Key Points

  • On December 14, the SEC's OCIE issued a Risk Alert summarizing the findings of its limited-scope examination initiative relating to electronic messaging.
  • Noting a "pervasive use" of electronic messaging by adviser personnel for business purposes, the Risk Alert identifies effective ways to mitigate risk around the use of electronic messaging, including formal policies and procedures, employee training and attestations, supervisory review and controls associated with employee use of personal devices for adviser business.
  • The Risk Alert encourages advisers to assess how innovations in technology require them to review and adjust, as needed, their compliance programs to ensure compliance with recordkeeping and other regulatory requirements.

Background

Like many businesses, advisers and their employees now rely on an increasing variety of electronic communications for work purposes, including text/SMS messaging, instant messaging, personal email, and smartphone applications. In response to this trend, and with a concern for compliance with recordkeeping requirements of the Investment Advisers Act of 1940 ("Advisers Act"), the Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) conducted a limited-scope examination initiative of advisers that was designed to obtain an understanding of the various forms of electronic messaging used by advisers and their employees, the risks of such use and the challenges in complying with the Advisers Act.

The Risk Alert outlines OCIE's findings from the initiative and provides an overview of the applicable Advisers Act rules and best practices for compliance with respect to electronic messaging.

Books and Records Rule

Rule 204-2 requires advisers to make and keep certain books and records relating to the adviser's business. In key part, Subsection (a)(7) of Rule 204-2 requires advisers to make and keep records of all written communications sent or received by an adviser and its personnel regarding a wide variety of matters, including investment advice, buy/sell orders, receipt and distribution of funds or securities, and the performance of managed accounts or recommended securities. Additionally, Subsection (a)(11) requires advisers to make and keep a copy of each notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication that the investment adviser circulates or distributes, directly or indirectly, to 10 or more persons.

The Risk Alert states that "a number of changes in the way mobile and personally owned devices are used pose challenges for advisers" in meeting their obligations under Rule 204-2 and the broader obligation that advisers adopt and implement written policies and procedures that are designed to prevent violations of the Advisers Act and rules thereunder.

Best Practices and Key Takeaways

The Risk Alert provides a list of best practices with respect to electronic messaging that OCIE observed in its limited-scope examination initiative.[1] OCIE recommended that advisers limit electronic communications to certain expressly permitted applications, and it identified particularized risks associated with so-called ephemeral messaging apps, which allow for automatic destruction of communications after a certain amount of time, as well as apps that allow for anonymous communication and do not allow for third-party viewing or backup. Relatedly, the Risk Alert addresses monitoring, review and retention of social media posts and activity, personal websites and personal email that relate to adviser business.

Of further note, the Risk Alert addresses the use of programs by advisers through which employees can access firm email and other business applications from personally owned devices (also known as "Bring Your Own Device" programs). The use of non-firm-owned computer equipment in an adviser's information technology environment creates additional risk, and, accordingly, the Risk Alert identifies the benefits of security applications or other software that allow advisers to (1) automatically load cybersecurity tools and patches on employee-owned devices; (2) monitor employee-owned devices for prohibited applications; (3) remotely delete locally stored information from a device if the device is lost or stolen; and (4) require the use of virtual private networks or other security applications when employees access firm email servers or other business applications.

We recommend reviewing the full list of OCIE's recommended practices in the Risk Alert.

Conclusion

Given OCIE's attention to electronic messaging and the resources that it committed to this limited-scope examination initiative and Risk Alert, advisers in future examinations are likely to face inquiries regarding their policies and procedures for retaining electronic messages and may be asked to produce records from a variety of electronic messaging sources based on the particularities of their businesses. More information on electronic messaging in SEC examinations and investigations is available in this article, which we published earlier this year.

Footnote

[1] Of note, OCIE specifically excluded email use on advisers' systems, given the "decades of experience" that advisers have with respect to monitoring firm email as it pertains to their business, adding that third-party applications and platforms pose more difficult challenges.