The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert on December 14, 2018 concerning the use of electronic messaging by registered investment advisers and their personnel.¹ The Risk Alert, which draws on the staff’s observations from a limited-scope examination initiative that surveyed advisers regarding their use of electronic messaging, is intended to “remind” advisers of certain obligations under the Investment Advisers Act of 1940 that may apply to electronic messages, and to help advisers by providing “examples of practices that the staff believes may assist advisers” to improve their relevant systems, policies and procedures. Electronic messages include “written business communications” via text message, instant message, personal/private message, personal email, personal websites and social media posts that are “conducted on the adviser’s systems or third-party applications [ ] or platforms” or sent on adviser computers, adviser-issued mobile devices or personally owned devices that are used for business purposes, but not emails via an adviser’s email system.²

According to the Risk Alert, the staff recently conducted a “limited-scope examination initiative” to better understand: how electronic messaging is currently used by advisers; the risks involved with electronic messaging and how advisers are addressing such risks; and potential compliance issues that may arise under certain provisions of the Advisers Act. As part of this initiative, the staff reviewed the electronic messaging practices and policies and procedures of advisers. In a departure from prior guidance statements regarding social media and prior Risk Alerts, here OCIE is focused on examples of policies and procedures it looks upon favorably. The Risk Alert notes that “other types of regulated financial services entities may face similar challenges with new communication tools and methods.”

Books and Records and Compliance Rules

The Risk Alert focuses on compliance issues that may arise under Advisers Act Rules 204-2 (Books and Records Rule) and 206(4)-7 (Compliance Rule) from the use of electronic messaging by an adviser and its employees. As background, the Books and Records Rule requires advisers to maintain for a period of time certain books and records that relate to their advisory business, including certain advertisements, marketing materials and client communications. The SEC has long emphasized the importance of maintaining records to allow for reasonable supervision, and the Risk Alert points to the proposing release for the Compliance Rule, which emphasized the accurate creation and secure maintenance of required records. The staff noted in the Risk Alert that recent “changes in the way mobile and personally owned devices are used,” such as the growing popularity of texting, social media, and other applications that are capable of electronic messaging and the “pervasive use” of personally owned devices for business purposes, “pose challenges for advisers in meeting their obligations under the Books and Records Rule and the Compliance Rule.”

Risk Alert

Based on the staff’s observations from the limited-scope examination initiative, the staff indicated that it “observed a range of practices,” and that the following practices may help advisers (and their employees) that engage in electronic communications comply with the requirements of the Books and Records Rule and the Compliance Rule:

Policies and Procedures. The staff identified several processes an adviser might adopt that could provide guidance for employees engaging in electronic messaging activities for business purposes, including:

• Designation of permitted and prohibited forms of communication for business purposes. The staff highlighted the practice of permitting employees to use electronic communications for business purposes only on platforms and devices that the adviser has determined to be capable of being used in a manner compliant with the Books and Records Rule. The staff identified the practice of prohibiting employees from using any “apps or other technologies” with features that could prevent an adviser from properly monitoring, reviewing and retaining such communications (e.g., applications that permit anonymous communications or the automatic deletion of messages, or that otherwise enable employees to circumvent third-party review and retention).
• Procedures for moving communication from a prohibited to a permitted system. The staff highlighted the adoption of procedures to govern a potential scenario where an employee receives an electronic message in a manner that is not permitted under the adviser’s policies and procedures, including instructions as to how to properly move such messages to a system permitted by the adviser.
• Procedures for bring-your-own-device and business communications using personal accounts. Where an adviser permits its employees to use personally owned devices for business purposes, the staff highlighted the adoption of policies and procedures that govern how employees may use their devices for business purposes (e.g., how such devices may be used with respect to “social media, instant messaging, texting, personal email, personal websites, and information security”). Further, the staff highlighted the adviser’s adoption of procedures for monitoring and reviewing the use of social media, personal websites, and personal email accounts by its employees for business purposes and to provide for the retention of any electronic communications.
• Informing employees of consequences of policy violations. The staff identified the practice of expressly stating in the adviser’s policies and procedures that violating such policies and procedures concerning electronic messaging could lead to disciplinary action or termination of employment.

