In December 2018, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) published its fifth and last risk alert of 2018 on the topic of electronic messaging by personnel of registered investment advisers. In the alert, OCIE focuses its attention on the growing use by advisory personnel of various types of electronic messaging for business-related communications and seeks to provide suggestions to advisory firms on ways firms can continue to meet their regulatory requirements, notwithstanding this new challenge.
According to OCIE, the risk alert was occasioned by the increasing use of social media, texting, and other types of electronic messaging apps by investment advisers and their representatives. OCIE cautioned that advisers should be aware of the regulatory implications of the pervasive use of mobile and personally owned devices for business purposes. According to OCIE, the use of electronic messaging by advisory personnel implicates the following regulations under the Investment Advisers Act of 1940 (“Advisers Act”):
- Certain provisions of the Advisers Act Books and Records Rule (Rule 204-2), including Rule 204-2(a)(7), which requires advisers to make and keep “[o]riginals of all written communications received and copies of all written communications sent by [an] investment adviser relating to (i) any recommendation made or proposed to be made and any advice given or proposed to be given, (ii) any receipt, disbursement or delivery of funds or securities, (iii) the placing or execution of any order to purchase or sell any security, or (iv) the performance or rate of return of any or all managed accounts or securities recommendations,” subject to certain limited exceptions; and Rule 204-2(a)(11), which requires advisers to make and keep a copy of each notice, circular, advertisement, newspaper article, investment letter, bulletin, or other communication that the investment adviser circulates or distributes, directly or indirectly, to ten or more persons; and
- The Advisers Act Compliance Rule (Rule 206(4)-7), which requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and rules thereunder, including violations of the Books and Records Rule, by the adviser or its supervised persons.
The risk alert provides a list of best practices that OCIE observed and identified during its examinations of registered investment advisers that it believes may assist other advisers in meeting their obligations under the Books and Records Rule and the Compliance Rule. The practices include the following:
Policies and Procedures
- Advisers should adopt policies limiting the use of electronic communication technology for business purposes to only those forms of electronic communication that the adviser determines can be used in compliance with the Books and Records Rule.
- Advisers should specifically prohibit business use of apps and other technologies that can be readily misused. This includes apps that allow an employee to send messages or otherwise communicate anonymously, that allow for the automatic destruction of messages, or that prohibit third-party viewing or back-up.
- In the event that an employee receives an electronic message using a form of communication prohibited by the firm for business purposes, firm procedures should require the employee to move those messages to another electronic system that the adviser determines can be used in compliance with the Books and Records Rule. Procedures should include specific instructions to employees on how to do so.
- Where advisers permit the use of personally owned mobile devices for business purposes, they should adopt and implement policies and procedures that address such use with respect to, for example, social media, instant messaging, texting, personal email, personal websites, and information security.
- If advisers permit their personnel to use social media, personal email accounts, or personal websites for business purposes, they should adopt and implement policies and procedures for monitoring, reviewing, and retaining such electronic communications.
- Advisers should include a statement in their policies and procedures informing employees that violations of the policies and procedures may result in discipline or dismissal.
Employee Training and Attestations
- Advisers should require their supervised persons to complete training on the adviser’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging and electronic apps and the potential disciplinary consequences of violating such procedures.
- Advisers should obtain attestations from personnel at the commencement of employment with the adviser and regularly thereafter that employees (i) have completed all of the required training on electronic messaging, (ii) have complied with all such requirements, and (iii) commit to do so in the future.
- Advisers should provide regular reminders to employees of what is permitted and prohibited under an adviser’s policies and procedures with respect to electronic messaging.
- Advisers should solicit feedback from personnel as to what forms of messaging are requested by clients and service providers in order for the adviser to assess their risks and how those forms of communication may be addressed by the adviser’s policies.
- Advisers that permit use of social media, personal email, or personal websites for business purposes should contract with software vendors to (i) monitor the social media posts, emails, or websites, (ii) archive such business communications to ensure compliance with the Books and Records Rule, and (iii) ensure that they have the capability to identify any changes to content and to compare postings to a lexicon of key words and phrases.
- Compliance personnel should regularly review popular social media sites to identify if employees are using the media in a way not permitted by the adviser’s policies. Such policies should include prohibitions on using personal social media for business purposes or using it outside of the vendor services the adviser uses for monitoring and record retention.
- In order to identify potentially unauthorized advisory business being conducted online, compliance personnel should run regular Internet searches or set up automated alerts to notify the adviser when an employee’s name or the adviser’s name appears on a website.
- Advisers should establish a reporting program or other confidential means by which employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications. Particularly with respect to social media, colleagues may be “connected” or “friends” with each other and may see questionable or impermissible posts before compliance staff notes them during any monitoring.
Control Over Devices
- Advisers should require employees to obtain prior approval from the adviser’s information technology or compliance staff before they are able to access firm email servers or other business applications from personally owned devices. This may help advisers understand each employee’s use of mobile devices to engage in advisory activities.
- Technology teams should ensure that certain security apps or other software are loaded onto company-issued or personally owned devices before allowing those devices to be used for business communications. Software is available that enables advisers to (i) “push” mandatory cybersecurity patches to the devices to better protect them from hacking or malware, (ii) monitor for prohibited apps, and (iii) “wipe” the device of all locally stored information if it is lost or stolen.
- Advisers should consider a policy allowing employees to access the adviser’s email servers or other business applications only through virtual private networks or other security apps, so that remote activity is segregated and the adviser’s servers are better protected from hackers or malware.
Despite the inherent difficulty in policing the use of texting and other types of electronic messaging by advisory personnel, their pervasive use means that advisory firms cannot ignore the likelihood that these apps will be used for business purposes. Advisers should therefore carefully review their current policies and procedures in light of the best practices identified by OCIE to determine if any updates should be considered.