On April 3, 2024, the US Securities and Exchange Commission (“SEC”) brought its first enforcement action against a “stand-alone” SEC registered investment adviser (“RIA”) for violations of, among others, Section 204 of and Rule 204-2(a)(7) under the Investment Advisers Act of 1940 (“Advisers Act”) arising from off-channel communications (“April Enforcement Action”).¹ While the SEC has already brought a number of prior enforcement actions as part of its “off-channel communications” initiative, each of those prior actions were brought against broker-dealers, firms that were dually registered as RIAs and broker-dealers, or, in two instances, against RIAs affiliated with broker-dealers as part of an action against those broker-dealers,² for, among other things, violations of the recordkeeping requirements under the Securities Exchange Act of 1934 and the Advisers Act.³

Notably, this action was published less than three months after the SEC’s last enforcement actions for similar violations,⁴ signaling the consistent and heightened regulatory interest in this topic since at least 2021. Similar to the prior actions, the primary issue from an Advisers Act perspective is a failure to retain records that are required to be retained under the Advisers Act. However, in this enforcement action, the SEC also focused on the RIA’s compliance policies and procedures, which expressly and specifically addressed electronic communications and recordkeeping, and which employees (including senior officers and managers) repeatedly violated. According to the SEC, the firm had adopted policies regarding the retention of business-related records, including electronic communications, in compliance with Advisers Act recordkeeping requirements. The policies specifically provided that the RIA would “retain all electronic communications that it sends and receives.” The SEC noted that the firm’s approved communication methods were designed to do just that. 

The policies also prohibited employees from using non-firm communication services for any business purpose; provided that the use of unapproved electronic communication methods, including on their personal devices, was not permitted; and provided that they should not use personal email, any form of text messaging, iMessage, or PIN-to-PIN messaging to transmit work-related messages. Although the firm’s policies permitted employees to make temporary use of alternative communication methods during emergencies or technological disruptions, the policies also required employees to report such use and copy those communications to their business email accounts so that the communications could be archived. 

Under the firm’s policies, the firm was permitted to access employees’ personal devices and review them for any off-channel communications.⁵ In addition, according to the SEC, the firm’s policies “were designed to ensure that supervisory employees supervised and trained employees in the communications and recordkeeping policies.” These policies included: notice to employees that their electronic communications were subject to surveillance by the firm, and that all communications were required to be retained; mandatory annual compliance policy training for all employees, including senior officers; and annual written acknowledgement from employees that they read, understood, and abided by the RIA’s compliance policies. 

In practice, however, the SEC found that the RIA failed to implement procedures to monitor whether its employees were following these policies. Over a period of three years (during which the firm responded to SEC record requests and document subpoenas),⁶ employees sent and received thousands of business-related messages using off-channel communications in violation of the firm’s policies.⁷ For example, three senior officers and a managing director used personal devices to send and receive thousands of text messages related to firm business, including communications within the scope of Rule 204-2(a)(7).⁸

The use of these off-channel communications was not approved or reported as provided in the compliance policies, and the communications were not archived or retained.⁹ Further, no employee copied their business messages for retention. According to the settlement order, numerous messages related to matters within the scope of Advisers Act Rule 204-2(a)(7), such as communications related to recommendations made or proposed to be made, and advice given or proposed to be given about securities.

In addition, even though the RIA had the authority to do so under the communication policies, the RIA did not access employees’ personal devices to determine whether they were complying with those policies. In the SEC’s view, because the RIA did not monitor or collect off-channel communications, it failed to keep these messages as its policies and procedures required.

The SEC found that the RIA violated Section 204 of the Advisers Act and Rule 204-2(a)(7) thereunder, as well as and unlike prior orders, Section 206(4) and Rule 206(4)-7 thereunder.¹⁰ In addition, the SEC found that the RIA failed reasonably to supervise certain of its employees, with a view to preventing them from aiding and abetting violations of the foregoing, within the meaning of Advisers Act Section 203(e)(6). 

