The Financial Industry Regulatory Authority (FINRA) recently fined five units of ING Groep NV a total of $1.2 million for failing to retain or review millions of emails. The penalties highlight the importance of email retention policies and procedures, particularly for regulated companies.
According to FINRA, the firms failed to properly configure hundreds of employee email accounts to ensure that messages were retained and reviewed. In addition, four of the subsidiaries did not have systems in place to retain certain types of emails, including emails sent to distribution lists, emails received as blind carbon copies, and "cloud" email (emails sent through third-party systems). Because the emails were not retained, they were not subject to supervisory review.
In addition to retention violations, FINRA also found that four of the firms failed to review millions of emails that the firms' email review software had flagged for supervisory review. Overall, supervisory principals did not evaluate nearly six million emails flagged for review because the email review software was not properly configured.
As this case makes clear, New York and New Jersey firms regulated by FINRA must follow strict guidelines for email archiving. In fact, in announcing the fines, Brad Bennett, executive vice president and chief of enforcement, made it clear that “email retention and review continues to be an important regulatory responsibility and an issue of concern for FINRA.”
Under FINRA’s Books & Records Rule (3110), member firms are required to make and preserve accounts, records, memoranda, books and correspondence in conformity with all applicable regulations, statements, and rules under SEC 17a-3 under the Securities Exchange Act of 1934. In addition, record retention procedures must comply with SEC Rule 17a-4. Overall, keeping detailed records allows firms to clearly demonstrate that they have fulfilled both their investor and regulatory obligations.