Advisers Encouraged to Assess Use of New Electronic Messaging Technologies as part of Annual Compliance Review Process

With annual compliance reviews in full swing this time of year, we write today to remind advisory firms to be sure to assess the sufficiency of their policies and procedures in the ever-developing area of electronic messaging.  Our note comes on the heels of a recent Risk Alert on this topic issued by the SEC’s Office of Compliance Inspections and Examinations or “OCIE,” which exhorts advisory firms to take a fresh look at their current compliance policies in light of the particular risks of non-compliance posed by the firm’s usage of electronic messaging.

“Electronic messaging,” as discussed in OCIE’s Risk Alert, refers to such mediums as text/SMS messaging, instant messaging, personal email, and personal or private messaging, but specifically excludes firm-wide email.  Notably, OCIE’s exclusion of firm email from analysis in the Risk Alert should not be read as diminishing an adviser’s compliance obligations to capture, store, and periodically review firm email communications.  Rather, as OCIE explains, “firms have had decades of experience complying with regulatory requirements with respect to firm email” and it is not as problematic from a compliance standpoint as compared to some of the newer technologies that run on third-party applications or platforms. 

OCIE’s Risk Alert is essentially a “best practices” guide for advisers in that it relies on the results of a limited-scope examination initiative designed to survey to what extent advisers have been successful in meeting their record retention obligations under Advisers Act Rule 204-2 (the Books and Records Rule) and their obligation to implement and design policies and procedures under Advisers Act Rule 206(4)-7 (the Compliance Rule).  Among those best practices specifically identified by OCIE as potentially facilitating an adviser’s compliance with the aforementioned obligations, the following practices were most salient:

• Permitting only those forms of “business purpose” electronic messaging that the adviser can adequately manage for compliance with the Books and Records Rule.
• Specifically prohibiting business use of electronic messaging or other technologies that allow staff to send messages or otherwise communicate anonymously.
• To the extent that advisers permit staff to use social media, personal email accounts, or personal websites for business purposes, the ability to adopt and implement policies and procedures for monitoring, reviewing, and retaining such electronic communications.
• Requiring staff to complete training on the adviser’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging.
• Obtaining staff attestation that such persons: (i) have completed all of the required training on electronic messaging, (ii) have complied with all such requirements, and (iii) commit to do so in the future.
• Regularly reviewing popular social media sites and running regular Internet searches to identify whether employees use the media in a manner not permitted by the adviser’s policies.
• Requiring employees to request and obtain approval from the adviser before they are able to access firm email servers or other business applications from personally-owned devices.

As always, the most important (and effective) aspect of an adviser’s compliance program is that it be reasonably tailored or customized to fit that adviser’s particular operations and commensurate risks of non-compliance.  OCIE echoes this maxim throughout the Risk Alert by encouraging advisers to assess their particular risks vis-à-vis any new electronic messaging technologies used by that firm and, in turn, design customized compliance procedures in response to those identified risks.

---