On December 14, 2018, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert reminding investment advisers of their recordkeeping obligations with respect to electronic messaging and summarizing their related observations from recent examinations. The staff’s recent limited‑scope examinations discussed in the Risk Alert were designed to obtain an understanding of the various forms of electronic messaging used by advisers and their personnel, the risks of such use and the challenges in complying with the related provisions of the Investment Advisers Act of 1940 (the “Advisers Act”) and rules thereunder. A copy of the Risk Alert is available here. The Risk Alert is an opportunity for investment advisers to review their electronic messaging practices, policies and procedures and make improvements where necessary.
Advisers Act Books and Records Rule
Advisers Act Rule 204-2 requires advisers to make and keep certain books and records relating to their business. Rule 204‑2(a)(7) requires advisers to make and keep, among other things, originals of all written communications received and copies of all written communications sent relating to recommendations made or advice given, trade orders, disbursement of funds or securities or any discussion of performance or rate of return. Furthermore, Rule 204-2(a)(11) requires advisers to make and keep a copy of each notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication that the adviser circulates or distributes, directly or indirectly, to ten or more persons.
OCIE Examinations and Observations
OCIE’s examinations surveyed firms to learn the types of electronic messaging used by firms and their personnel and reviewed firms’ policies and procedures to understand how advisers were addressing the risks presented by evolving forms of electronic communication. The scope of OCIE’s examinations included text messaging, instant messaging, personal email and personal or private messaging on a variety of different platforms. Given firms’ decades of experience complying with the regulatory requirements regarding emails on firm systems, firm emails were not included in the scope of OCIE’s examinations.
OCIE summarized some potentially helpful practices in a number of categories:
Policies and Procedures
OCIE noted that firms have adopted policies and procedures specific to electronic communications. These included policies and procedures to limit personnel to use only those forms of electronic business communication that can reasonably be used in compliance with the Rule and prohibit business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously. OCIE also noted certain firms’ policies and procedures provided for the preservation of messages received off of firm systems and the monitoring and review of communications sent and received through personal devices or third-party platforms.
Employee Training and Attestations
OCIE noted that some advisers required their employees to complete training on policies and procedures regarding electronic messaging, while others required employee attestations that employees completed training and would commit to complying with the firm’s policies and procedures. OCIE’s examinations also revealed that some firms regularly remind employees of their electronic messaging obligations and solicit feedback from personnel as to what forms of messaging should be permitted by a firm’s policies and procedures.
For advisers that permit use of social media, personal email, or personal websites for business purposes, OCIE observed that certain firms contract with software vendors to (i) monitor the social media posts, emails or websites, (ii) archive such business communications to ensure compliance with record retention rules and (iii) ensure that they have the capability to identify any changes to content and compare postings to a lexicon of key words and phrases. Advisers also adopt procedures to review social media sites and conduct regular internet searches to determine if unauthorized business is being conducted online.
Control Over Devices
OCIE observed that some advisers required employees to obtain prior approval from the adviser’s information technology or compliance staff before they were able to access firm email servers or other business applications from personally owned devices. Certain advisers also installed security apps or other software on company-issued or personally owned devices prior to allowing them to be used for business communications. Some advisers also required that access to business email or other business applications occur only through a virtual private network or other security applications.
Advisers should review their risks, practices, policies and procedures regarding electronic messaging in light of the Risk Alert and the practices identified therein. OCIE noted in the Risk Alert that this was not intended to be a comprehensive list of practices for a firm to meet its regulatory obligations, but rather to provide a sample of practices staff observed that may be helpful to advisers assessing their compliance policies and procedures addressing electronic messaging.