A new Risk Alert by the U.S. Securities and Exchange Commission reminds advisers of their obligations concerning the use of electronic messaging.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) has found that changes in the way mobile and personally owned devices are used for business purposes are posing challenges for advisers in meeting their obligations under the Books and Records Rule and the Compliance Rule. These challenges also include the increasing use of social media, texting and other types of electronic messaging apps.
OCIE surveyed firms to learn the types of electronic messaging used by firms and their personnel, and reviewed firms’ policies and procedures to understand how advisers were addressing the risks presented by the evolving forms of electronic communication. The OCIE staff notes that it observed a range of practices with respect to electronic communications, “including advisers that did not conduct any testing or monitoring to ensure compliance with firm policies and procedures.”
As a result, the office is encouraging advisers to “review their risks, practices, policies and procedures” regarding electronic messaging and consider possible improvements to their compliance programs.
The Risk Alert offers numerous observations and practice examples that the OCIE believes may assist advisers in meeting their obligations, including:
- Prohibiting business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up.
- Requiring internal procedures such that, in the event an employee receives electronic messages using a firm-prohibited communication, the employee moves the messages to another electronic system that the adviser determines is in compliance with its books and records obligations.
- Requiring personnel to complete training on the adviser’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging and electronic apps and the adviser’s disciplinary consequences of violating these procedures.
- Soliciting feedback from personnel as to what forms of messaging are requested by clients and service providers in order for the adviser to assess their risks and how those forms of communication may be incorporated into the adviser’s policies.
- Regularly reviewing popular social media sites to identify if employees are using social media in a way that is not permitted by the adviser’s policies.
- Establishing a reporting program or other confidential means by which employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications.
- Requiring employees to obtain prior approval from the adviser’s information technology or compliance staff before they are able to access firm email servers or other business applications from personally owned devices.
- Loading certain security apps or other software on company-issued or personally owned devices prior to allowing them to be used for business communications.
The OCIE further encourages advisers to stay abreast of evolving technology and how they are meeting their regulatory requirements while utilizing new technology. In addition, while this initiative was limited to examinations of investment advisers, other types of regulated financial services entities may face similar challenges with new communication tools and methods, the alert notes.