FINRA Email AWC Raises Question About Regulatory Hypocrisy

January 29, 2016

A recent FINRA regulatory settlement seems to be on sound footing when it comes to citing a member firm for email violations. Then you re-read the fact pattern. And then you try and figure out not so much what the firm did wrong as what FINRA is suggesting it should have done right. And then your head aches. And then your head explodes.

Case In Point

For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, Coker & Palmer, Inc. submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of Coker & Palmer, Inc., Respondent (AWC 2013035330101, January 15, 2016).

Since 1991, Corker & Palmer has been a FINRA member firm engaging in a general securities business, which generates the largest percentage of revenue from private placement. The AWC asserts that CPI has 34 registered persons operating from  four branch offices.

Firm-Sponsored Email Address

The AWC asserts that from the relevant time of August 23, 2010, through October 1, 2012, CPI prohibited its associated person from using personal email addresses for any business-related communications. In furtherance of that policy, CPI provided its associated persons with a CPI-sponsored email address for use in business-related communications; and the firm's written supervisory procedures mandated that all business-related emails were to be run through that address. 

Notwithstanding CPI's email policies, the AWC alleges that during the relevant time, the firm permitted four associated persons to maintain and utilize outside email addresses for communications relating to their respective outside businesses, which included investment-advisory, real-estate, and insurance services. Although the firm permitted these four individuals to communicate away from the firm's email address, the AWC asserted that CPI allegedly lacked an effective system or procedure:

  • to ensure that the outside email addresses were not used for CPI-related communications; and
  • to preserve, maintain, or review any such communications through the outside email addresses.

During the relevant time, the AWC asserts that the cited outside email addresses were utilized for communications relating to CPI business, but CPI did not preserve, maintain, or timely review those communications.

Contingency Offerings

The AWC further alleges that from November 1, 2013, through October 31, 2014, CPI failed to establish, maintain, and enforce adequate written procedures relating to its participation in contingency offerings. Namely, the AWC alleges that the firm's contingency-offerings procedures did not address actions that were either required or prohibited in the event that a given contingency offering was subject to a modification of its terms. 

Private Placement Due Diligence

From November 1, 2013, through March 31, 2014, the AWC alleges that CPI failed to enforce its written procedures requiring the documentation of the specific details of due diligence conducted by the firm in connection with a private-placement offering. The AWC cites two private-placement offerings in which CPI participated as selling agent but the firm allegedly failed to fully document the details of its due diligence.

Accordingly, FINRA deemed CPI's conduct as related above, constituted violations for:

  • Email Deficiencies: SEC Rule 17a-4; NASD Conduct Rules 3010, subparts (a) and (d)(2) and 3110 (for conduct before December 5, 2011); and FINRA Rules 4511 (for conduct after December 4, 2011) and 2010.
  • Failed Supervision of Contingency Offerings and Private Placement Due DiligenceNASD Conduct Rule 3010, subparts (a) and (b)(1), and FINRA Rule 2010.

In accordance with the terms of the AWC, FINRA imposed upon CPI a Censure and $30,000 fine.

Bill Singer's Comment

As best I understand FINRA's email allegations, CPI implemented a policy that required all business-related communications to be run off of its sponsored email address. What prompted the charges of misconduct in this case was that CPI permitted at least four associated persons to engage in communications about their non-brokerage outside business activities (e.g., advisory, insurance, real estate) through personal email addresses. Having given its associates permission to use personal email addresses for communications that did not involve CPI's business, the firm came under FINRA's criticism for failing to ensure that, in fact, those associates were meticulous in not using their personal addresses to communicate about CPI-business-related matters. FINRA's rules, however, seem limited to the use of business-related communications and I am unaware of a blanket regulatory prohibition against anyone using a personal email address for solely personal communications -- if there were, no registered representative would be able to use a Gmail, Yahoo, or other personal email account; yes, there may be limits imposed upon the communications of associated persons with firm customers or restrictions on discussing market-related activity or bans on the use of unapproved devices during business hours, but that's a different proposition.

