Financial industry giant Merrill Lynch has the funding and capability to use any technology platform on the market to manage their books and records. They should have the best technology and compliance processes money can buy, right?
Not so fast. The investment firm was recently censured and fined $1.2 million for failure to comply in two separate enforcement investigations. In addition, one broker was barred from supporting clients while another was suspended.
What could have gone wrong to create this costly situation, one that jeopardized both careers and reputation? The problems occurred partly because of the firm’s choice of record-keeping vendor.
FINRA noted that the vendor had either destroyed or deleted some of the firm’s communication records, putting the firm out of compliance and creating obstructions during FINRA’s investigation process.
What Happened with the Firm’s Data?
Merrill Lynch failed to provide documentation, including telephone records and customer notes, over the course of 2+ years, despite recurring requests for cooperation from the regulator.
The situation came to light after a customer complaint was filed regarding one of the brokers. When FINRA requested information to follow up on the claim, the firm was unable to comply because of multiple issues, including:
- Deleted phone records, based on a vendor’s policy to periodically delete information that was more than three years old
- Delayed request for telephone records, which meant that many of the phone records still within the vendor’s system were deleted before the request was made
- Missing meeting notes of conversations between brokers and customers
- Improperly saved email records that made it difficult to search for content
Initial requests for information were made in May 2018, and Merrill Lynch was unable to comply despite multiple follow-up requests over the course of two years.
What Rules Was Merrill Lynch Fined for Breaking?
The issues in this situation were multi-fold. The brokers in question were accused of making poor decisions, including “unauthorized and excessive trading, unsuitable recommendations, and other sales practice violations.” In addition, the firm was incapable of providing information to satisfy the regulator’s requests as they investigated the matter.
Specifically, FINRA referenced Rule 8210 (which requires cooperation with information requests in a timely manner) and Rule 2010 (which requires “high standards of commercial honor”).
Organizations can’t always control the choices made by the employees or advisers they hire. Someone who seems fully aboveboard may make poor decisions when not being closely monitored. However, organizations can be aware of what’s happening within their own walls, put institutional controls in place, and develop a culture of compliance.
And, particularly relevant to this story, firms can ensure they’re using technology that keeps them in compliance regarding their record-keeping. With the appropriate record-keeping and auditing systems in place, the firm would have had a better pulse on its brokers’ actions and the requisite tools to cooperate with the regulator’s requests.
What Should Other Firms Take Away From this Fine?
The biggest takeaway for most firms should be a thorough review of the processes and procedures of their compliance technology vendors. Many firms may think that as long as they have a “big-name” vendor on the job, they’re covered, and they don’t have to worry about keeping an eye on their compliance records themselves.
However, the only company that will be held accountable if records are missing, incomplete, or deleted is yours. Regulators focus on the responsibility of the firm they oversee, not of the vendors to whom they might outsource a portion of their compliance tracking or record-keeping.
Firms should take time to evaluate the technology they’ve put in place and to determine whether the vendor’s data retention guidelines align with the regulator’s requirements. (Not sure how to get that information? Download our guide with questions to ask your regtech provider.)
For example, firms should be aware of:
- Specific retention rules for different types of communication
- Hierarchical data regarding leadership involved in communication/review/approval
- Ownership of data submitted/managed within the system
- Accessibility of information and records
- Whether data is maintained for WORM compliance only or whether retention policies are fully in compliance with SEC Rule 17a-4
Firms need to ensure their information is easily accessible, not just by a technical team or a partner on the vendor side.
In Merrill Lynch’s case, they relied on the vendor to pull data and use relevant search terms. Firms shouldn’t have to rely on the best efforts of an outside party when hefty fines and potential censuring are in the balance. Instead, their technology choices should empower them to easily access their own data so they can provide the necessary information to their regulators.
For example, Red Oak’s data extraction API allows the firm’s staff to pull their own data packages when needed. They can easily access the necessary information (which has been stored in a 100% books and records compliant manner) and provide it to regulators in a timely fashion.
No firm wants to be fined for its business practices, yet it happens – to firms large and small. Ensure you have the appropriate regulatory compliance technology in place to support your firm’s efforts. By doing so, you’ll be able to mitigate many of the potential issues that might arise related to your firm’s record-keeping, audit trail, and retention processes.