Do FINRA Rules Prohibit Financial Institutions from Issuing iPhones and iPads to Employees?

On December 2, 2015, there was a terrorist attack in San Bernardino, California where 14 people were killed and 22 people were seriously injured.  On December 3, 2015, the FBI opened a counter-terrorism investigation.  On December 6, 2015, President Barack Obama defined the shooting as an act of terrorism.

Fast forward to Tuesday February 16, 2016. A federal magistrate judge ordered Apple, Inc. to help the FBI hack into the gunman’s iPhone.  Specifically, the order asked Apple, Inc. to “provide reasonable technical assistance” to unlock the iPhone.  In the words of the Associated Press, this court order ordered Apple to “supply highly specialized software the FBI can load onto the phone to cripple a security encryption feature that erases data after too many unsuccessful unlocking attempts.”

Basically, such software would allow the FBI to “bruteforce” the iPhone by making thousands of successive password attempts.

In a letter to Apple’s consumers, CEO Tim Cook states that this is the equivalent to “building a backdoor” to the iPhone, which would “circumvent several important security features and install it on an iPhone recovered during the investigation.”  Tim Cook states that “in the wrong hands, this software–which does not exist today–would have the potential to unlock any iPhone in someone’s physical possession.”

Tim Cook’s letter states that Apple will fight this order.

As other commentators have pointed out, this could have direct consequences for the financial industry.

This iPhone wasn’t the gunman’s iPhone, but it was owned by the San Bernardino County Department of Public Health.  They issued it to their employee, the gunman for his use at work.  This means that the employee’s privacy rights are greater than the owners.

In December 2007, the Financial Industry Regulatory Authority (“FINRA”) issued Regulatory Notice 07-59 which states that, “FINRA expects a firm to have supervisory policies and procedures to monitor ALL electronic communications technology used by the firm and its associated persons to conduct the firm’s business.”

Notice 07-59 states, “To that end, a firm should consider, prior to implementing new or different methods of communication, the impact on the firm’s supervisory system, particularly any updates or changes to the firm’s supervisory policies and procedures that might be necessary.”

The Notice further clarifies in Endnote 1 that “electronic communications” “email” and “electronic correspondence” can include “forms of electronic communications such as instant messaging and text messaging.”

This FINRA Rule stems from Securities Exchange Act Rules 17a-3 and 17a-4, which basically sets forth record keeping requirements required of financial institutions, broker/dealers, and other exchange members.  These financial institutions are required to keep track of a dizzying array of items such as buy and sell orders, advertisements, sales literature, and other communications.

These rules are taken very seriously.  In fact, in February 2014, FINRA took disciplinary action against several firms and registered representatives for violating these recordkeeping rules.

One representative and firm was fined by FINRA because their representative was “utilizing text messaging and a personal email account to communicate with a customer and conduct securities business … his use of text messaging and the personal account … contravened his firm’s policies and caused the firm to violate its recordkeeping requirements.”

Many enterprise compliance departments need to establish internal policies and procedures that mitigate their risk as much as possible.  This being the case, many enterprise compliance departments are reactive and proactive.  Before Apple decided to fights this administrative order, there was no reason for a compliance department to rule out the use of iPhones related to these recordkeeping requirements.

However, if Apple wins, and the Administrative order is overturned, then a financial institution will basically not be in a position to override their employees’ personal security key on THE FINANCIAL INSTITUTION’S OWN CORPORATE ISSUED IPHONE.

Now that this information is out there and accessible, a compliance department will likely pull their firms’ contracts with Apple.  If they retain iPhones, and can’t get a text message off of a broker/dealer’s phone for some reason in court, the director of compliance is going to look like a fool.