Overcoming the Challenges of SEC Compliance around Electronic Messaging

01 March 2019

Written by Katie Mogan

Did you see the SEC’s Risk Alert on Electronic Messaging?

We did!  And let us start by saying, this Risk Alert was actually really helpful!

A lot of times, the SEC issues Risk Alerts that tell you the issues they’re seeing in recent SEC examinations and remind you of your compliance obligations, but they don’t often give you any advice or guidance on what you can do about it.

Not so with this Risk Alert!

What was the Risk Alert about?

This Risk Alert was based on a limited-scope examination initiative the SEC conducted in order to understand:

  1. the types of electronic messaging advisers’ personnel are using
  2. the risks involved with using them
  3. the challenges advisers face in meeting their compliance obligations because of that use, and
  4. how advisers are addressing the risks presented by evolving forms of electronic communication.

Types of Electronic Messaging Observed

When the SEC says “electronic messaging” they mean any written business correspondence conveyed electronically using:

  • text/SMS messaging
  • instant messaging
  • personal email, and
  • personal/private messaging apps.

This includes personnel using company-issued computers and mobile devices to access apps as well as their own personal computers and mobile devices to send business communication.

The one form of electronic correspondence not covered by this exam initiative was firm email, since advisers have conducted business correspondence by email for decades and have experience with email-related compliance requirements. Firm email is also transmitted on the firm’s own systems rather than through third-party apps, platforms, or devices.

The Risks Involved

If your personnel are using electronic messaging—anything other than company email on company systems—to communicate with your clients, you run the risk of not meeting your compliance obligations.  Why?  How?

As an RIA, you have to adhere to the Books and Records Rule (Rule 204-2), which requires you to make and keep certain books and records, including:

Originals of all written communications received, and copies of all written communications sent, relating to:

  • any recommendation made or proposed to be made
  • any advice given or proposed to be given
  • any receipt, disbursement, or delivery of funds or securities
  • the placing or execution of any order to purchase or sell any security, and
  • the performance or rate of return of any or all managed accounts or securities recommendations.

Furthermore, the Compliance Rule (Rule 206(4)-7) requires RIAs to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules thereunder. Among other things, those policies should address the accurate creation of required records and their maintenance in a manner that:

  • secures them from unauthorized alteration or use, and
  • protects them from untimely destruction.

So, how do you make sure your firm is able to capture and retain all applicable correspondence between your personnel and your clients?  And how do you construct your policies and procedures around how employees use various media to communicate with clients and conduct advisory business?

The SEC shed some light on this in the Electronic Messaging Risk Alert, and we’ve shared our insights below.

Policies and Procedures

Social Media and Other Electronic Messaging

Do you have a social media policy in place? If not (or even if you do), the SEC suggested polling your employees, as a starting point, about the social media and other electronic messaging they currently use. (That’s what the SEC did as part of its exam initiative.) Engage your personnel in conversations about how clients communicate with them and, to stay ahead of the curve, ask what new apps they are using or seeing other advisory firms use.

A common policy we see at SCS is to prohibit social media for business use, other than allowing employees to list their employer and job title on business-related social media sites like LinkedIn. Often advisers do not have the resources (time, money, technology) to monitor and archive third-party apps, platforms, or other correspondence on personal devices. If you do not have the resources to archive a social media platform or app that your employees are using for advisory business, prohibit it from business use in your policies. This doesn’t mean you can’t use social media for business purposes. It’s just a reminder that if you do allow it, you need the policies, procedures, and resources in place to review and monitor its use and capture the required records. Some firms have a pre-approval process for social media postings, involving both the marketing and compliance teams, which is a great idea.

Whether or not your firm permits social media, certain sites or apps should be prohibited outright because their messages cannot be retained in a way that satisfies the Books and Records Rule. Some examples include:

  • apps with auto-delete or disappearing-message features, such as Snapchat
  • platforms that allow an employee to communicate anonymously, and
  • those that do not allow third-party viewing or backup. Several email archiving providers can capture social media platforms, but some platforms still cannot be archived at all.

If employees are inadvertently contacted through an electronic messaging channel the firm does not archive, adopt a policy that requires them either to copy and paste the initial communication into the firm’s email system and continue the conversation from there, or to follow up with the client through the firm’s email and begin by restating the client’s original message. For example, you could open with “As per your request…” and then provide your response to their original correspondence. Either way, the substance of the exchange ends up in a system the firm archives.

In general, what we’re saying is, to meet your Compliance Rule obligation (to have policies and procedures reasonably designed to prevent violations of the Advisers Act), review and craft your policies and procedures to permit only the forms of electronic messaging that can be used in compliance with the Books and Records Rule.

