
  - Password-protected or encrypted communications violating internal messaging policies
  - Inappropriate language or terms
  - Software code or other proprietary IP


Post-Reviewed by Archival Supervision Reports
  - Email words and phrases which may represent customer complaints or account information
  - Industry messaging platforms (Bloomberg, Reuters, Symphony)
  - Internal instant messaging and chat systems (Skype, Cisco Jabber, HipChat)
  - Presentations or on-line meetings hosted by brokers or investment bankers


Advanced Analyses by eDiscovery / Equivio
  - Patterns between groups such as traders and investment banking that reveal how many emails were sent between these groups, who was included and why.  For instance, why was a trader sending messages regarding enoxaparin to a contact at the Food and Drug Administration, as recently occurred at Visium?
  - Emails which may contain content from confidential documents such as financial statements or client lists.  Confidential documents would be tagged and other messaging compared against them.
  - Patterns wherein traders communicate using two systems, which makes reconstructing threads more difficult.  For instance, an email thread stops and is continued on a Bloomberg chat, which may circumvent DLP policies.


The primary value of this third generation supervision system is that all the compliance platforms are integrated.  Rather than communicate one policy (“DLP”) to IT to build a script and another (messaging analytics) to export to a third party, all may be created and managed within a single set of administrative compliance controls.

As these systems emerge, financial institutions have begun developing more complex Rule 3120 policies and procedures in parallel.  Using the Office 365 Security & Compliance Center, or another system integrating DLP, word/phrase monitoring and deep analytics, financial institutions can confidently represent to senior management not only effective supervisory procedures and training initiatives, but also recommended changes that demonstrate proactive compliance monitoring of risk in business areas such as trading, investment banking, anti-fraud and non-compliant sales practices, and anti-money laundering.

Reviewing and adopting these policies and systems conforms with FINRA's continued emphasis on creating a 'culture of compliance', and combining all three types of supervision builds the 'policies and procedures activities to achieve compliance with applicable securities laws and regulations and FINRA rules'.


