Registered investment advisers should take note of observations that the Office of Compliance Inspections and Examinations (OCIE) shared following a recent examination initiative. The observations offer firms useful guidance for strengthening their supervisory, compliance, and risk-management practices around the use of electronic messaging systems.
In December, OCIE issued a Risk Alert summarizing an examination initiative focused on registered investment advisers. The initiative was designed to better understand the various forms of electronic messaging that advisers and their personnel use, the risks of that use, and the challenges of complying with certain provisions of the Investment Advisers Act. OCIE undertook the initiative because it had observed adviser personnel increasingly using various types of electronic messaging for business-related communications.
“The purpose of this Risk Alert is to remind advisers of their obligations when their personnel use electronic messaging and to help advisers improve their systems, policies, and procedures by sharing the staff’s observations from these examinations,” the OCIE said.
Advisers Act Rule 204-2 (Books and Records Rule) requires advisers to make and keep certain books and records relating to their investment advisory business, including typical accounting and other business records as required by the Commission. Additionally, Advisers Act Rule 206(4)-7 (Compliance Rule) requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act.
According to OCIE, several changes in how adviser personnel communicate, and in how mobile and personally owned devices are used, pose challenges for advisers in meeting their obligations under these two rules. “These changes include the increasing use of social media, texting, and other types of electronic messaging apps, and the pervasive use of mobile and personally owned devices for business purposes,” OCIE stated.
OCIE’s examination initiative focused on whether and to what extent advisers complied with the Books and Records Rule and adopted and implemented policies and procedures as required by the Compliance Rule. During the initiative, the staff observed a range of practices with respect to electronic communications, including advisers that did not conduct any testing or monitoring to ensure compliance with firm policies and procedures.
The staff identified the following practices that it believes might assist advisers in meeting their record retention obligations under the Books and Records Rule and their implementation and design of policies and procedures under the Compliance Rule:
Policies and procedures
- Permitting only those forms of electronic communication for business purposes that the adviser determines can be used in compliance with the books and records requirements of the Advisers Act.
- Specifically prohibiting business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or backup.
- Where an employee receives a business-related electronic message through a form of communication the firm prohibits for business purposes, establishing firm procedures that require the employee to move the message to an electronic system the adviser has determined can be used in compliance with its books and records obligations, with specific instructions to employees on how to do so.
- Where advisers permit the use of personally owned mobile devices for business purposes, adopting and implementing policies and procedures addressing such use with respect to, for example, social media, instant messaging, texting, personal e-mail, personal websites, and information security.
- If advisers permit their personnel to use social media, personal email accounts, or personal websites for business purposes, adopting and implementing policies and procedures for the monitoring, review, and retention of such electronic communications.
- Including a statement in policies and procedures informing employees that violations may result in discipline or dismissal.
Employee training and attestations
- Requiring personnel to complete training on the adviser’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging and electronic apps and the adviser’s disciplinary consequences of violating these procedures.
- Obtaining attestations from personnel at the commencement of employment with the adviser and regularly thereafter that employees (i) have completed all of the required training on electronic messaging, (ii) have complied with all such requirements, and (iii) commit to do so in the future.
- Providing regular reminders to employees of what is permitted and prohibited under the adviser’s policies and procedures with respect to electronic messaging.
- Soliciting feedback from personnel as to what forms of messaging are requested by clients and service providers for the adviser to assess their risks and how those forms of communication may be incorporated into the adviser’s policies.
Supervisory review
- For advisers that permit use of social media, personal email, or personal websites for business purposes, contracting with software vendors to (i) monitor the social media posts, emails, or websites, (ii) archive such business communications to ensure compliance with record retention rules, and (iii) ensure that they have the capability to identify any changes to content and compare postings to a lexicon of key words and phrases.
- Regularly reviewing popular social media sites to identify if employees are using the media in a way not permitted by the adviser’s policies. Such policies included prohibitions on using personal social media for business purposes or using it outside of the vendor services the adviser uses for monitoring and record retention.
- Running regular Internet searches or setting up automated alerts to notify the adviser when an employee’s name or the adviser’s name appears on a website to identify potentially unauthorized advisory business being conducted online.
- Establishing a reporting program or other confidential means by which employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications. Particularly with respect to social media, colleagues may be “connected” or “friends” with each other and see questionable or impermissible posts before compliance staff notes them during any monitoring.
Control over devices
- Requiring employees to obtain prior approval from the adviser’s information technology or compliance staff before they can access firm e-mail servers or other business applications from personally owned devices. This may help advisers understand each employee’s use of mobile devices to engage in advisory activities.
- Loading certain security apps or other software, typically mobile device management (MDM) software, on company-issued or personally owned devices before allowing them to be used for business communications. Such software enables advisers to (i) “push” mandatory security patches to the devices to better protect them from hacking or malware, (ii) monitor for prohibited apps, and (iii) “wipe” the device of locally stored information if it is lost or stolen. For personally owned devices, advisers commonly limit the wipe to firm data and applications rather than the employee's personal data.
- Allowing employees to access the adviser’s email servers or other business applications only through a virtual private network or other security apps, so that remote activity is segregated and the adviser’s servers are better protected from hackers or malware.
In conclusion, OCIE said the key message is that it “encourages advisers to review their risks, practices, policies, and procedures regarding electronic messaging and to consider any improvements to their compliance programs that would help them comply with their regulatory requirements. OCIE also encourages advisers to stay abreast of evolving technology and how they are meeting their regulatory requirements while utilizing new technology.”