Risk Alerts are designed to remind investment advisers of their compliance obligations and to help firms improve their systems, policies, and procedures. On December 14, 2018, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert, which contained examiners’ observations regarding electronic messaging. These observations can help Registered Investment Advisers (RIAs) to comply with the Books and Records Rule. OCIE’s comments can also help RIAs to improve their policies and procedures.
To compile these observations, OCIE launched a limited-scope examination initiative of RIAs. The purpose of the initiative was to help OCIE understand the various forms of electronic messaging used for business-related communications. OCIE had noticed an increased use of electronic messaging by advisory personnel. OCIE’s goal was to address the risks and challenges of electronic messaging in the context of the Investment Advisers Act and its rules. OCIE had observed that communication has changed dramatically over the years, and investment advisers are now using text/SMS messaging, instant messaging, and personal email, as well as personal or private messaging.
The Risk Alert highlighted Rule 204-2(a)(7), which requires advisers to make and keep originals of all written communications received and copies of all written communications sent that pertain to:
- any recommendation made or proposed and any advice given or proposed;
- any receipt, disbursement or delivery of funds or securities;
- the placing or execution of any order to purchase or sell any security; or
- the performance or rate of return for any or all managed accounts or securities recommended.
Rule 206(4)-7, better known as the Compliance Rule, requires RIAs to adopt and implement written policies and procedures that are reasonably designed to prevent violations of the Investment Advisers Act and its rules. Pursuant to that rule, RIAs should identify compliance factors that create risk exposures for the firm and its clients in light of the adviser’s business model. The next step is for an RIA to design policies and procedures to address those risks.
Summary of examination practices
During the examination initiative, examiners observed a range of practices with respect to electronic communications. They found that certain RIAs did not conduct any testing or monitoring to ensure compliance with the firm’s policies and procedures. The Risk Alert addresses a number of areas, summarized below.
Policies and Procedures
OCIE offered the following best practices for RIAs to consider:
- Permitting only those forms of business-related electronic communication that the RIA believes can be used compliantly.
- Specifically prohibiting the business use of apps and other technologies that can be readily misused by an employee to send messages or otherwise communicate anonymously.
- Requiring that, when an employee receives a business-related electronic message through a prohibited form of communication, the employee move that message to another electronic system that can be retained in the firm’s books and records, with the RIA providing specific instructions on how to make the transfer.
- Where RIAs permit the use of personally-owned mobile devices for business purposes, they must adopt and implement policies and procedures addressing this kind of use.
- If RIAs permit their personnel to use social media, personal email accounts, or personal websites for business purposes, they must adopt and implement policies and procedures for the monitoring, review, and retention of these electronic communications.
- The firm’s policies and procedures should state that violations may result in discipline or dismissal.
Employee Training and Attestations
- Requiring personnel to complete training regarding the prohibitions and limitations placed on the use of electronic messaging and apps, as well as the disciplinary consequences for violating the firm’s policies and procedures.
- Obtaining attestations from personnel at the inception of their employment and regularly thereafter to show they have completed all of the required electronic messaging training, have complied with all such requirements, and commit to do so in the future.
- Providing regular reminders to employees regarding what is permitted and prohibited by the RIA’s electronic messaging policies and procedures.
- Soliciting feedback from personnel as to what forms of messaging are requested by clients and service providers, so the RIA can assess their risks and determine how those forms of communication may be incorporated into the firm’s policies.
- For RIAs that permit the use of social media, personal email, or personal websites for business purposes, contracting with software vendors to: (i) monitor social media posts, emails, or websites, (ii) archive business communications in accordance with the Books and Records Rule, and (iii) make certain that the RIA is able to track any changes to content and compare postings to a lexicon of key words and phrases.
- Regularly reviewing popular social media sites to determine if employees are obeying the RIA’s policies and procedures.
- Searching Internet sites regularly or establishing automated alerts to notify the RIA when an employee or the RIA’s name appears on a website to identify potentially unauthorized activities.
- Establishing a reporting program or other confidential method by which employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications.
Control over Devices
- Requiring employees to obtain prior approval from the RIA’s information technology or compliance staff before they are able to access firm email servers or other business applications from personally owned devices. This may help firms to understand each employee’s use of mobile devices to engage in advisory activities.
- Loading certain security apps or other software on company-issued or personally owned devices prior to approving them to be used for business communications.
- Permitting employees to access the RIA’s email servers or other business applications only by virtual private networks or other security apps to help protect the firm’s servers from hackers or malware.
RIAs should not view these examples as the only policies and procedures they should implement to tackle electronic messaging risks.
In this Risk Alert, OCIE is strongly encouraging RIAs to review their risks and practices, as well as their electronic messaging policies and procedures, to ensure they are complying with applicable regulatory requirements. OCIE is also advising RIAs to stay on top of evolving technology and the applicable regulatory requirements.
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.