SEC’s Latest Risk Alert Focuses on Electronic Communications

The SEC’s most recent risk alert, “Observations from Investment Adviser Examinations Relating to Electronic Messaging,” issued on December 14, 2019, focuses on the use and maintenance of electronic communications for business purposes. The purpose of the alert is to remind advisers of their obligations related to personal use of electronic messaging and the requirements for business-related electronic messages. Below are some best practices that can be used to help ensure your firm has reasonable controls in place for the use of electronic communications. We encourage all firms to review the full alert.

Policies and Procedures
  • Only permit electronic communications for business purposes if the messages can be supervised and retained in compliance with the books and records requirements of the Advisers Act.
  • Specifically prohibit the use of apps or other technology that give employees the ability to communicate anonymously, automatically destroy messages or prohibit third-party backup and review.
  • If an employee receives an electronic message in a form that is prohibited by the firm for business purposes, require that the employee move the message to another electronic system where the firm can supervise and retain the communication in compliance with the Books and Records Rule. Include specific instructions on how employees can move such messages.
  • If a firm permits the use of personally owned mobile devices for business purposes, adopt and implement policies and procedures that address the use of electronic communications by employees, including social media, instant messaging, texting, personal email, personal websites and information security.
  • If a firm permits personnel to use social media, personal email accounts or personal websites for business purposes, address how the firm monitors, reviews and retains such communications.
  • Inform employees that violations of the firm’s electronic communications policy may result in discipline or dismissal.

Employee Training
  • Include training on electronic communications policies and procedures in the firm’s initial and annual employee compliance training. Make sure to address specific restrictions and limitations placed on messaging and apps, along with consequences for violating the firm’s procedures.
  • Upon commencement of employment and annually thereafter, have all employees attest to:
      – Completion of all required training on electronic messaging
      – Compliance with the firm’s policies and procedures
      – Continued commitment to comply with the firm’s policies
  • Periodically remind employees of the dos and don’ts of electronic messaging.
  • Include electronic messaging in the firm’s annual risk assessment. Consider new forms of communications requested by clients or service providers when assessing the firm’s risk.

Supervisory Reviews
  • If social media, personal email or personal websites are permitted to be used for business purposes, make sure communications and changes to communications are monitored and archived. Messages should be monitored for key words and phrases.
  • Regularly review whether employees are utilizing social media in accordance with the firm’s policies.
  • Set up automated internet alerts when the firm’s name or an employee’s name appears on a website to help detect unauthorized use of electronic media (e.g., Google alerts).
  • Make sure employees know how they can confidentially report violations of the firm’s electronic communications policy.

Control over Devices
  • Require that staff get approval from IT or Compliance for email access on personal devices.
  • If a device will be used for business communications, load security software on the device to better protect it from hacking or malware. Software should automatically push out security patches, monitor for prohibited apps and be able to wipe the device if it is lost or stolen.
  • Limit remote access to the firm’s email server or other business applications to connections made through virtual private networks or other security apps, so that remote activity is segregated.

As technology continues to evolve and provide more ways to communicate with clients, the regulators will continue to scrutinize how firms are using and maintaining electronic messages. Stay ahead of the game by continuing to evaluate your firm’s risks, practices and controls regarding electronic communications and make improvements to your compliance program as needed.

Post written by Ariana Monchick
