Technology makes it easy for investment advisers to communicate with clients. However, it is important to remember that many of the “old” rules still apply. In a recent National Exam Program Risk Alert, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) reminded the regulated community that the Investment Advisers Act of 1940 (Advisers Act) often applies to electronic messages, such as text messages, instant messages, and social media posts.
OCIE conducted a limited-scope examination initiative of registered investment advisers (advisers) designed to obtain an understanding of the various forms of electronic messaging used by advisers and their personnel, as well as the risks of such use. The resulting Risk Alert “reminds” advisers of their obligations under the Advisers Act that may apply to electronic messages and provides “examples of practices that the staff believes may assist advisers” to improve their relevant systems, policies and procedures. Before examining the SEC’s guidance, this article summarizes the Advisers Act “Books and Records Rule,” Advisers Act Rule 204-2.
Advisers Act Provisions Governing Electronic Messaging
The “Books and Records Rule,” Advisers Act Rule 204-2, requires advisers to make and keep certain books and records relating to their investment advisory business. For example, Rule 204-2(a)(7) requires advisers to make and keep “[o]riginals of all written communications received and copies of all written communications sent by such investment adviser relating to (i) any recommendation made or proposed to be made and any advice given or proposed to be given, (ii) any receipt, disbursement or delivery of funds or securities, (iii) the placing or execution of any order to purchase or sell any security, or (iv) the performance or rate of return of any or all managed accounts or securities recommendations,” subject to certain limited exceptions.
Additionally, Rule 204-2(a)(11) requires advisers to make and keep a copy of each notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication that the investment adviser circulates or distributes, directly or indirectly, to ten or more persons. The SEC previously advised that, “regardless of whether information is delivered in paper or electronic form, broker-dealers and investment advisers must reasonably supervise firm personnel with a view to preventing violations.” Additionally, Advisers Act Rule 206(4)-7 (the “Compliance Rule”) requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules.
OCIE Electronic Messaging Risk Alert Provides Guidance to Advisers - Expansive Definition of Electronic Communications:
Developments in the way mobile and personally owned devices are used pose challenges for advisers in meeting their obligations under both the Books and Records Rule and the Compliance Rule. OCIE broadly defines “electronic messaging” or “electronic communication” to include written business communications conveyed electronically using text/SMS messaging, instant messaging, personal email, and personal or private messaging. OCIE included communications conducted on the adviser’s systems or on third-party applications or platforms, or sent using the adviser’s computers, mobile devices issued by advisory firms, or personally owned computers or mobile devices used by the adviser’s personnel in the adviser’s business.
Examples of practices OCIE identified as helpful to advisers in meeting their record retention obligations under the Books and Records Rule and implementation and design of policies and procedures under the Compliance Rule:
Policies and Procedures
- Prevent Misuse: Prohibiting business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up.
- Surveillance of Electronic Communications: If advisers permit their personnel to use social media, personal email accounts, or personal websites for business purposes, adopting and implementing policies and procedures for the monitoring, review, and retention of such electronic communications.
- Sanctions Policy Notice: Including a statement in policies and procedures informing employees that violations may result in discipline or dismissal.
Employee Training and Attestations
- Training Program: Requiring personnel to complete training on the adviser’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging, electronic apps, and the adviser’s disciplinary consequences of violating these policies and procedures. Obtaining signed/dated attestations from employees documenting (i) completion of the required training on electronic messaging, (ii) compliance with all such requirements, and (iii) commitment to do so in the future (i.e., annual updates).
- Periodic “Reminders”: Providing reminders to employees of what is permitted and prohibited under the adviser’s policies and procedures with respect to electronic messaging.
- Feedback Request: Soliciting feedback from personnel as to the various forms of messaging requested by clients and service providers in order for the adviser to (1) assess their risks and (2) determine how those forms of communication may be incorporated into the adviser’s updated policies/procedures.
- Contract/Agreement Diligence: Contracting with software vendors to assure functionality: (i) monitor the social media posts, emails, or websites, (ii) archive such business communications to ensure compliance with record retention rules, and (iii) ensure that they have the capability to identify any changes to content and compare postings to a lexicon of key words and phrases.
- Social Media Site Review: Regularly reviewing popular social media sites to identify if employees are using the media in a way not permitted by the adviser’s policies.
- Internet Searches: Running regular Internet searches or setting up automated alerts to notify the adviser when an employee’s name or the adviser’s name appears on a website to identify potentially unauthorized advisory business being conducted online.
Control Over Devices
- Prior Approval of Firm Required: Requiring employees to obtain prior approval from the adviser’s information technology or compliance staff before they are able to access firm email servers or other business applications from personally owned devices. This may help advisers create an inventory list of devices and understand each employee’s use of mobile devices to engage in advisory activities.
- Security Apps Required: Loading certain security apps or other software on company-issued or personally owned devices prior to allowing them to be used for business communications. Software is available that enables advisers to (i) “push” mandatory cybersecurity patches to the devices to better protect the devices from hacking or malware, (ii) monitor for prohibited apps, and (iii) “wipe” the device of all locally stored information if the device were lost or stolen.
- Access Restrictions: Allowing employees to access the adviser’s email servers or other business applications only by virtual private networks or other security apps to segregate remote activity to help protect the adviser’s servers from hackers or malware.
One of the keys to compliance program success is a continuous assessment of Company risks and improvements to existing policies/procedures as determined to be necessary. With respect to electronic messaging, it is important to remain current with emerging technology. Lastly, monitoring regulatory developments provides useful guidance for the Company’s Compliance and Legal departments.
If you have any questions or if you would like to discuss the matter further, please contact me, Paul Lieberman, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.