SEC Alert on Electronic Communications – What Advisors Need to Know


On December 14, 2018, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert to remind investment advisors of their obligations with respect to electronic communications and social media and to help advisors improve their systems, policies, and procedures.  

The risk alert can be found here. 

Background on the Risk Alert 

The risk alert is based on OCIE’s findings from a number of limited-scope examinations it conducted of registered investment advisors with the goal of understanding the various forms of electronic messaging used by advisors, the risks associated with such use, and the policies and procedures firms have in place to address such risks. OCIE conducted the initiative because it had noticed an increasing use of various types of electronic messaging by advisor personnel for business-related communications.  

Requirements under the Advisers Act 

Investment advisors are required under Rule 204(2) of the Advisers Act to make and keep certain books and records relating to their investment advisory business. The Commission has stated that, “regardless of whether information is delivered in paper or electronic form, broker-dealers and investment advisers must reasonably supervise firm personnel with a view to preventing violations.” In addition, pursuant to Rule 206(4)-7 (the Compliance Rule), the SEC has stated that an advisor’s policies and procedures should address, to the extent relevant to the advisor, “[t]he accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction,” among other things. 

Types of Electronic Communications 

OCIE included in its review the following types of electronic communications: text/SMS messaging, instant messaging, personal email, and personal or private messaging. Also included were communications conducted on the advisor’s systems or third-party applications or platforms or sent using the advisor’s computers, mobile devices, or personally owned computers or mobile devices. Chief Compliance Officers (“CCOs”) should take into account these types of communications when reviewing whether personnel are making business-related communications that are not being archived or reviewed.  

Policies and Procedures Observed by OCIE 

The following are some of the policies and procedures and practices, observed by OCIE staff during their review, that should be considered by investment advisors in addressing the risks associated with electronic communications and messaging: 

  • Specifically prohibiting business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up. 
  • In the event that an employee receives an electronic message using a form of communication prohibited by the firm for business purposes, requiring procedures that the employee move those messages to another electronic system that the adviser determines can be used in compliance with its books and records obligations, and including specific instructions to employees on how to do so.
  • If advisors permit their personnel to use social media, personal email accounts, or personal websites for business purposes, adopting and implementing policies and procedures for the monitoring, review, and retention of such electronic communications.
  • Requiring personnel to complete training on the advisor’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging and electronic apps and the advisor’s disciplinary consequences of violating these procedures.
  • Obtaining attestations from personnel at the commencement of employment with the advisor and regularly thereafter that employees (i) have completed all of the required training on electronic messaging, (ii) have complied with all such requirements, and (iii) commit to do so in the future. 
  • For advisors that permit use of social media, personal email, or personal websites for business purposes, contracting with software vendors to (i) monitor the social media posts, emails, or websites, (ii) archive such business communications to ensure compliance with record retention rules, and (iii) ensure that they have the capability to identify any changes to content and compare postings to a lexicon of key words and phrases. 
  • Requiring employees to obtain prior approval from the advisor’s information technology or compliance staff before they are able to access firm email servers or other business applications from personally owned devices. This may help advisors understand each employee’s use of mobile devices to engage in advisory activities.
  • Loading certain security apps or other software on company-issued or personally owned devices prior to allowing them to be used for business communications. Software is available that enables advisors to (i) “push” mandatory cybersecurity patches to the devices to better protect the devices from hacking or malware, (ii) monitor for prohibited apps, and (iii) “wipe” the device of all locally stored information if the device were lost or stolen. 

Summary 

In light of OCIE’s risk alert, CCOs and investment advisors should take steps to ensure that their policies and procedures regarding electronic communications and social media are adequate and that employees are educated regarding what types of business-related electronic communications they may and may not send.

For more information about the regulatory requirements regarding electronic communications and how your firm can establish effective policies and procedures, please contact NCA Compliance.  

Hayley Nelson is the President and Principal Consultant of NCA Compliance, Inc., a compliance consulting firm providing a wide range of customized compliance solutions for investment advisors nationwide, including mock audits, forensic testing, email surveillance, and assistance with the annual compliance review. Ms. Nelson previously worked for the Securities and Exchange Commission and a large investment manager in New York. 
 
