On December 14, 2018, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert titled “Observations from Investment Adviser Examinations Relating to Electronic Messaging”.
Based on a series of limited-scope examinations, OCIE reviewed electronic messaging for business-related communications by RIAs to ensure that the relevant regulations were being followed. In these examinations, OCIE reviewed advisers’ practices regarding retention and review of text messaging/SMS messaging, instant messaging, personal emails, and personal or private messaging (collectively, “electronic communications”). OCIE did not review business-related email sent and received through firm email systems, because firms already have years of experience complying with business email retention, and business email does not pose the same types of challenges as other electronic communication methods, which are maintained via third-party apps or platforms rather than firm systems.
The observations that OCIE published fell into the following categories:
- Policies and Procedures
- Employee Training and Attestations
- Supervisory Review
- Control over Devices
This Risk Alert addresses the regulatory requirements that impact a firm’s use of electronic communications, describes advisers’ deficiencies in meeting these regulatory requirements, and provides best practice examples and suggestions for compliance, based on OCIE’s observations.
If your firm or its staff uses any of the forms of electronic communications covered by this alert, you should consider the following items prior to use:
- Is this method of communications archivable and reviewable?
  - Many of the archiving services are now able to archive and review text/SMS messaging and instant messaging. You should check with your service provider prior to allowing this type of activity.
- Do your Policies and Procedures effectively document which of these methods are allowable?
  - You should review your policies and procedures, specifically in relation to communications and electronic messaging, to ensure that any method used is included and detailed.
  - A statement prohibiting any other methods should be included.
  - A process for addressing any prohibited methods should be included (e.g., a request to send a received text message to the firm email, or a cc to the firm email on a response to a personal email).
- Do your annual employee attestations detail the methods of electronic communications that are allowed and those that are prohibited?
- If employees use their personal devices for business purposes, are they required to obtain approval to do so, and does the adviser have a method to ensure such devices comply with firm cybersecurity requirements?
- Do you train your staff on the use of electronic communications, and are disciplinary actions considered as a result of violations of the firm’s policies?
- Is your supervisory system capable of monitoring, reviewing, and retaining the electronic communications?
  - This should be documented and detailed in your policies and procedures.
  - Web searches and periodic social media reviews should be used as part of the overall supervisory system to ensure that your firm’s policies and procedures are being followed.
As with any other technology-based system, cybersecurity and information protection should always be a priority. Allowing your advisers to use any alternative methods of electronic communications may pose security risks, so it is always advisable to speak to your IT department, IT consultant, or Cybersecurity team.
If you have any questions, please contact your NCS Regulatory Compliance Consultant; we are here to help! We can work with you on updating your policies and procedures, as well as conducting social media reviews or offering guidance on these and other risk-based reviews of your business.
Click the following link to view the full text of the SEC’s Risk Alert: https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Electronic%20Messaging.pdf