Software Glitch Overwhelms Firm's Email Review

July 23, 2015

Embedded in the fabric of our laws is the old Latin maxim: Ubi Jus Ibi Remedium -- which means that for every wrong the law provides a remedy. That's a nice and very ambitious goal. The problem is, it's both unrealistic and misleading. In fact, the law does not have remedies for every wrong. Too often, what the law offers is an arbitrary system of fines and imprisonment that proves unsatisfactory to victims as well as perpetrators. In the realm of regulation, we frequently see gross acts of misconduct being sanctioned by slaps on the wrist; and, similarly, we often see so-called "speed traps," where minor miscues seem to be the excuse to impose fines for the apparent purpose of raising revenue. Ultimately, there is a sense that those with wealth and influence not only have an inordinate influence in the drafting of laws and regulations but also gain an unfair advantage when it comes to paying for their crimes and civil infractions.

In a recent regulatory case, we have the interesting situation of a large company engaging in what appears to have been a somewhat modest violation largely prompted by the conduct of a third-party provider. For veteran regulatory lawyer Bill Singer, the issue is not whether a wrong occurred -- he concedes as much; and it's not whether the firm should have been censured and fined -- he concedes that the modest sanctions are not excessive. What Singer asks, provocatively, is whether this penny-ante approach to regulating Wall Street is calculated to achieve any meaningful change or whether, inadvertently, it may be prompting even worse behavior.  The edgy aspect of today's blog is that it's not a small firm or individual registered person who is the respondent; to the contrary, it's a fairly substantial company. 

Case In Point

For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue John Hancock Funds, LLC submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of John Hancock Funds, LLC, Respondent (AWC  #22011025618702, July, 17, 2015).

Since 1991 John Hancock Funds ("JHF") has been a FINRA member firm and is wholly-owned by John Hancock Advisors, LLC. JHF employs about 360 registered person in 10 branch offices but does not have any retail customers. The AWC asserts that JHF had no prior relevant formal disciplinary history with the Securities and Exchange Commission, any state securities regulator or any self-regulatory organization.

No Retail Customers

Because JHF does not have retail customers, the AWC asserts that the bulk of the firm's electronic communications occur internally or with selling firms that market its affiliated mutual funds.

Email Supervision

From at least February 1, 2011, to April 30, 2013, JHF's written supervisory procedures ("WSPs") provided for the timely review of email, and particularly for those communications that were flagged for review based on a lexicon search and a random sampling.

2011 Service Provider

In February 2011, JHF began using a new outside service provider to review emails. Because of an error in the application of the new vendor' s lexicon searches, there was a significant increase in the number of emails flagged for supervisory review, which caused a backlog that the JHF failed to review for over a year.

Second-Level Review

Additionally, the AWC asserts that the WSPs required that emails that were escalated for second  level review would be reviewed by the Compliance Department each month, and that said reviews would be documented. From November 1, 2012 through January 31, 2013, JHF allegedly failed to document this second-level email review.


FINRA deemed JHF's failures to follow its WSPs regarding the review of electronic communications as constituting violations of NASD Conduct Rule 3010 and FINRA Rule 2010.In accordance with the terms of the AWC, FINRA imposed upon JHF a Censure and $15,000 fine.

Bill Singer's Comment

Although I fully understand FINRA's concerns about the need to review emails and follow WSPs, I am still ambivalent about the imposition of a fine and Censure in this case.

Does that fact tht JHF was not involved in retail give a FINRA member firm a free pass to engage in lax supervision? Absolutely not. Moreover, the regulatory concerns here are twofold: the one-year review backlog and the failed second-level review documentation. To that extent, I appreciate FINRA's desire to censure and fine.

On the other hand, let's take a look at what actually went down here, as explained in the relatively terse AWC:

JHF hired an outside service provider to set up a system to review and flag emails. As FINRA seems to acknowledge, that service provider had some sort of bug in its software and the lexicon searches went haywire, producing an excessive number of positive hits. The apparent byproduct of this glitch was to overwhelm JHF's resources and result in a one-year backlog of required review, and likely as a result of the domino effect, negatively impacted the second-level review process for a period of about three months.

Missing from the AWC is some meaningful explanation as to what JHF and its staff knew about the lexicon glitch, what (if anything) they could have done differently, and the nature of the timeline and process by which the member firm discovered the problem at its outside service provider. What is troubling me is that FINRA comes off as punishing the firm because of an unforeseen technical issue at the third-party provider.  Perhaps a more substantive presentation of the facts and dates may have buttressed the regulator's decision to impose sanctions and better explained what the member firm did wrong.

What the hell does the Censure and $15,000 fine actually accomplish here? As if, what? -- the $15,000 fine has any financial impact or even meaning to John Hancock? And if the sanction is little more than cosmetic, it runs two risks. First, you encourage bad actors to engage in misconduct because the regulatory consequences are trivial. Two, you promote a culture in which firms and their employees cover-up misconduct in order to avoid disclosure to their regulator, and, accordingly, you increase the risk that a minor problem will exponentially mushroom into a disaster. The goal is not "fear" of a regulator but "respect." In some circumstances, a regulator should raise the issues and lapses with the member firm and demand a written assurance of future compliance. Even FINRA has its so-called Letter of Caution. Solely based upon the minimal facts set forth in the AWC, it would appear that an LOC could have been appropriate in this case.
There are signs that the use of third-party service providers to maintain and monitor all sorts of electronic communications and data may not be working out as well as hoped. Perhaps we need more third-party providers in order to encourage more innovation and competition. On the other hand, if reliance upon outside vendors is proving dangerous and misplaced, perhaps FINRA needs to insist that the entire process remains in-house. Keep in mind that the lexicon issue in the JHF AWC is not new; we've recently seen this situation arise in another matter: "Failed Email Review Offers Example Of Hidden Compliance Costs" ( Blog, June 15, 2015). 

Moreover, FINRA is presently a defendant in a federal lawsuit involving allegations that a third-party service provider failed to properly retain and transmit emails, and that FINRA knew, or should have known, of this issue: