The Securities and Exchange Commission's (the "Commission") Office of Compliance Inspections and Examinations ("OCIE") released a Risk Alert on December 14, 2018 encouraging investment advisers to review their Investment Advisers Act of 1940 (the "Advisers Act") Rule 204-2 and Advisers Act Rule 206(4)-7 compliance programs with respect to electronic messaging. The Risk Alert was prompted by the OCIE's observation of the increased use of non-email electronic communication, including text/SMS messaging, instant messaging, social media and the use of third-party applications, and the increased use of personal devices. The OCIE recommendations include the following:

Policies and Procedures:

  • permitting only those forms of electronic communication that can be used in compliance with the Advisers Act;
  • prohibiting the use of apps that allow anonymous communication or automatic destruction of messages or prohibit third-party viewing or backup;
  • requiring the retention and transfer of messages received on prohibited apps or services to a compliant electronic system; and
  • addressing the use of personal devices, social media, personal email accounts, personal websites, instant messaging, texting and information security.

Employee Training and Attestations:

  • conducting training on electronic communication policies and procedures and compliance therewith; and
  • soliciting feedback regarding forms of messaging requested by clients for use in the ongoing review and adaption of the firm's policies.

Supervisory Review:

  • monitoring and archiving, directly and through the use of third-party service providers, the use of electronic communications; and
  • conducting regular Internet and social media searches for unauthorized communication and the creation of a confidential reporting program.

Control over Devices:

  • requiring prior approval for the use of personal devices for business purposes, limiting remote access to virtual private networks, and the installation of security apps and software that enable the adviser to push security patches, monitor for prohibited apps, and remotely wipe out all devices. In addition to the specific recommendations noted above, the OCIE encourages advisers to stay abreast of evolving technology and regularly review their compliance policies and procedures in light of ongoing developments in electronic communication. The OCIE recommendations are applicable as well to broker-dealers.

The Risk Alert can be found here.

Originally published in REVERSEinquiries, Volume 2, Issue 1.

Originally published 22 January 2019

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.