Off-channel communications - sometimes referred to as off-platform communications - are when members of an organization bound by FINRA and the SEC use an un-approved form of communication to discuss business, and is typically done through text messaging or online messaging services.

‍

These include text messages, social media, and internet-based messaging platforms such as WhatsApp or WeChat, and it includes anything that is considered ‘business communications.’ The rules set by regulatory bodies regarding off-platform communications are in place to prevent fraud and malicious behavior, and are enforced vigilantly.

In September 2022, the SEC charged 16 Wall Street firms with recordkeeping failures that ran each organization from $50-125 million each, totaling fines of $1.1 billion. The fines occurred because from January 2018 to September 2021, the firms’ employees routinely communicated about business matters by texting with their personal phones.

‍

It is a violation of SEC Rule 17(a), SEC Rule 204-2, FINRA Rule 4511, FINRA Rule 3110, and FINRA Rule 2010 to not be able to produce business-related text messages. In the UK, the Financial Conduct Authority (FCA) also upholds these standards.

‍

Individual fines (of a broker for example) in the tens of thousands, organizational fines in the hundreds of millions, and suspension of FINRA membership are among some of the penalties for violating these rules. Financial institutions and online marketplaces that are responsible for keeping these records need to do their part to ensure they don’t fall subject to fines. For many companies, this type of failure can not only lead to fines, but can also cause reputational damage to the organizations.

‍

Off-platform communications pose a significant threat to an organization looking to avoid fines or violate FINRA & SEC rules. There are a lot of essential factors to consider:

‍

• It does not matter if the communications contain any fraud or wrongdoing - Using unapproved platforms for communications is the wrongdoing.
• This is always an internal problem - The organization must set the guidelines and take reasonable steps to enforce them. This is not some difficult-to-detect external threat. It is simply internal prevention and enforcement.
• It’s not enough to set the guidelines - The organization must also demonstrate they continuously reminded employees of this policy, and that reviewing communications was part of supervision.
• Companies must have adequate records of all business communications - If employees are using personal devices that are not monitored by the company, the SEC does not consider this adequate.
• If already fined, you must still act - After a fine, a company must still implement improvements to compliance policies to ensure they meet the requirements of these rules.

‍

The SEC warned immediately after this large-scale investigation that they were just getting started, and that investigations will continue, and fines will increase. On the subject, SEC Chair Gary Gensler stated:

‍

“Make no mistake: If a company or executive misstates or omits information material to securities investors, whether in an earnings call, on social media, or in a press release, we will pursue them for violating the securities laws.”

To those responsible in any way for compliance at an eCommerce marketplace or financial organization, preventing and enforcing these rules is critical to avoiding fines. There are clear best practices that can be followed to avoid the mistakes made by the organizations already fined, and who now have updated their compliance policies to reflect these guidelines:

‍

‍

1. Establish an off-channel communication policy

This might seem simple, but a prohibitory policy on off-channel communication is not nearly enough. This policy must be in place, all employees at all levels must be aware of it, it must take reasonable steps to prevent off-platform communication, it must actually collect data from employees, it must be easily enforceable, and it must be enforced - regularly.

‍

Begin by considering every step below, and incorporating how each aspect is reflected in your policy.

‍

‍

2. Incorporate data collection technology

To not be in violation, you must actually have surveillance protocols in place that can identify off-channel communications about business activities. You must collect data from employees’ personal devices, and retain that information over time to prove that it was done in case of an investigation.

‍

That information also must be reviewed regularly, and communicated to the proper channels, which ideally would be a communications supervisor.

‍

‍

3. Designate a communications supervisor

The amount of vigilance required to follow SEC & FINRA rules necessitates a designated supervisor who can review text messages or other off-platform messages. This person must be responsible for actually reviewing the employee surveillance, managing access to proper communication for employees, and escalating issues.

‍

If the firm does nothing to preserve or review the off-platform messages collected, they are failing to reasonably supervise them.

‍

‍

4. Establish the supervisory process

With a designated supervisor, you must have clear-cut guidelines for the supervisor to follow and enforce. All of the following aspects should be reflected in the supervisor’s process:

‍

• How does the supervisor conduct a review? - Literally ‘how’ do they access messages, where do they get them, how do they read them? It should not be difficult for the supervisor to access all information required easily.
• How frequently are reviews done? - The supervisor should conduct at least weekly but ideally daily reviews of employee communications.
• What actions are taken? - What does the supervisor physically do? Are they reading messages off of a screen? How many messages should be reviewed in a session? How are they noting violations of the policy? Where does all of this take place - in an office or remotely?
• When is something escalated? - When is something considered a violation? Where do these escalations take place? Who decides when further action must be taken? Where does the supervisor’s authority end and higher management or executives take over?
• How is every aspect of this documented by the supervisor? - Where do they keep notes? Who reviews those notes? How is proof of the investigation and escalation process going to be made available to FINRA or the SEC if needed?

‍

‍

5. Provide employee training

Employees must be provided with training on proper communication techniques that follow your policy, as well as easy access to approved channels of communication, and the ability to complete their work within those channels. It should not be necessary in the first place for employees to text each other on their personal devices.

‍

Senior team members and managers must send clear messages about which channels are authorized and which aren’t, and they must do this regularly. All new employees must be aware of it during onboarding, and all changes should be explained and incorporated into the continued training of employees.

‍

‍

6. Establish consequences for violators

Employees must be penalized for using off-channel communications, and not lightly. Just because this occurred and the firm noticed it rather than the SEC, this is still a violation, so the consequences should be appropriate given the violation.

‍

You must also establish a system where other employees who are aware of off-channel communications must report them, or otherwise be considered complacent and equally penalized. If employees are aware this is occurring yet not doing it themselves, this is a violation and a clear indicator to the SEC of willful wrongdoing - regardless of who the employee is that is aware (i.e. even if this is just another broker rather than a senior manager).

‍

‍

7. Iterate your policy and incorporate new regulatory changes

Make sure the process of how the policy is updated to reflect new regulatory changes is also clear. Conduct frequent risk assessments of the policy and adjust practices accordingly and promptly, because an airtight policy that covers everything except the most recent regulatory change is not an airtight policy.

‍

Ensure these changes are communicated to everyone down the line - from new employees to existing ones to your communications supervisor to senior management to executives.

‍

‍

‍

Build a Proactive Compliance Program with Unit21

A proactive compliance program is the key to preventing off-platform communications, as well as the hundreds of other potential violations of SEC & FINRA rules. AML regulations and other consumer protection laws require many additional best practices.

‍

While commonly associated with financial institutions, many eCommerce marketplaces are also bound by the same rules. It’s essential that business communications are kept on record; to make that happen, all communication needs to be conducted through the proper channels.

‍

Unit21’s all-in-one solution optimizes all aspects of fraud and anti-money laundering compliance, including automatic SAR filing through an efficient Case Management system.

‍

‍Schedule a demo of Unit21 today to see how it could help enhance your compliance program.