SEC Risk Alert – Electronic Messaging

December 19, 2018


On December 17, 2018, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) released a new National Exam Program Risk Alert relating to electronic messaging. The purpose of the risk alert is to remind SEC-registered investment advisers of their obligations when their supervised persons use electronic messaging and to help SEC-registered investment advisers improve their systems, policies, and procedures by sharing the SEC staff’s observations from its investment adviser examinations.

The SEC Risk Alert references Rule 204-2 (“Books and Records Rule”) and Rule 206(4)-7 (“Compliance Rule”) under the Investment Advisers Act of 1940 as relevant regardless of the type of electronic messaging being used:

  • SEC Rule 204-2 (the “Books and Records Rule”), which “requires [investment] advisers to make and keep certain books and records relating to their investment advisory business.” In particular, Rule 204-2(a)(7) requires an SEC-registered investment adviser firm to make and keep “originals of all written communications received and copies of all written communications sent by such investment adviser relating to (i) any recommendation made or proposed to be made and any advice given or proposed to be given, (ii) any receipt, disbursement or delivery of funds or securities, (iii) the placing or execution of any order to purchase or sell any security, or (iv) the performance or rate of return of any or all managed accounts or securities recommendations.”
  • SEC Rule 206(4)-7 (the “Compliance Rule”) “requires [investment] advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the [Investment] Advisers Act and rules thereunder.” Furthermore, the SEC staff notes, “the Compliance Rule also requires an adviser to review, no less frequently than annually, the adequacy of the [investment] adviser’s compliance policies and procedures and the effectiveness of their implementation.”

The SEC staff “observed and identified the below examples of practices that the staff believes may assist investment advisers in meeting their record retention obligations under the Books and Records Rule and their implementation and design of policies and procedures under the Compliance Rule:”

  • Policies and Procedures
    • Permitting limited forms of electronic communication for business purposes.
    • Prohibiting professional use of apps that allow employees to “send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up.”
    • Requiring employees of the firm to move prohibited forms of communication to “another electronic system that the adviser determines can be used in compliance with its books and records obligations.”
    • If permitted, implementing policies and procedures around the use of personally owned electronic devices.
    • If permitted, implementing policies and procedures around the use of their personal social media, personal email, or personal websites for business purposes.
    • Adopting and implementing policies and procedures informing staff members of the disciplinary action which will be taken if policies and procedures are violated.
  • Employee Training and Attestations
    • Training staff on all of the firm’s policies and procedures, including electronic communication, and letting them know the consequences of violations of policies and procedures.
    • At the beginning of employment, require all personnel to attest to their understanding of policies and procedures. In addition, require employees to regularly attest to the firm’s policies and procedures.
    • Regularly communicate with supervised persons with reminders on what is “permitted and prohibited under the adviser’s policies and procedures with respect to electronic messaging.”
  • Supervisory Review
    • “For advisers that permit use of social media, personal email, or personal websites for business purposes, contracting with software vendors to (i) monitor the social media posts, emails, or websites, (ii) archive such business communications to ensure compliance with record retention rules, and (iii) ensure that they have the capability to identify any changes to content and compare postings to a lexicon of key words and phrases.”
    • Conduct regular internet searches or create automated alerts for when a supervised person’s name or the investment adviser representative’s name appears “on a website to identify potentially unauthorized investment advisory business being conducted online.”
    • Establish confidential reporting by which employees can report their concerns about co-workers.
  • Control over Devices
    • Require supervised persons to obtain permission to access firm email servers or other business software from personally owned devices.
    • Load certain security applications or other necessary software on all company-owned or personally owned devices prior to being used for business communication.
    • Require all supervised persons to only access their company email and other applications on virtual private networks (VPNs).

RIA Compliance Consultants has developed several resources to assist your investment adviser firm in improving its policies and procedures regarding the use of electronic messaging. These resources include:

If your investment adviser firm subscribes to one of our Annual Compliance Program packages, you can download all of the above resources through your online subscription account linked here. These resources may also be purchased a la carte. RIA Compliance Consultants also encourages you to speak with your consultant about how your investment adviser firm can create strong electronic messaging policies and procedures. If you are not a client of RCC, please click here to set up an introductory call.

Posted by RCC