The SEC’s most recent risk alert, “Observations from Investment Adviser Examinations Relating to Electronic Messaging,” issued on December 14, 2019, focuses on the use and maintenance of electronic communications for business purposes. The purpose of the alert is to remind advisers of their obligations related to personal use of electronic messaging and the requirements for business-related electronic messages. Below are some best practices that can be used to help ensure your firm has reasonable controls in place for the use of electronic communications. We encourage all firms to review the full alert.
Policies and Procedures
- Only permit electronic communications for business purposes if the messages can be supervised and retained in compliance with the books and records requirements of the Advisers Act.
- Specifically prohibit the use of apps or other technology that gives employees the ability to communicate anonymously, automatically destroys messages or prohibits third-party backup and reviews.
- If an employee receives an electronic message in a form that is prohibited by the firm for business purposes, require that the employee move the message to another electronic system where the firm can supervise and retain the communication in compliance with the Books and Records Rule. Include specific instructions on how employees can move such messages.
- If a firm permits the use of personally owned mobile devices for business purposes, adopt and implement policies and procedures that address the use of electronic communications by employees, including social media, instant messaging, texting, personal email, personal websites and information security.
- If a firm permits personnel to use social media, personal email accounts or personal websites for business purposes, address how the firm monitors, reviews and retains such communications.
- Inform employees that violations to the firm’s electronic communications policy may result in discipline or dismissal.
- Include training on electronic communications policies and procedures in the firm’s initial and annual employee compliance training. Make sure to address specific restrictions and limitations placed on messaging and apps, along with consequences for violating the firm’s procedures.
- Upon commencement of employment and annually thereafter, have all employees attest to:
– Completion of all required training on electronic messaging
– Compliance with the firm’s policies and procedures
– Continued commitment to comply with the firm’s policies
- Periodically remind employees of the dos and don’ts of electronic messaging.
- Include electronic messaging in the firm’s annual risk assessment. Consider new forms of communications requested by clients or service providers when assessing the firm’s risk.
- If social media, personal email or personal websites are permitted to be used for business purposes, make sure communications and changes to communications are monitored and archived. Messages should be monitored for key words and phrases.
- Regularly review whether employees are utilizing social media in accordance with the firm’s policies.
- Set up automated internet alerts when the firm’s name or an employee’s name appears on a website to help detect unauthorized use of electronic media (e.g., Google alerts).
- Make sure employees know how they can confidentially report violations to the firm’s electronic communications policy.
Control over Devices
- Require that staff get approval from IT or Compliance for email access on personal devices.
- If a device will be used for business communications, load security software on the device to better protect it from hacking or malware. Software should automatically push out security patches, monitor for prohibited apps and be able to wipe the device if it is lost or stolen.
- Limit access to the firm’s email server or other business applications through virtual private networks or other security apps to segregate remote activity.
As technology continues to evolve and provide more ways to communicate with clients, the regulators will continue to scrutinize how firms are using and maintaining electronic messages. Stay ahead of the game by continuing to evaluate your firm’s risks, practices and controls regarding electronic communications and make improvements to your compliance program as needed.
Subscribe to CSS Blog
CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.