Supervision and Information Barriers – Revisiting FINRA 07-59
There are two major approaches to messaging supervision: real-time monitoring and comprehensive post-review. Real-time monitoring, also referred to as data loss prevention (DLP), is used to catch an individual communicating confidential or proprietary information to individuals outside of the organization. A real-time monitoring system actively inspects the content of all outgoing messages and stops a message if its content violates institutional policies. Such content might be information on a pending M&A transaction, intellectual property such as software source code or algorithmic trading formulas, or even just inappropriate language. There is a high cost to monitoring messaging this way, as it puts another component into the messaging data flow and may delay the delivery of messages.
When FINRA (then NYSE and NASD) first provided email supervision guidance, it was assumed by the industry that email content was required to be reviewed before the email could be delivered. This was based on a legacy understanding of the procedure for written correspondence that letters to customers had to be reviewed by the branch manager before being mailed. The Assentor system was widely used in financial institutions between 2002 and 2007 and was positioned between the email server and the customer to monitor the email output of brokers.
However, this process became very unpopular as it was not uncommon for investment bankers working on time-critical transactions to find that a term sheet had not reached the customer and was sitting in the Assentor review queue while a compliance officer was out to lunch. Many winning bids were lost due to compliance review delays.
Besieged by user complaints, compliance officers reviewed policies internally and with regulators and transitioned to a post-review supervision model in which case, emails were sent to customers and to the supervision system at the same time. The post-review model also proved far more effective as reviewers could create more appropriate lexicons and policies and review without the time pressure of real-time monitoring.
Today, virtually all of the major email supervision systems (Veritas Enterprise Vault, Smarsh, Global Relay, HP Autonomy and EMC’s SourceOne) support supervision on a post-review basis, as do the secondary messaging platforms used by institutions, including Bloomberg, Reuters and Symphony. In each case, the primary mechanism for supervision is to download daily messaging files and ingest them into the email supervision system. This allows compliance officers to monitor email and Bloomberg messages on a single system.
FINRA’s Guidance on Information Barriers
FINRA has issued a number of Regulatory Notices to provide industry guidance on supervision of messaging (see Supervision of Electronic Communications (Regulatory Notice 07-59), Social Media Web Sites (Regulatory Notice 10-06) and Consolidated Supervision Rules (Regulatory Notice 14-10)). FINRA has also extensively reviewed information barriers and conflicts of interest within member firms and provided guidance as to how to manage such conflicts (FINRA Rule 2241; Debt Research (Regulatory Notice 15-31)).
As there are many ways to communicate between departments (email, instant messaging, Bloomberg etc.), the concern for a compliance officer becomes: Can I consolidate the various communication systems into one supervisory system so that I can have insight into all communications in/ around the information barriers?
Leveraging the tools currently available in supervision systems, the compliance reviewer can see whether emails on any platform between research and trading, research and investment banking, or other departments communicate content that is Material Non-public Information (“MNPI”). For instance, Veritas’ Enterprise Vault supports the monitoring of communications, regardless of the platform used, between departments that are separated by an information barrier policy.
Supervising using Natural Language Processing
Though beyond the scope of this comment, Natural Language Processing (“NLP”) is becoming a technology that may now be deployed to analyze text, inflection and patterns within messaging threads and structures. Both Microsoft’s Equivio (Zoom) and IBM’s Watson are able to analyze the context of messages and provide a higher level of compliance and governance beyond keyword filtering. However, such analysis takes time and is not available for real-time communication. Once all messaging (email, instant messaging, texting and industry platforms such as Bloomberg) is run through an NLP engine, compliance teams will be able to ask questions such as:
- Does any research analyst contact anyone in trading on the days before research reports are released?
- Do any communications between investment banking and trading contain phrasing focusing on non-business matters? (A query such as this might find investment bankers who are sharing information in code. This occurred recently with the target companies being expressed as names of golf courses.)
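As an added illustration (not part of the original article and not the code of any supervision vendor named above), the first query can be expressed as a post-review check over messages consolidated from email, Bloomberg and chat into one record format. The department directory, handles, dates, barrier pairs and the three-day look-back window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed directory mapping each address or platform handle to a department.
# Assumption: the firm maintains such a mapping for every supervised platform.
DEPARTMENTS = {
    "a.lee@example-bd.com": "research",
    "a.lee": "research",               # Bloomberg handle for the same analyst
    "m.chen@example-bd.com": "trading",
    "MCHEN": "trading",                # internal chat handle for the same trader
    "r.gupta@example-bd.com": "investment_banking",
}

# Department pairs separated by an information barrier (assumed policy).
BARRIERS = {frozenset({"research", "trading"}),
            frozenset({"research", "investment_banking"})}

@dataclass
class Message:
    platform: str    # "email", "bloomberg" or "chat" after daily ingest
    sender: str
    recipient: str
    sent: date
    subject: str

def department(handle: str) -> str:
    return DEPARTMENTS.get(handle, "unknown")

def crosses_barrier(msg: Message, barriers) -> bool:
    """True if sender and recipient sit on opposite sides of a listed barrier."""
    return frozenset({department(msg.sender), department(msg.recipient)}) in barriers

def pre_release_contacts(messages, release_dates, barriers, window_days=3):
    """Return (message, release_date) pairs where a barrier-crossing message was
    sent within window_days before a research report release."""
    flagged = []
    for m in messages:
        if not crosses_barrier(m, barriers):
            continue
        for rd in release_dates:
            if 0 < (rd - m.sent).days <= window_days:
                flagged.append((m, rd))
                break
    return flagged

# Constructed sample: one day's ingest from three platforms, one report release date.
SAMPLE_MESSAGES = [
    Message("email", "a.lee@example-bd.com", "m.chen@example-bd.com", date(2016, 3, 7), "quick question"),
    Message("bloomberg", "a.lee", "MCHEN", date(2016, 3, 8), "lunch?"),
    Message("chat", "MCHEN", "r.gupta@example-bd.com", date(2016, 3, 8), "pricing"),
    Message("email", "a.lee@example-bd.com", "m.chen@example-bd.com", date(2016, 2, 20), "old thread"),
]
RELEASE_DATES = [date(2016, 3, 10)]
```

Only the two research-to-trading messages inside the window are returned; the trading-to-banking chat crosses no listed barrier and the February email is outside the window.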
Review MNPI and IP and Consolidate Supervisory Review
Just as email has moved from real-time to post-review, so has Bloomberg and Reuters messaging, and so should instant messaging. This allows compliance to have a single tool for the supervision of communications concerning MNPI, research, trading or M&A activities.
As FINRA’s Regulatory Notice 07-59 indicates:
In adopting such supervisory review procedures, existing interpretive material directs members to, among other things:
- Identify the types of correspondence that will be pre- or post-reviewed;
- Identify the organizational position(s) responsible for conducting reviews of the different types of correspondence;
- Monitor the implementation of, and compliance with, the member’s procedures for reviewing public correspondence;
- Periodically re-evaluate the effectiveness of the member’s procedures for reviewing public correspondence and consider any necessary revisions;
Though this guidance was issued in 2007 and certainly technology has significantly changed since then, it is still true and remains good guidance. Financial institutions should assess sources of IP and MNPI within the organization and whether real-time (pre-) or post-review is appropriate. Our position is that if the release of content will damage the institution (i.e. software source code, client or deal information), then a real-time or DLP policy is appropriate. If it is for compliance purposes or supervision, then the time allowed for review and tools to integrate all types of communication are best managed with post-review.
We have summed up in the table below the many types of content within a broker/dealer that should be pre- or post-reviewed as recommended by FINRA 07-59. Financial institutions will have other types of information content which should also be reviewed as part of the institutional annual compliance review (FINRA Rule 3130):
Post-Reviewed by Supervision
- Emails from email / Office 365 server
- Industry messaging platform (Bloomberg, Reuters, Symphony)
- Internal instant messaging and chat systems (Skype, Cisco Jabber, HipChat)
- Presentations or on-line meetings hosted by brokers, investment bankers etc.
Pre-Reviewed or Monitored by Data Loss Prevention (DLP) System
- MNPI content such as M&A transactions, research reports
- Password-protected or encrypted communications violating internal messaging policies
- Inappropriate language or terms
- Software code or other proprietary IP