In terms of FINRA's jurisdiction, the term "business" is normally interpreted as being limited to the "business" of the member firm;  for example, a stockbroker at XYZ Broker Dealer communicates with an XYZ customer about a recommended stock purchase or about the balance in the account or about anything involving the business of or the business conducted through XYZ. In the preceding example, such communications should be conducted through an XYZ email address (or firm approved address), which should be monitored and archived by the firm's Compliance Department. 

Now, lets consider an XYZ stockbroker who also owns a local pizza shop and wants to communicate with a third-party about some business aspect of that food business. In the regulatory sense of things, the communications about the pizza shop are not "business-related" to XYZ's business or to the stock markets. Under normal circumstances, such a communication would not seem to fall under FINRA regulation or subject to XYZ's supervision (although prior written notice of the outside business activity should have  been provided to the member firm).

Essentially, this AWC sanctions CPI for allowing its associated persons the right to do what is not prohibited to them under the rules to begin with.  In a technical sense, the four associated persons didn't necessarily need CPI's permission to communicate off of the firm's email address when it came to non-firm-related matters. What then is the email issue in this AWC about? One might argue that the four associated persons abused the "waiver" given to them by CPI by, intentionally or inadvertently, using non-firm email addresses to communicate about firm-related business matters. If that's the case, then charge the individual associated persons but not the member firm. If nothing else, we come away from this AWC with this mind-blowing bit of circular regulatory logic:

CPI gave four associated persons the right to engage in conduct that was not otherwise prohibited. CPI admonished those associated persons to not engage in prohibited conduct. The individuals engaged in the prohibited conduct. FINRA charges CPI with not timely discovering that the individuals were doing what they were prohibited from doing. 

Why then, you may ask, do I criticize the email aspect of the AWC? I criticize FINRA here because I find the regulator's conduct to be unfair, not constructive, and more "gotcha" than meaningful regulation.  Think about it . . . just what is the better practice here that FINRA is advocating through this settlement?

Assuming that a FINRA member firm enforces the business-related communications policy, what legal right would such a firm have to demand access to an employee's personal emails? Sure, that could be a precondition of employment and/or you could certainly impose a policy prohibiting the business-day use of non-firm-related email address. If that's where FINRA was going with the CPI AWC, then it would have been helpful for the self-regulator to have taken the opportunity to make that ad hoc pronouncement: We think it a better compliance practice for our member firms to deny the use of any outside, non-firm-related email address by any associated person during that person's business hours. 

If a FINRA member firm were to implement such a Draconian policy, consider how that might impact that firm's ability to hire and retain staff.  How many men and women do you know who have a smartphone, tablet, or personal laptop and who use that to communicate daily with family, friends, and non-clients? Is it a practical restriction in the modern workplace to prohibit such communications during the workday?

It appears that this AWC is suggesting that CPI should not permit any associated person the right to engage in non-firm related communications via personal email addresses without also imposing a precondition that said persons provide a real-time link to the firm capable of allowing real-time monitoring of all communications so as to ensure that any business-related communication is overseen and archived. Again, I ask as an agent provocateur, is that a realistic approach in this day and age? Is this a policy consistently in place in most workplaces? If such a policy should properly be implemented on Wall Street, then are there not other sectors that should come under similar restrictions?

What troubles me about FINRA's position here is that it has a bit of hypocrisy to it. I have no issue whatsoever if the self-regulatory organization brought charges against the four individual associated person for engaging in business-related communications via personal email addresses. Where I am having a problem is in understanding CIP's misconduct: which may well be the byproduct of the limited explanation in the AWC of the email issues and a more extended presentation of the facts by the regulator might eliminate my objections. 

Finally, note that CPI's cited email misconduct occurred in 2010 to 2012, nearly four to six years ago. It's not as if FINRA discovered the member firm's alleged misconduct in a timely manner, right? In closing, let's re-visit my circular regulatory logic example above and see what you think of this example:

FINRA gives its member firms the right to engage in conduct that is not otherwise prohibited under its rules. FINRA admonishes its member firms to not engage in prohibited conduct. Some FINRA member firms engage in conduct prohibited under FINRA's rules. The Securities and Exchange Commission charges FINRA with not timely discovering that member firms were doing what they were prohibited from doing.