SEC OCIE Issues Guidance on Investment Advisers’ Recordkeeping Requirements for Electronic Messaging
Client Alerts | January 15, 2019 | Hedge Funds
On December 14, 2018, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission (the “SEC”) issued a risk alert (the “Risk Alert”) to remind SEC-registered investment advisers (“RIAs”) of their obligations when their personnel use electronic messaging, such as text messages, instant messaging, personal email or messaging apps, and to help RIAs improve their compliance policies regarding electronic messaging. This client alert describes the Risk Alert and offers some practical guidance for RIAs.
Background – Books and Records Rule and Compliance Rule
Rule 204-2 (the “Books and Records Rule”) under the Investment Advisers Act of 1940, as amended (the “Advisers Act”) requires RIAs to make and keep certain books and records relating to their investment advisory business, including typical accounting and other business records. For example, Rule 204-2(a)(7) requires RIAs to make and keep “[o]riginals of all written communications received and copies of all written communications sent by such investment adviser relating to (i) any recommendation made or proposed to be made and any advice given or proposed to be given, (ii) any receipt, disbursement or delivery of funds or securities, (iii) the placing or execution of any order to purchase or sell any security, or (iv) the performance or rate of return of any or all managed accounts or securities recommendations,” subject to certain limited exceptions. As a reminder, this includes, for example, written communications by the RIA related to securities recommendations to clients, written investment recommendations from brokers, consultants, etc., wire transfer instructions and broker buy/sell orders.
Additionally, Rule 204-2(a)(11) requires RIAs to make and keep a copy of each notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication that the RIA circulates or distributes, directly or indirectly, to ten or more persons. This includes, for example, due diligence questionnaires, investor letters and performance information given to prospective investors.
Rule 206(4)-7 (the “Compliance Rule”) under the Advisers Act requires RIAs to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and rules thereunder. According to the adopting release of the Compliance Rule, each RIA should identify compliance factors creating risk exposures for the firm and its clients in light of the RIA’s particular operations and design policies and procedures that address those risks. In the adopting release, the SEC stated that an RIA’s policies and procedures should address, to the extent relevant to the RIA, “[t]he accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction,” among other things. The Compliance Rule also requires an RIA to review, at least annually, the adequacy of its compliance policies and procedures and the effectiveness of their implementation.
In the Risk Alert, the Staff of OCIE (the “Staff”) noted that the increased use of social media, texting and other types of electronic messaging apps and the pervasive use of mobile and personally owned devices for business purposes pose unique challenges for RIAs in meeting their obligations under both the Books and Records Rule and the Compliance Rule. Below is an outline of the practices that the Staff identified as potentially helpful to RIAs in satisfying their obligations under these rules.
Policies and Procedures
• Permitting only those forms of electronic communication for business purposes that the RIA determines can be used in compliance with the Books and Records Rule.
• Prohibiting business use of apps and other technologies that can be easily misused by allowing an employee to communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up. There are numerous apps that may fall under this category, but some of the more popular apps include Telegram, Snapchat, WeChat and Nimbuzz.
• Implementing procedures for employees who receive electronic messages for business purposes using a form of communication that is not approved by the firm, whereby such employees must move such messages to another electronic system that the RIA determines can be used in compliance with the Books and Records Rule, and providing clear instructions to employees on how to do so. An example of this could be requiring employees who have business-related conversations on WhatsApp to copy, perhaps daily, all threads into an email sent to themselves at their business email address so that compliance has access to those conversations. Alternatively, RIAs could require personnel to provide compliance with their app credentials to allow the RIA to monitor business communications. Concerns around employee privacy could be mitigated by requiring employees to create work-related accounts on any such apps.
• Implementing policies addressing the use of personally owned mobile devices for business purposes with respect to, for example, social media, instant messaging, texting, personal email, personal websites and information security.
• Implementing policies for the monitoring, review and retention of electronic communications for business purposes by RIA personnel on social media, personal email accounts or personal websites.
• Including a statement in their compliance policies that violations may result in discipline or dismissal.
Employee Training and Attestations
• Requiring personnel to complete training on the RIA’s policies and procedures regarding the use of electronic messaging and apps.
• Obtaining attestations from personnel at the commencement of employment and regularly thereafter that they (i) have completed the required training on electronic messaging, (ii) have complied with all such requirements and (iii) commit to do so in the future. In our experience, the common market practice is to secure attestations along these lines at least annually.
• Providing regular reminders to employees of what is permitted and prohibited with respect to electronic messaging.
• Soliciting feedback from personnel as to what forms of messaging are requested by clients and service providers so that the RIA can assess the risks related to such messaging mediums and determine how those forms of communication may be incorporated into the RIA’s policies.
• For RIAs that permit use of social media, personal email or personal websites for business purposes, contracting with software vendors (i) to monitor the social media posts, emails or websites, (ii) to archive such business communications and (iii) to identify any changes to content and compare postings to certain key words and phrases.
• Regularly reviewing popular social media sites to see if employees are using them in a way not permitted by the RIA’s policies. The Staff noted that social media policies included prohibitions on using personal social media for business purposes or using it outside of the vendor services the RIA uses for monitoring and record retention.
• Running regular Internet searches or setting up automated alerts to notify the RIA when an employee’s name or the RIA’s name appears on a website to identify potentially unauthorized advisory business being conducted online.
• Establishing a reporting program by which employees can confidentially report concerns about a colleague’s electronic messaging, website or use of social media for business communications. The Staff noted that, for example, colleagues may be “connected” or “friends” with each other allowing them to see questionable or impermissible posts before the compliance staff identifies them.
Control over Devices
• Requiring employees to obtain approval from the RIA’s information technology or compliance staff before they are permitted to access firm email servers or other business applications from personally owned devices.
• Loading certain security apps or other software on company-issued or personally owned devices prior to allowing them to be used for business communications. For example, the Staff noted that mobile device management software is available that enables RIAs (i) to “push” mandatory cybersecurity patches to the devices to better protect the devices from hacking or malware, (ii) to monitor for prohibited apps and (iii) to “wipe” the device of all locally stored information if the device were lost or stolen.
• Allowing employees to access the RIA’s email servers or other business applications only by virtual private networks or other security apps to segregate remote activity to help protect the RIA’s servers from hackers or malware.
The Risk Alert urged RIAs to carefully review their compliance policies regarding electronic messaging and consider any improvements that would help them comply with their regulatory requirements. The Staff also encouraged RIAs to stay abreast of evolving technology and how they are meeting their regulatory requirements while utilizing new technology.
Notably, the Risk Alert acknowledges the ability of RIA personnel to use personal devices, social media and texting or instant messaging for business purposes, provided the RIA maintains policies to comply with applicable regulations. Nevertheless, in our experience, many RIAs prohibit the use of personal social media and email accounts for business purposes.
The Risk Alert could serve as a signal to the industry that in future examinations by the Staff, RIAs may face increased scrutiny and/or decreased leniency regarding their policies relating to electronic communications, especially in respect of compliance with the Books and Records Rule and the Compliance Rule.
Securities and Exchange Commission, Office of Compliance Inspections and Examinations, Risk Alert: Observations from Investment Adviser Examinations Relating to Electronic Messaging (Dec. 14, 2018). Note that, for ease of reference, this client alert includes substantially all of the substance of the Risk Alert.