On Friday December 14, 2018, the Securities and Exchange Commission (“SEC”) published a Risk Alert advising Registered Investment Advisers (“RIAs”) of their obligation to revise written policies and procedures related to electronic messaging utilized by their personnel as a recent examination conducted by the Office of Compliance Inspections and Examinations (“OCIE”) identified shortfalls.
A limited-scope examination initiative was designed and conducted by the SEC to obtain an understanding of the various forms of electronic communications used by RIAs and its personnel, the risk of such use, and the hurdles of complying with provisions of the Investment Advisers Act. One of the observations by OCIE was the increasing use of various types of electronic communications by adviser personnel in the conduct of its business.
This Risk Alert is a reminder to RIAs of their obligations when allowing the usage of electronic communications and to assist the RIAs in improving their systems, policies and procedures.
Books and Records Rule and Compliance Rule
The Books and Records Rule (Adviser Act Rule 204-2) requires RIAs to make and keep certain books and records relating to their investment advisory business. Adviser Act Rule 206(4)-7 (“Compliance Rule”) requires RIAs to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules thereunder. In accordance with the Compliance Rule’s adopting release, each RIA should identify compliance factors creating risk exposures for the firm and its clients in light of the adviser’s particular operations, and then design policies and procedures that address those risks. A RIAs policies and procedures should address, to the extent relevant to the RIA, the accurate creation of required books and records and their maintenance that secures them from unauthorized alterations or use and protects them from untimely destruction, among other things. The Compliance Rule requires a RIA to review, no less frequently than annually, the adequacy of the RIAs compliance policies and procedures and the effectiveness of their implementation.
As communication tools and devices have changed over the years, including a change in the way mobile and personally owned devices are used in the business setting, challenges have emerged for RIAs in meeting their obligations under both the Books and Records and Compliance Rules.
OCIE “observed a range of practices with respect to electronic communications, including advisers that did not conduct testing or monitoring to ensure compliance with their policies and procedures. The review specifically excluded email use on the RIAs systems because firms have had decades of experience complying with regulatory requirements with respect to firm email, and it often does not pose similar challenges as other electronic communication methods because it occurs on firm systems and not on third party application or platforms.”
As electronic communications have evolved, text/SMS messaging, instant messaging, personal email, and personal or private messaging have received more wide-spread usage. These third part applications (“apps”) are often times utilized on mobile devices or personally owned computers. The OCIE staff observed and identified a set of examples of practices that it believes may assist RIAs and their personnel in meeting the retention obligations under the Books and Records Rule and their implementation and design of policies and procedures under the Compliance Rule.
The following test areas involved:
- Policies and Procedures
- Employee Training and Attestations
- Supervisory Review
- Control over Devices
Each area noted above had some key takeaways, including the OCIE recommending that RIAs prohibit business use of apps and technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up. Further, for RIAs that permit use of social media, personal email, or personal website for business purposes, it is recommended to contract with software vendors to (i) monitor the social media posts, emails, or websites, (ii) archive such business communications to ensure compliance with retentions rules, and (iii) ensure that they have the capability to identify any changes to content and compare postings to a lexicon of key words and phrases.
To view the Risk Alert please click here.
The SEC encourages RIAs to review their risks, policies and procedures regarding electronic communications and to consider improvements accordingly. This Risk Alert highlighted key aspects of their limited review with an emphasis on the impact electronic communications, the devices and technology deployed, have on the Books and Records requirements as well as the Compliance Rule. We encourage our RIA clients as well as our NFA and FINRA member firms to evaluate their policies, procedures and monitoring efforts to ensure compliance. If you have any questions regarding this Risk Alert, please do not hesitate to contact an ARG Compliance Analyst.