Employee Training and Attestations

A Risk Alert is a great opportunity to train your employees!  It’s on the SEC’s mind.  It’s on your mind.  So, put it on your team’s mind!

Training is a key component of every successful compliance program.  When employees understand the “why” behind the policies and procedures, they’re a lot more likely to adhere to them.

For example, do your personnel understand that communications must be archived under the Books and Records Rule? Do they know that this includes text messages with a client? If the correspondence cannot be archived through the firm’s systems, they are putting the firm at risk of a violation.

Also, employees may not understand the risks involved in discussing performance. For example, have they included all necessary disclosures? Did they share a quarterly letter on LinkedIn that includes past specific recommendations? Did they receive an endorsement on LinkedIn? Ensuring that your employees understand the ways their actions can put the firm and/or themselves at risk is essential. One point in particular may be helpful to emphasize to your personnel during training:

If employees use personal email or social media sites for business purposes, the employee is at risk of having the SEC broaden the scope of their exam or investigation…into the employee’s personal texts, emails, and/or social media sites—and that is NOT typically popular among employees!

Even if you do not take this Risk Alert as an opportunity for training right away, you should provide employees with training on firm policies, including social media and electronic messaging policies, at least annually. The reason to train annually is that, let’s face it, people tend to forget, and it’s good to remind them. Regular reminders of prohibited use, or sharing employee missteps (anonymously), can help ensure that your personnel understand and remember proper usage, policies, and procedures. Any new or updated policies and procedures should be covered in training as they are implemented so that employees don’t inadvertently violate a new policy.

Another consideration is new hires. They may not be aware of the sensitivity around social media, especially if they are new to the RIA space, so take time to train new employees about proper and prohibited use. Another option is to require an annual acknowledgement of the social media policy, which reminds employees of its importance.

Supervisory Review

As with all policies, supervision and review are necessary.  As discussed above, if you allow the use of social media or other electronic messaging, first find a solution to archive that media and then set in place a regular schedule to review the archived data.

Take a risk-based approach to your reviews, considering:

  • the size of your firm,
  • whether or not you have remote offices, and
  • how seasoned your employees are with compliance.

For example, larger firms with more employees may consider more frequent reviews.  Smaller firms with personnel who are experienced in compliance may be able to review their correspondence less frequently.  However, if you’re a smaller firm, and all of your personnel are new to the industry, that may be considered higher risk and therefore require more frequent or more thorough reviews.

Even if you do not permit social media or other electronic messaging, it’s important to periodically monitor and review employees’ personal social media accounts for adherence to your firm’s policies. Consider randomly reviewing frequently used sites, conducting random Google searches, and setting up Google Alerts to notify you by email when the name of your advisory firm or one of your employees is mentioned on the Web. Remember, if you set a schedule in your policies and procedures, stick to it and document it! Record which employees you reviewed, what you reviewed for, and any violations found.

Control Over Personally-Owned Devices

Allowing employees to use personal devices for work, commonly called bring your own device (“BYOD”), adds compliance risk. Personal devices that the firm does not manage or support can expose firm systems to malware and attackers, and employees may access confidential client information on them without the adviser being able to track how and when that information is used.

If your policies allow you and/or your colleagues to bring your own devices:

  • Set clear policies on the use of social media, instant messaging, texting, personal email, websites, and information security.
  • Be aware of, and educate your staff about, security on personal laptops used to work from home or while traveling.
  • Require employees to obtain prior approval before they access firm email servers or other business applications from a personal device.
  • Install firm-approved security apps or other software on personally owned devices before they are used for business communications.
  • Remind employees to keep anti-malware software, and the device’s operating system, up to date.
  • To protect the adviser’s servers from attackers and malware, require employees to reach email servers and other business applications only through a virtual private network (“VPN”) or other secured access. Keep in mind that a VPN secures the connection, not the device itself, so it complements rather than replaces the controls above.

Conclusion

The SEC laid out clear expectations for policies and procedures addressing electronic messaging, social media, and apps, and described the testing methods it used. Whenever the SEC releases a Risk Alert, we recommend reviewing your policies and procedures in light of its recommendations and updating your processes as necessary. Remember to advise your employees after you update your policies and require acknowledgements of receipt of the new policies. And continue to learn from your employees to keep abreast of upcoming changes in technology, communications, and social media platforms, like Insta-Face, SnapWhatsApp, and Twittergram. (Just kidding on that last part. We made those names up.)