On December 17, 2018, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a new National Exam Program Risk Alert reminding registered investment adviser (“RIA”) firms of their obligations related to the use of electronic messaging. According to the risk alert, the “OCIE conducted this initiative because it noticed an increasing use of various types of electronic messaging by adviser personnel for business-related communications.” The OCIE staff share their observations from these focused examinations with the goal of helping RIA firms improve their electronic messaging systems and their related policies and procedures.
While the ways investment advisers communicate with prospects and clients are rapidly expanding beyond e-mail to include social media, texting, and other mobile applications, the SEC OCIE staff reference a few key investment adviser regulations that remain relevant regardless of the type of electronic messaging being used:
- Advisers Act Rule 204-2 (the “Books and Records Rule”) “requires advisers to make and keep certain books and records relating to their investment advisory business.” In particular, Rule 204-2(a)(7) requires RIA firms to make and keep “[o]riginals of all written communications received and copies of all written communications sent by such investment adviser relating to (i) any recommendation made or proposed to be made and any advice given or proposed to be given, (ii) any receipt, disbursement or delivery of funds or securities, (iii) the placing or execution of any order to purchase or sell any security, or (iv) the performance or rate of return of any or all managed accounts or securities recommendations.”
- Advisers Act Rule 206(4)-7 (the “Compliance Rule”) “requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and rules thereunder.” Furthermore, the SEC OCIE staff notes, “the Compliance Rule also requires an adviser to review, no less frequently than annually, the adequacy of the adviser’s compliance policies and procedures and the effectiveness of their implementation.”
In addition, this recent risk alert highlights the growing use of personally owned mobile devices to communicate directly with prospects and clients, which can create compliance challenges.
In summary, SEC OCIE staff “observed and identified the below examples of practices that the staff believes may assist advisers in meeting their record retention obligations under the Books and Records Rule and their implementation and design of policies and procedures under the Compliance Rule:”
- Policies and Procedures
- Permitting only those forms of electronic communication for business purposes that the firm determines can be used in compliance with its books and records obligations.
- Prohibiting business use of apps that allow employees to “send messages or otherwise communicate anonymously,” that allow for automatic destruction of messages, or that prohibit third-party viewing or back-up.
- Requiring employees who receive a business communication through a prohibited form of communication to move it to “another electronic system that the adviser determines can be used in compliance with its books and records obligations.”
- If personally owned electronic devices are permitted for business purposes, implementing policies and procedures around their use.
- If personal social media, personal email, or personal websites are permitted for business purposes, implementing policies and procedures around their use.
- Adopting and implementing policies and procedures that inform staff of the disciplinary action that will be taken if the policies and procedures are violated.
- Employee Training and Attestations
- Training staff on all of the firm’s policies and procedures, including those covering electronic communication, and informing them of the consequences of violations.
- Requiring all personnel to attest, at the start of employment, to their understanding of the policies and procedures, and requiring regular attestations thereafter.
- Regularly reminding employees of what is “permitted and prohibited under the adviser’s policies and procedures with respect to electronic messaging.”
- Supervisory Review
- “For advisers that permit use of social media, personal email, or personal websites for business purposes, contracting with software vendors to (i) monitor the social media posts, emails, or websites, (ii) archive such business communications to ensure compliance with record retention rules, and (iii) ensure that they have the capability to identify any changes to content and compare postings to a lexicon of key words and phrases.”
- Conducting regular internet searches, or setting up automated alerts that trigger when an employee’s name or the adviser’s name appears “on a website to identify potentially unauthorized advisory business being conducted online.”
- Establishing a confidential reporting channel through which employees can report concerns about co-workers’ electronic messaging or social media use for business purposes.
- Control over Devices
- Requiring employees to obtain permission before accessing firm email servers or other business software from personally owned devices.
- Loading security applications or other required software onto company-owned or personally owned devices before they are used for business communication.
- Requiring employees to access company email and other business applications only over virtual private networks (VPNs).
We highly recommend that the Chief Compliance Officer (“CCO”) and all advisory firm principals carefully review this latest SEC RIA compliance risk alert. Failure to address electronic messaging can lead to serious compliance deficiencies. Firms need to take a step back and ensure that new forms of electronic communication are properly contemplated and addressed in the firm’s policies and procedures.
Be sure to check back soon as we continue to provide updates on relevant RIA regulatory compliance focus areas.