The Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission (“SEC”) conducted a limited-scope examination initiative of registered investment advisers (“advisers”) that was designed to provide the SEC with a greater understanding of the various forms of electronic messaging used by advisers and their personnel, the risks of such use, and the challenges in complying with certain provisions of the Investment Advisers Act of 1940 (“Advisers Act”).
OCIE undertook this initiative because adviser personnel increasingly use various types of electronic messaging for business-related communications. Following the initiative, OCIE issued a Risk Alert to remind advisers of their obligations when their personnel use electronic messaging and to help advisers improve their systems, policies, and procedures by sharing a number of the observations SEC staff made during those examinations.
Scope of Initiative
For purposes of the initiative, “electronic messaging” or “electronic communication” included written business communications conveyed electronically using, for example, text/SMS messaging, instant messaging, personal email, and personal or private messaging. OCIE also included communications when conducted on the adviser’s systems or third-party applications (“apps”) or platforms, or sent using the adviser’s computers, mobile devices issued by advisory firms, or personally owned computers or mobile devices used by the adviser’s personnel for the adviser’s business.
The staff specifically excluded email on advisers’ own systems from this review because firms have decades of experience complying with regulatory requirements for firm email, and it generally does not pose the same challenges as other electronic communication methods because it occurs on firm systems rather than on third-party apps or platforms.
While not an exhaustive list, OCIE staff observed and identified examples of practices that the staff believes may assist advisers in meeting their record retention obligations under the Books and Records Rule and their implementation and design of policies and procedures under the Compliance Rule:
Policies and Procedures
- Prohibiting business use of apps and other technologies that can be readily misused because they allow an employee to send messages or otherwise communicate anonymously, automatically destroy messages, or prevent third-party viewing or back-up.
- Requiring that, if an employee receives a business message through a form of communication the firm prohibits for business purposes, the employee move that message to an electronic system the adviser has determined can be used in compliance with its books and records obligations, and giving employees specific instructions on how to do so.
- Where advisers permit the use of personally owned mobile devices for business purposes, adopting and implementing policies and procedures addressing such use with respect to, for example, social media, instant messaging, texting, personal email, personal websites, and information security.
- If advisers permit their personnel to use social media, personal email accounts, or personal websites for business purposes, adopting and implementing policies and procedures for the monitoring, review, and retention of such electronic communications.
- Including a statement in policies and procedures informing employees that violations may result in discipline or dismissal.
Employee Training and Attestations
- Requiring personnel to complete training on the adviser’s policies and procedures regarding the prohibitions and limitations placed on the use of electronic messaging and apps, and on the disciplinary consequences of violating those procedures.
- Obtaining attestations from personnel at the commencement of employment with the adviser and regularly thereafter that employees (i) have completed all of the required training on electronic messaging, (ii) have complied with all such requirements, and (iii) commit to do so in the future.
- Soliciting feedback from personnel as to what forms of messaging are requested by clients and service providers in order for the adviser to assess their risks and how those forms of communication may be incorporated into the adviser’s policies.
Supervisory Review
- Regularly reviewing popular social media sites to identify whether employees are using them in a way not permitted by the adviser’s policies. Such policies include prohibitions on using personal social media for business purposes or using it outside the vendor services the adviser relies on for monitoring and record retention.
- Running regular Internet searches or setting up automated alerts that notify the adviser when an employee’s name or the adviser’s name appears on a website, in order to identify potentially unauthorized advisory business being conducted online.
- Establishing a reporting program or other confidential means by which employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications. Particularly with respect to social media, colleagues who are “connected” or “friends” with each other are positioned to see and note questionable or impermissible posts before compliance staff notices them during any monitoring.
Control over Devices
- Requiring employees to obtain prior approval from the adviser’s information technology or compliance staff before they are able to access firm email servers or other business applications from personally owned devices. This may help advisers understand each employee’s use of mobile devices to engage in advisory activities.
- Requiring the loading of security apps or other software onto company-issued or personally owned devices before they may be used for business communications. Such software should enable the adviser to (i) “push” mandatory security patches to the device to better protect it from hacking or malware, (ii) monitor for prohibited apps, and (iii) “wipe” all locally stored information from the device if it is lost or stolen.
- Allowing employees to access the adviser’s email servers or other business applications only through virtual private networks or other security apps, which segregates remote activity and helps protect the adviser’s servers from hackers or malware.
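The prohibited-app characteristics listed under Policies and Procedures and the three device controls just described (push patches, monitor for prohibited apps, wipe a lost device) are the kind of rules a mobile device management (MDM) system can evaluate automatically. The following is an added illustration, not code from the Risk Alert or from any MDM vendor: it scores a constructed device inventory against a constructed policy and returns the remediation an adviser's IT or compliance staff would act on. The bundle identifiers, device records and version numbers are hypothetical.

```python
"""Device and app compliance check over an MDM-style inventory (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class AppProfile:
    """Traits that make a messaging app unsuitable for business use: anonymous
    sending, automatic message destruction, or blocking third-party capture."""
    bundle_id: str
    anonymous: bool = False
    ephemeral: bool = False
    blocks_capture: bool = False

    @property
    def prohibited(self) -> bool:
        return self.anonymous or self.ephemeral or self.blocks_capture


@dataclass
class Device:
    device_id: str
    owner: str
    os_version: Version
    installed: List[str]                 # bundle ids reported by the MDM agent
    approved_for_business: bool = False  # prior IT/compliance sign-off obtained?
    reported_lost: bool = False


@dataclass
class Policy:
    min_os: Version
    catalog: Dict[str, AppProfile]  # known apps; anything else needs review


def evaluate(device: Device, policy: Policy) -> List[Tuple[str, str]]:
    """Return (action, detail) pairs for one device; an empty list means compliant.

    'wipe' is terminal. 'deny_access' is emitted first whenever any remediation
    ('push_patch', 'remove_app', 'review_app') is outstanding.
    """
    actions: List[Tuple[str, str]] = []

    # A lost or stolen device is wiped regardless of anything else.
    if device.reported_lost:
        return [("wipe", "device reported lost or stolen")]

    # No prior approval from IT/compliance: no access to firm systems.
    if not device.approved_for_business:
        actions.append(("deny_access", "no prior approval for business use"))

    # Out-of-date OS: push the mandatory patch before allowing business traffic.
    if device.os_version < policy.min_os:
        have = ".".join(map(str, device.os_version))
        want = ".".join(map(str, policy.min_os))
        actions.append(("push_patch", f"OS {have} below minimum {want}"))

    # Known-prohibited apps must be removed; apps not in the catalog get reviewed.
    for bundle in device.installed:
        profile = policy.catalog.get(bundle)
        if profile is None:
            actions.append(("review_app", f"{bundle} not in approved catalog"))
        elif profile.prohibited:
            traits = [name for name, on in (("anonymous", profile.anonymous),
                                            ("ephemeral", profile.ephemeral),
                                            ("blocks_capture", profile.blocks_capture)) if on]
            actions.append(("remove_app", f"{bundle}: {', '.join(traits)}"))

    # Any outstanding remediation also blocks access until it is cleared.
    if actions and actions[0][0] != "deny_access":
        actions.insert(0, ("deny_access", "remediation outstanding"))
    return actions


# Constructed app catalog (hypothetical bundle ids, not real products).
CATALOG = {
    "com.example.archivedchat": AppProfile("com.example.archivedchat"),  # captured by archiving vendor
    "com.example.burnmsg": AppProfile("com.example.burnmsg", ephemeral=True, blocks_capture=True),
    "com.example.anonpost": AppProfile("com.example.anonpost", anonymous=True),
}
POLICY = Policy(min_os=(16, 4, 0), catalog=CATALOG)

# Constructed inventory, as an MDM agent might report it.
INVENTORY = [
    Device("dev-001", "alice", (16, 4, 1), ["com.example.archivedchat"], approved_for_business=True),
    Device("dev-002", "bob", (15, 7, 0), ["com.example.archivedchat", "com.example.burnmsg"], approved_for_business=True),
    Device("dev-003", "carol", (16, 4, 1), ["com.example.anonpost"], approved_for_business=False),
    Device("dev-004", "dave", (16, 4, 1), ["com.example.archivedchat"], approved_for_business=True, reported_lost=True),
    Device("dev-005", "erin", (16, 4, 1), ["com.example.newmsg"], approved_for_business=True),
]


def run(inventory: List[Device], policy: Policy) -> Dict[str, List[Tuple[str, str]]]:
    """Map device_id -> actions for the whole inventory."""
    return {d.device_id: evaluate(d, policy) for d in inventory}


if __name__ == "__main__":
    for dev_id, acts in run(INVENTORY, POLICY).items():
        print(dev_id, acts or "compliant")
```

Two design choices worth noting. An app absent from the catalog is flagged for review rather than silently allowed, since a new messaging app is exactly the case the Risk Alert expects firms to assess before permitting it. And access is denied while any remediation is outstanding, which is what makes the "prior approval" control enforceable rather than advisory.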
Takeaway for Advisers
OCIE encourages advisers to review their risks, practices, policies, and procedures regarding electronic messaging and to consider any improvements to their compliance programs that would help them comply with their regulatory requirements. OCIE also encourages advisers to stay abreast of evolving technology and how they are meeting their regulatory requirements while utilizing new technology.
Additionally, while this initiative was limited to examinations of investment advisers, it was noted in the Risk Alert that other types of regulated financial institutions face similar challenges with new communication tools and methods.