SEC OCIE Issues Risk Alert Regarding Electronic Messaging
January 9, 2019
The staff (the “Staff”) of the SEC’s Office of Compliance Inspections and Examinations issued a Risk Alert to remind registered investment advisers (“advisers”) of their obligations relating to the use of electronic messaging for business-related communications.
The Staff conducted a limited-scope examination initiative (the “Exam Initiative”) of advisers to gain an understanding of the various forms of electronic messaging used by advisers and their personnel, the risks of such use, and the challenges presented in complying with certain provisions of the Investment Advisers Act of 1940 (“Advisers Act”).1 In particular, the Staff noted that the increasing use of social media, texting, and other types of electronic messaging applications (“apps”), and the pervasive use of mobile and personally owned devices for business purposes presented difficulties for advisers in meeting their obligations under Rule 204-2 (the “Books and Records Rule”) and Rule 206(4)-7 (the “Compliance Rule”) of the Advisers Act.2
In the Risk Alert, the Staff identified the following examples of practices regarding electronic messaging that the Staff believes may assist advisers in meeting their record retention obligations under the Books and Records Rule and the design and implementation of policies and procedures under the Compliance Rule.
Policies and Procedures
- Permitting only those forms of electronic communication for business purposes that can be used in compliance with the adviser’s obligations under the Books and Records Rule.
- Prohibiting business use of apps and other technologies that allow anonymous communication, allow automatic destruction of messages, or prohibit third-party monitoring or back-up.
- Requiring employees who receive electronic messages using a form of communication prohibited by the adviser to move those messages to an approved electronic system.
- Where the use of personally owned mobile devices for business purposes is permitted, adopting and implementing policies and procedures to address such use with respect to, for example, social media, instant messaging, texting, personal email, personal websites and information security.
- If social media, personal email, or personal websites are permitted to be used for business purposes, adopting and implementing policies and procedures for monitoring, reviewing, and retaining such communications.
- Informing employees that violations of the adviser’s policies and procedures regarding electronic communications may result in discipline or dismissal.
Employee Training and Attestations
- Requiring training on the adviser’s policies and procedures relating to the use of electronic messaging and apps.
- Obtaining attestations from employees of their compliance with the adviser’s policies and procedures on electronic communications and required training.
- Regularly reminding employees of the adviser’s policies and procedures with respect to electronic messaging.
- Gathering feedback from personnel as to the forms of electronic messaging being requested by clients and service providers in order to assess their risks and how those communications may be incorporated into the adviser’s policies.
- If the use of social media, personal email, or personal websites is permitted for business purposes, contracting with software vendors to monitor and archive such business communications and ensure that they have the capability to identify changes to content and compare postings.
- Regularly reviewing employees’ use of social media to identify violations of the adviser’s policies.
- Conducting regular internet searches or setting up automated alerts (e.g., of an employee’s or the adviser’s name) to identify potentially unauthorized online activity.
- Establishing confidential means for employees to report concerns about a colleague’s use of electronic communications for business purposes.
Control over Devices
- Requiring employees to obtain prior approval before being able to access firm email servers or other business applications from personally owned devices.
- Loading certain security apps or other software on company-issued or personally owned devices prior to allowing them for use that enables advisers to “push” mandatory cybersecurity patches, monitor prohibited apps, and “wipe” the device of all locally stored information.
- Restricting employee access to the adviser’s email servers or other business applications to virtual private networks or other security apps that segregate remote activity.
In light of the practices identified by the Staff regarding electronic communications, advisers should carefully review the adequacy and effectiveness of their policies and procedures relating to the use of electronic messaging and consider what enhancements may be needed to ensure compliance with their regulatory obligations
1 For purposes of the Exam Initiative, “electronic messaging” or “electronic communication” included written business communications conveyed electronically using, for example, text/SMS messaging, instant messaging, personal email, and personal or private messaging. The Staff included communications when conducted on the adviser’s systems or third-party applications or platforms or sent using the adviser’s computers, mobile devices issued by advisers, or personally owned computers or mobile devices used by the adviser’s personnel for the adviser’s business. The Staff specifically excluded email use on advisers’ systems from the Exam Initiative due to advisers’ extensive experience in complying with the Advisers Act with respect to firm email and because firm email does not present that same challenges since they occur on the firm’s systems rather than third-party apps or platforms.
2 The Books and Records Rule requires advisers to make and keep certain books and records relating to its investment advisory business, including certain electronic communications. The Compliance Rule requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and rules thereunder.