SEC’s Latest Risk Alert Focuses on Electronic Communications

The SEC’s most recent risk alert, “Observations from Investment Adviser Examinations Relating to Electronic Messaging,” issued on December 14, 2019, focuses on the use and maintenance of electronic communications for business purposes. The purpose of the alert is to remind advisers of their obligations related to personal use of electronic messaging and the requirements for business-related electronic messages. Below are some best practices that can be used to help ensure your firm has reasonable controls in place for the use of electronic communications. We encourage all firms to review the full alert.

Policies and Procedures
  • Only permit electronic communications for business purposes if the messages can be supervised and retained in compliance with the books and records requirements of the Advisers Act.
  • Specifically prohibit the use of apps or other technology that gives employees the ability to communicate anonymously, automatically destroys messages or prohibits third-party backup and reviews.
  • If an employee receives an electronic message in a form that is prohibited by the firm for business purposes, require that the employee move the message to another electronic system where the firm can supervise and retain the communication in compliance with the Books and Records Rule. Include specific instructions on how employees can move such messages.
  • If a firm permits the use of personally owned mobile devices for business purposes, adopt and implement policies and procedures that address the use of electronic communications by employees, including social media, instant messaging, texting, personal email, personal websites and information security.
  • If a firm permits personnel to use social media, personal email accounts or personal websites for business purposes, address how the firm monitors, reviews and retains such communications.
  • Inform employees that violations of the firm’s electronic communications policy may result in discipline or dismissal.

Employee Training
  • Include training on electronic communications policies and procedures in the firm’s initial and annual employee compliance training. Make sure to address specific restrictions and limitations placed on messaging and apps, along with consequences for violating the firm’s procedures.
  • Upon commencement of employment and annually thereafter, have all employees attest to:
      – Completion of all required training on electronic messaging
      – Compliance with the firm’s policies and procedures
      – Continued commitment to comply with the firm’s policies
  • Periodically remind employees of the dos and don’ts of electronic messaging.
  • Include electronic messaging in the firm’s annual risk assessment. Consider new forms of communications requested by clients or service providers when assessing the firm’s risk.

Supervisory Reviews
  • If social media, personal email or personal websites are permitted to be used for business purposes, make sure communications and changes to communications are monitored and archived. Messages should be monitored for key words and phrases.
  • Regularly review whether employees are utilizing social media in accordance with the firm’s policies.
  • Set up automated internet alerts when the firm’s name or an employee’s name appears on a website to help detect unauthorized use of electronic media (e.g., Google alerts).
  • Make sure employees know how they can confidentially report violations of the firm’s electronic communications policy.

Control over Devices
  • Require that staff get approval from IT or Compliance for email access on personal devices.
  • If a device will be used for business communications, load security software on the device to better protect it from hacking or malware. Software should automatically push out security patches, monitor for prohibited apps and be able to wipe the device if it is lost or stolen.
  • Limit access to the firm’s email server or other business applications to connections made through virtual private networks or other security apps, to segregate remote activity.

As technology continues to evolve and provide more ways to communicate with clients, the regulators will continue to scrutinize how firms are using and maintaining electronic messages. Stay ahead of the game by continuing to evaluate your firm’s risks, practices and controls regarding electronic communications and make improvements to your compliance program as needed.

Post written by Ariana Monchick