Employee Training and Attestations. The staff identified several practices that help to ensure employees are familiar with the adviser’s electronic messaging policies and procedures and to inform the adviser about new forms of messaging that have been requested by clients or service providers for possible implementation, including:

• Periodic training and reminders of firm policy. If the adviser restricts the extent to which employees may use electronic messaging for business purposes, the staff highlighted the adoption of mandatory training for employees regarding these restrictions. The staff noted that the training should cover the potential disciplinary actions that may result from a policy violation. The staff also highlighted the practice of periodically reminding employees about the types of electronic messaging that are permitted (and prohibited) under the adviser’s policies and procedures.
• Regular employee attestations. The staff highlighted the practice of obtaining written confirmations from employees indicating that they have completed the mandatory training and complied with the adviser’s electronic messaging policies and procedures and will continue to do so going forward. The staff also highlighted the practice of obtaining such confirmations upon employment and at regular intervals thereafter.
• Solicitation of feedback from personnel on potential new systems. The staff highlighted the creation of a channel through which employees can inform management of a client’s or service provider’s requests for forms of electronic messaging, so that the adviser can consider whether a new method of communication can be integrated into its policies and procedures.

Supervisory Review. The staff identified several practices relating to review by the adviser of the electronic messaging activities of its employees and the retention of any electronic communications made for business purposes, including:

• Engaging third parties to monitor personal communications for business purposes. The staff identified the practice of contracting a third-party service provider to monitor the electronic messaging activities of the adviser’s employees and to archive any business communications consistent with the Books and Records Rule. The staff noted that the service provider should be capable of identifying “changes to content” of the applicable social media or website, and searching the content for “key words and phrases.”
• Regular review of employees’ social media activity. The staff identified the practice of reviewing the activities of the adviser’s employees on “popular social media sites” to confirm that their activities are consistent with the adviser’s policies and procedures.
• Routine searches/alerts for employees and adviser online. The staff identified the practice of periodically searching the internet for “unauthorized advisory business” conducted online on behalf of the adviser or by its employees.
• Enabling of confidential reporting by colleagues. The staff highlighted the creation of a program through which employees can internally report any electronic messaging activities of co-workers that are potentially inconsistent with the adviser’s policies and procedures.

Control over Devices. The staff identified several practices relating to employees’ use of personally owned devices for business purposes, as well as security safeguards that an adviser might adopt in an attempt to mitigate certain security risks associated with permitting employees to remotely access an adviser’s email server (or other business applications), including:

• Proper onboarding of bring-your-own device. The staff highlighted the practice of requiring pre-approval from the adviser’s compliance or information technology staff before employees are permitted to access the adviser’s email servers (or other business applications) through a personally owned device.
• Installation of security software on all devices. The staff highlighted the practice of requiring employees to install security software on any devices (company-issued or personally owned) that are expected to be used for business communications. The staff noted that software currently available on the market enables advisers to install periodic security updates on devices, monitor devices for prohibited applications and wipe information stored on stolen or compromised devices.
• Remote access through secure means. The staff identified the practice of authorizing employees to remotely access the adviser’s email servers or other business applications only through a virtual private network or other security application to protect against malware and hackers.

Implications for Advisers

While the Risk Alert draws a distinction between e-mail maintained on firm systems, and all other types of electronic communication, advisers have long contended with the challenges of maintaining instant messages and web-based communication not native to the adviser’s own systems. The Risk Alert serves as a reminder that the regulatory framework applicable to investment advisers continues to apply even though the ways in which firms communicate internally, with clients and with the public have evolved with the advent of social media and other forms of electronic communication. It also encourages advisers to stay current on “evolving technology.” Advisers may want to review their compliance policies and procedures in light of their business and technology practices to make sure that they reasonably capture how the adviser and its employees utilize electronic messaging and calibrate such policies and procedures to mitigate risks reflected in the Risk Alert. The staff indicates that the Risk Alert is not intended to be a comprehensive instruction for how advisers should address electronic communications. As such, advisers also may want to revisit earlier SEC guidance that touches on the subject of electronic communications.³