A new Risk Alert publication issued by the Securities and Exchange Commission (SEC)’s Office of Compliance Inspections and Examinations (OCIE) encourages advisers to “review their risks, practices, policies, and procedures regarding electronic messaging.”
The guidance from the SEC comes after a growing number of advisory firms, broker/dealers and other providers have rolled out FINRA-reviewed texting solutions to their reps. In the Risk Alert, regulators remind advisers of their duties under the Advisers Act Rule 204-2, known as the “Books and Records Rule.” OCIE further encourages firms to proactively consider “improvements to their compliance programs that would help them comply with applicable regulatory requirements.”
According to the Risk Alert, OCIE examiners have noticed an increasing use of various types of electronic messaging by adviser personnel for business-related communications. Many of the solutions have been reviewed by FINRA, but the SEC notes that its own Books and Records Rule is distinct from any FINRA regulations and applies to digital as well as print communications.
Section 204-2(a)(7), for example, requires advisers to make and keep originals of all written communications received and copies of all written communications sent by such investment adviser relating to any recommendation made or proposed to be made and any advice given or proposed to be given; any receipt, disbursement or delivery of funds or securities; the placing or execution of any order to purchase or sell any security; or the performance or rate of return of any or all managed accounts or securities recommendations, subject to certain limited exceptions.
The OCIE Risk Alert also points to Advisers Act Rule Section 206(4)-7, known as the “Compliance Rule.” This rule requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the communications and recordkeeping rules thereunder. According to the Compliance Rule’s adopting release, OCIE explains, each adviser should identify compliance factors creating risk exposures for the firm and its clients in light of the adviser’s particular operations, and then design specific policies and procedures that address those risks.
“The Commission has stated that an adviser’s policies and procedures should address, to the extent relevant to the adviser, the accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction, among other things,” OCIE says. “The Compliance Rule also requires an adviser to review, no less frequently than annually, the adequacy of the adviser’s compliance policies and procedures and the effectiveness of their implementation.”
OCIE believes a number of changes in the way mobile and personally owned devices are used “pose challenges for advisers in meeting their obligations under the Books and Records Rule and the Compliance Rule.” These changes include the increasing use of social media, texting, and other types of electronic messaging apps, and the “pervasive use of mobile and personally owned devices for business purposes.”
Interestingly, the OCIE staff specifically excluded email use on advisers’ systems from its review and subsequent Risk Alert. The stated reason is that firms have had decades of experience complying with regulatory requirements with respect to firm email, “and it often does not pose similar challenges as other electronic communication methods because it occurs on firm systems and not on third-party apps or platforms.”
Many Adviser Mistakes Identified
OCIE staff says it observed a range of problematic practices with respect to electronic communications, including finding groups of advisers that did not conduct any testing or monitoring to ensure compliance with firm policies and procedures.
Other firms had stronger policies and procedures in place, which the OCIE distilled into a list of recommendations. These include the following: Permitting only those forms of electronic communication for business purposes that the adviser determines can be used in compliance with the books and records requirements of the Advisers Act; specifically prohibiting business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up; in the event that an employee receives an electronic message using a form of communication prohibited by the firm for business purposes, requiring in firm procedures that the employee move those messages to another electronic system that the adviser determines can be used in compliance with its books and records obligations, and including specific instructions to employees on how to do so; and, where advisers permit the use of personally owned mobile devices for business purposes, adopting and implementing policies and procedures addressing such use with respect to, for example, social media, instant messaging, texting, personal email, personal websites, and information security.
Other suggestions from OCIE are to proactively inform employees that violations of digital communications rules may result in discipline or dismissal and to provide regular reminders to employees of what is permitted and prohibited under the firm’s policies and procedures with respect to electronic messaging. OCIE recommends soliciting feedback from personnel as to what forms of messaging are requested by clients and service providers in order for advisers to assess their risks and how those forms of communication may be incorporated into their policies.
The full text of the Risk Alert includes additional suggestions, such as establishing a reporting program or other confidential means by which employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications. Particularly with respect to social media, colleagues may be “connected” or “friends” with each other and see questionable or impermissible posts before compliance staff notes them during any monitoring. OCIE further recommends that firms set strict and specific policies regarding the control over mobile and personal devices.
“In sharing its observations from this examination initiative, OCIE encourages advisers to review their risks, practices, policies, and procedures regarding electronic messaging and to consider any improvements to their compliance programs that would help them comply with their regulatory requirements,” OCIE’s Risk Alert concludes. “OCIE also encourages advisers to stay abreast of evolving technology, and how they are meeting their regulatory requirements while utilizing new technology.”