The Financial Industry Regulatory Authority (FINRA) recently published its annual regulatory oversight report for 2024. The report is intended to provide firms with key insights and observations from the regulator's recent operations, with the aim of improving transparency and strengthening compliance programs for businesses in the finance sector.
Alongside current focuses on the use of artificial intelligence and the changing state of cyber security, data retention requirements continue to evolve with modern technology. Below, we look at the main points on data retention.
Off-channel communications
The report indicates that FINRA uses a risk-based approach to review how firms manage business-related communications. It acknowledges that with off-channel platforms and devices, there is clearly a much greater risk of data not being retained. Reference is made to SEC fines administered across the industry from 2021 to 2023, in cases where the data was not retained.
While off-channel communications can occur in any medium that is not approved for business use (e.g. email and instant messaging platforms), mobile correspondence undoubtedly accounts for a significant portion, largely due to ease of use, its immediacy and availability outside working hours.
In the report, firms are asked whether their electronic communications policy includes…
- Procedures to store and monitor all business-related correspondence from staff, including correspondence sent via off-channel methods.
- Processes to monitor for new channels available to customers.
Rather than simply expecting employees to follow protocol, the oversight element is now more pronounced: compliance teams are expected to do detective work to understand the landscape and ensure employee behavior is up to standard. FINRA directly recommends that firms supervise…
- Whether approved channels are going unused, which would indicate that alternatives are being used.
- Their approved channels, for “indications of communications occurring outside the channel”, i.e. references to other conversations in unsanctioned domains.
The last point can come in the form of email chains that copy an email address from an off-channel domain, or suggestions that recipients should interact elsewhere, away from screening.
Firms are also asked to consider what remedial/disciplinary measures are in place for advisors who commit fraud and violate policies. Traditionally, companies have paid the price for employee misconduct, and FINRA is encouraging the creation of preventative measures for individuals.
Communications with the public
Like the SEC's marketing rule, FINRA Rule 2210 (Communications with the Public) includes electronic communications, so websites and social media channels are held to the same standard as printed brochures, TV commercials and indeed emails.
FINRA reminds firms of their obligation to present accurate, balanced, and non-misleading information; sharing the risks associated with a product/service alongside its benefits, for example. This is closely related to developments around the use of AI for content creation purposes.
Artificial intelligence
FINRA explicitly classifies AI as an “emerging risk,” recommending that firms consider its pervasive impact and the regulatory ramifications of its deployment.
When you break down ways in which marketers can use ChatGPT, for example, it becomes clear how effective the tool has become. Not only can it design social media posts and website copy, but it can also optimize them based on SEO, trending keywords, or other relevant metrics. This saves marketers a tremendous amount of work and will tempt stretched workforces in need of a lifeline.
Unfortunately, those teams may not be equipped to fully control the output generated, which is particularly problematic in the context of chatbot “hallucinations”. Without the right controls and changes, the brand's tone of voice and clarity of messaging can be compromised. More worrying is the question of its factual legitimacy.
The SEC has already made clear that advisors themselves are liable when issues arise as AI tools are used for investment recommendations. FINRA shares many of the same uncertainties. In a podcast breaking down the 2024 report, Ornella Bergeron, FINRA's senior vice president for member oversight, said that despite the operational efficiencies offered by developments in AI, there are concerns.
“While these tools may present very promising opportunities, their development has raised concerns about things like accuracy, privacy, bias and intellectual property.
“So far, firms are being very cautious and thoughtful when considering the use of AI tools and before deploying new technologies,” Bergeron said. “So while there wasn't much in the AI section by way of specific roles or observations for this year's report, it's likely a topic we'll be seeing a lot more of in the future.”
A shift in surveillance
Off-channel and public communications have been on the regulatory agenda for some time, and FINRA's 2024 report echoes these concerns.
By providing probing questions for firms to ask themselves, it will help highlight the gaps and blind spots that led to industry-wide recordkeeping deficiencies in the first place. And by outlining procedures to detect and root out the use of unauthorized channels, the regulator has shown a genuine desire to put an end to it, or for firms to find new ways to deal with the situation accordingly.
Communication archiving providers can now capture and log data across traditional off-channel platforms (WhatsApp, WeChat, Telegram). They are also increasingly being developed to address the surveillance part of the puzzle; applying lexicon policies to flag specific wording, for example. This would negate the need for unrealistic platform bans and ensure that illegal activity is quickly detected.
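The supervision of approved channels for “indications of communications occurring outside the channel” described earlier, and the lexicon policies mentioned above, can be sketched as a small review function. This is an added example, not code from FINRA or from any archiving product; the watchlist domain, the lexicon phrases and the sample emails are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption (constructed): personal-mail domains the firm treats as off-channel.
OFF_CHANNEL_DOMAINS = {"personal-mail.test"}
# Assumption (constructed): a tiny lexicon of wording that hints at a move off-channel.
LEXICON = {
    "names_offchannel_app": re.compile(r"\b(whatsapp|wechat|telegram)\b", re.I),
    "move_elsewhere": re.compile(
        r"\b(text|message|call|ping)\s+me\s+(on|at)\s+my\s+"
        r"(personal|private|cell|mobile)\b", re.I),
    "refers_to_other_thread": re.compile(
        r"\bas\s+(we\s+)?(discussed|agreed)\s+(on|over|via)\s+"
        r"(text|chat|whatsapp|wechat|telegram)\b", re.I),
}

def review_message(raw):
    """Return the sorted reasons an archived email should go to a reviewer."""
    msg = message_from_string(raw)
    reasons = set()
    # Indicator 1: an address on a watched personal-mail domain is copied in.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    for _name, addr in recipients:
        domain = addr.rpartition("@")[2].lower()
        if domain in OFF_CHANNEL_DOMAINS:
            reasons.add("cc_offchannel_domain:" + domain)
    # Indicator 2: the body refers to, or redirects to, another channel.
    body = msg.get_payload()
    for label, pattern in LEXICON.items():
        if pattern.search(body):
            reasons.add("lexicon:" + label)
    return sorted(reasons)

# Constructed sample messages (not real correspondence).
SAMPLE_REDIRECT = (
    "From: adviser@examplefirm.test\nTo: client@customer.test\n"
    "Cc: adviser.home@personal-mail.test\nSubject: Portfolio update\n\n"
    "Summary attached. Message me on my personal number for the rest.\n")
SAMPLE_REFERENCE = (
    "From: adviser@examplefirm.test\nTo: client@customer.test\n"
    "Subject: Follow-up\n\nAs discussed on WhatsApp, the order is placed.\n")
SAMPLE_CLEAN = (
    "From: adviser@examplefirm.test\nTo: client@customer.test\n"
    "Subject: Statement\n\nYour quarterly statement is attached.\n")

if __name__ == "__main__":
    for sample in (SAMPLE_REDIRECT, SAMPLE_REFERENCE, SAMPLE_CLEAN):
        print(review_message(sample))
```

A lexicon like this only routes messages to a human reviewer; phrasing varies widely, so the patterns need regular tuning against both false positives and misses.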
While much of the content of the report looks familiar, FINRA has also indicated that it is aware of new developments, particularly the potential havoc that artificial intelligence can bring to processes. In a world where algorithms may follow an instruction but state some fiction in the process, digital accountability is of paramount importance. FINRA, like most regulators, is treading carefully.
Harriet Christie is Chief Operating Officer at MirrorWeb