Books and Records: Electronic Messaging
Main Contributor: Elizabeth Cope, CPA, CSCP, CIPM, CEO & Lead Consultant
You have probably already heard of the 16 firms brought under enforcement for the improper use of electronic communications. For years, employees at these firms routinely communicated business matters through text messaging applications on their personal devices, and the firms did not retain those records. The fines amounted to $1.1 billion and should serve as a warning for investment advisors.
OCIE (now the Division of Exams) issued a Risk Alert back in December 2018 summarizing what it found to be adequate practices among examined advisors with respect to electronic messaging. That alert remains a good reference point today as firms revisit their current practices.
Background
Rule 204-2 of the Investment Advisers Act (“Rule”) requires advisors to maintain books and records relating to their advisory business. Section 204-2(a)(7) specifically requires advisors to keep and maintain records of all written communications received and sent by the advisor relating to a) any recommendation made or proposed, b) the receipt, disbursement, or delivery of funds or securities, c) the placing or execution of any order to buy or sell a security, and/or d) the performance or rate of return of any or all managed accounts or securities recommendations.
The Rule itself doesn’t require advisors to retain every email, text message, Teams message, and so on. However, if the firm allows certain types of electronic media for communicating business matters (or is silent on the requirements) and doesn’t retain ALL of the correspondence on those media, the firm is left trying to substantiate to the Division of Exams that no key records were destroyed or deleted. Therefore, it is in your best interest to have policies and procedures on the use of electronic messaging, training for internal staff, tools to retain the allowed modalities, and an oversight review to substantiate that all policies are reasonably designed to prevent violations of the Rule.
Suggested Practices
Policies and Procedures
If you don’t already, you should have policies and procedures that clearly outline to your personnel which modalities are approved for communicating business-related matters and which are not allowed. Interview key personnel to ensure you have a grasp of all the electronic communication channels used by internal staff and by your firm’s clients. In addition, the policies should address the retention and review of the allowed modalities. The policies should further outline what staff are to do if they receive business communications on an unapproved modality (such as text), including reporting the violation and how to retain that communication to meet the requirements of the Rule.
Train Your Staff
Fact: You have to remind your internal staff of the policies and requirements. They forget and need to be reminded, as we all do. Help them understand the reason for the policies to build buy-in. Keep documentation of all trainings conducted and their attendees so you can substantiate the training to the SEC Staff when undergoing an exam.
Attestations
It’s not required, but it is a best practice to require attestations from internal staff affirming that they understand the policies for electronic communication and that they have complied with them. This puts the onus on the employee and, in most cases, makes them think about the policies and their own adherence before signing.
Reviews
Although not explicitly required, it’s expected and a best practice to regularly review retained electronic correspondence. It is in these reviews that we have often found instances where internal staff were, for example, sending emails to their personal email accounts. Be sure to document every review you conduct so you can substantiate to the SEC Staff during an examination that reviews are taking place; that documentation can also be maintained as part of your firm’s annual review requirement.
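As an added illustration of what such a review can look like in practice (this is example code written for this article, not a tool from the author or any regulator), the script below runs over a constructed export of archive metadata and flags the two situations the text describes: outbound business email sent by an employee to their own personal webmail account, and correspondence on a channel the firm’s policy does not approve. The firm domain, the approved channels, the webmail domain list, the disclosed personal addresses, and every sample message are assumptions made up for the demonstration; a real review would read the same fields from the firm’s archiving or surveillance platform.

```python
"""Added example: a simple retained-correspondence review (not the article's own code).

All domains, policy values and sample records are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed firm policy values (constructed).
FIRM_DOMAIN = "example-advisor.test"
APPROVED_CHANNELS = {"email", "teams"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "icloud.com", "hotmail.com"}
# Personal addresses employees disclosed on their attestations (constructed).
DISCLOSED_PERSONAL = {"a.smith.home@yahoo.com"}


@dataclass(frozen=True)
class Message:
    """One row of archive metadata: when, on which channel, from whom, to whom."""
    sent: datetime
    channel: str
    sender: str
    recipients: tuple
    subject: str


def local_part(address):
    return address.split("@", 1)[0].strip().lower()


def domain_of(address):
    # Phone numbers and handles without "@" yield "" and never match a webmail domain.
    return address.rsplit("@", 1)[-1].strip().lower() if "@" in address else ""


def review_message(msg):
    """Return (finding, detail) pairs for a single archived message."""
    findings = []
    if msg.channel.lower() not in APPROVED_CHANNELS:
        findings.append(("unapproved_channel", msg.channel))
    if domain_of(msg.sender) != FIRM_DOMAIN:
        return findings  # inbound or third-party mail: only the channel check applies
    for rcpt in msg.recipients:
        r = rcpt.strip().lower()
        if r in DISCLOSED_PERSONAL:
            findings.append(("to_disclosed_personal_account", r))
        elif domain_of(r) in PERSONAL_WEBMAIL and local_part(r) == local_part(msg.sender):
            # Same mailbox name at a webmail provider strongly suggests self-forwarding.
            findings.append(("to_own_personal_account", r))
    return findings


def review_archive(messages):
    """Run the review over an archive export; returns a flat list of finding rows."""
    report = []
    for m in messages:
        for finding, detail in review_message(m):
            report.append({"sent": m.sent.isoformat(), "sender": m.sender,
                           "finding": finding, "detail": detail, "subject": m.subject})
    return report


def summarize(report):
    """Count findings by type, which is the figure worth keeping in the review file."""
    counts = {}
    for row in report:
        counts[row["finding"]] = counts.get(row["finding"], 0) + 1
    return counts


# Constructed sample archive export.
SAMPLE_ARCHIVE = [
    Message(datetime(2023, 3, 1, 9, 5), "email", "jdoe@example-advisor.test",
            ("client@clientco.test",), "Recommendation: municipal bond ladder"),
    Message(datetime(2023, 3, 1, 17, 42), "email", "jdoe@example-advisor.test",
            ("jdoe@gmail.com",), "Fwd: Q1 performance report"),
    Message(datetime(2023, 3, 2, 8, 10), "sms", "asmith@example-advisor.test",
            ("+1-555-0100",), "Please sell 200 shares today"),
    Message(datetime(2023, 3, 2, 11, 0), "email", "vendor@external.test",
            ("asmith@example-advisor.test",), "Invoice"),
    Message(datetime(2023, 3, 3, 12, 30), "email", "asmith@example-advisor.test",
            ("client@clientco.test", "a.smith.home@yahoo.com"), "Order confirmation"),
]

if __name__ == "__main__":
    report = review_archive(SAMPLE_ARCHIVE)
    for row in report:
        print(row)
    print(summarize(report))
```

Each finding row carries the timestamp, sender, subject and finding type, which is the evidence the review file needs when the SEC Staff asks what was reviewed and what was escalated. Note that mail to a client’s own webmail address is deliberately not flagged: that is ordinary client correspondence, and flagging it would bury the self-forwarding cases the review is meant to find.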
Mobile Device Management
Mobile Device Management is software that allows a third party, typically IT, to control, secure, and enforce policies on smartphones. Again, this is not a requirement, but it is a best practice for advisors to maintain control over the business applications on personal and work-issued devices. The firm can set rules and parameters that support not only the books and records requirements but also its cybersecurity controls. It can further allow the firm to remotely wipe the applications used for business if a device is lost or stolen, to further protect the firm and the firm’s clients.
Conclusion
Whenever there is a large enforcement case, such as the one brought against those 16 brokerage firms, it serves as a warning for others in the industry. It’s important that your firm revisit its policies on the use of electronic messaging (or draft one if none is in place), incorporate this as a topic in the firm’s compliance training, ensure regular reviews as part of the firm’s annual review requirements, and consider other possible controls, such as mobile device management. First assess the firm’s risk level, then ensure the controls in place are reasonably designed to mitigate the identified risk(s) and prevent violations of the Rule.