The increasingly widespread use and acceptance of various types of online communications have made it more attractive — for both firms and clients — to conduct business online, while at the same time making it more doubtful that all advisory personnel can be relied upon to observe all firm prohibitions on such conduct. In response, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a December 14, 2018, “Risk Alert” that may well accelerate the trend for firms to permit their advisory personnel to use a broad range of electronic business communications.
The Risk Alert addresses, for example, text/SMS messaging, instant messaging, and personal or private messaging used by advisory personnel for business purposes. In general, the Risk Alert covers such “Electronic Messaging” regardless of whether systems or applications (“apps”) of the firm or a third party are being used and regardless of who owns the computers or mobile devices being used. However, the Risk Alert does not cover emails using an advisory firm’s systems, as OCIE believes that firms already have considerable experience in administering compliance arrangements for those transactions.
Although the Risk Alert by its terms applies only to investment advisers, many of the ideas expressed apply equally to Electronic Messaging by registered representatives of broker-dealer firms, including those who offer insurance products. See “FINRA Issues New Guidance on Social Media and Digital Communications,” Expect Focus Life Insurance, Vol. II (June 2017).
The Risk Alert suggests a number of steps that firms may consider to promote regulatory compliance, including:
requiring advisory personnel who receive communications in a form prohibited by the firm to move those communications to an electronic system that the firm permits and providing “specific instructions” to such personnel on “how to do so”;
conducting regular internet searches and “regularly reviewing popular social media sites to identify if employees are using the media in a way not permitted” by the firm; and
establishing confidential means by which advisory personnel “can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications.”
Although the Risk Alert does not mandate these particular procedures, OCIE probably will be expecting firms to observe compliance procedures that are reasonably designed, in light of the firms’ own circumstances, to ensure that advisory personnel are complying with any prohibitions the firm imposes on particular types of communications.
Just Say No?
To the extent that advisers, therefore, may be faced with administering increasingly cumbersome procedures in connection with prohibitions, just saying “no” can become a more costly and unattractive option.
The Risk Alert does, however, suggest that firms consider prohibiting:
any forms of Electronic Messaging that the firm has not determined can be used in compliance with the books and records requirements under the Investment Advisers Act; or
any “apps or other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up.”
How to Say “Yes”
The Risk Alert also may encourage broader use of Electronic Messaging by suggesting a number of procedures that can help firms comply with regulatory requirements. In this connection, OCIE notes:
“[Some] advisers that permit use of social media, personal email, or personal websites for business purposes [contract] with software vendors to (1) monitor the social media posts, emails, or websites, (2) archive such business communications to ensure compliance with record retention rules, and (3) ensure that they have the capability to identify any changes to content and compare postings to a lexicon of key words and phrases.”
Although adequate vendor-supplied services currently may not be available or practical in many circumstances, the number and capabilities of such vendors are expanding.
The Risk Alert also suggests other possible procedures for training and supervision of advisory personnel in their use of Electronic Messaging, including requiring advisory personnel to obtain prior approval and load certain security apps, software, or virtual private networks before accessing firm email servers or other business applications from personal devices.
Reading Between the Lines
Of course, investment advisory firms — and also broker-dealers — should consider the extent to which the procedures cited in the Risk Alert may be appropriate to the firms’ current practices. But perhaps more importantly, the Risk Alert implicitly affirms the industry trend toward expanded uses of Electronic Messaging and signals a non-dogmatic and (hopefully) helpful attitude by the SEC staff in policing compliance in this area.