The SEC ordered the RIA to pay a civil monetary penalty of $6.5 million, and similar to prior orders, engage a compliance consultant. In terms of remedial efforts, the SEC noted that the RIA had revised its policies and procedures prior to the entry of the enforcement action against it. Under the revised policies, the firm provided employees with firm-issued cell phones (which automatically upload communications to the firm’s archiving system for retention) to reduce opportunities for off-channel communications.

As was the case with prior enforcement actions, the off-channel communications at issue in this case were conducted on the personal devices of the firm’s employees. The use of personal devices for business communications create numerous regulatory and legal challenges related not only to recordkeeping and monitoring, but also, as the SEC pointed out in this case, challenges in responding to regulatory examinations, inquiries, and investigations. Compounding the issues in this case were the firm’s own policies and procedures, which included words that operated as a sword rather than a shield, as well as the compounding fact of senior and supervisory personnel being personally involved in the violations. 

Going forward, RIAs should expect additional enforcement actions of this nature as well as enhanced regulatory scrutiny of this topic during examinations and investigations. The prior enforcement actions (of which there have been approximately 40 settled cases since 2021, with penalties ranging from $1.25 million to $125 million) provide a roadmap of “lessons learned,” particularly the section in the orders regarding the use of compliance consultants. Further, in a recent speech,¹¹ the Deputy Director of the SEC’s Division of Enforcement outlined additional factors that the staff considers in determining penalties (which also would likely be relevant to enforcement decisions as a threshold matter), some of which include: 

• the size of the firm, including the firm’s revenue from its regulated business and the number of registered professionals, “to ensure that the penalties are adequate to serve as a deterrent against future violations.”;
• the scope of the violations (e.g., how many individuals communicated off-channel, and how many off-channel communications were there?);¹² 
• the firm’s efforts to comply with its recordkeeping obligations and to prevent off-channel communications (in this regard, the staff would focus on, for example, the timely adoption of “meaningful” technological or other solutions);
• self-reporting, which is, according to the Deputy Director, “the most significant factor in terms of moving the needle on penalties”; and 
• cooperation.¹³

In sum, RIAs have received fair warning at this point, and should critically evaluate their policies and procedures in light of this enforcement action, as well as those before it, and institute appropriate monitoring and other controls regarding the use of personal devices and off-channel communications. In addition, RIAs should consider engaging a service provider to conduct a formal review or a “mock” examination of its electronic communication and recordkeeping policies, procedures and internal controls, which would not only provide a substantive review of the same but also would test the RIA’s ability to respond to a “mock” regulatory request quickly and accurately.

¹ Advisers Act Release No. 6581 (April 3, 2024). The SEC further found that the RIA also violated Advisers Act Section 204A and Rule 204A-1, but these violations were based on facts unrelated to the recordkeeping violations. 

² See, e.g., Press Release, SEC, “Sixteen Firms to Pay More Than $81 Million Combined to Settle Charges for Widespread Recordkeeping Failures” (Feb. 9, 2024) [February 2024 Cases]; Press Release, SEC, “SEC Charges 10 Firms with Widespread Recordkeeping Failures” (Sept. 29, 2023); Press Release, SEC, “SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures” (Aug. 8, 2023); and Press Release, SEC, “SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures” (Sept. 27, 2022).

³ Specifically regarding the Advisers Act, the RIAs in those cases were found to have violated, among others, Rule 204-2(a)(7), which generally requires RIA to retain written communications related to investment recommendations and advice. 

⁴ See February 2024 Cases referenced in footnote 2 above. The civil penalties in this group of actions ranged from $1.25 million to $16.5 million. See our Legal Update, WhatsApp All Over Again: The SEC Brings More Recordkeeping Charges Against Broker-Dealers And Investment Advisers For Off-Channel Communications (Feb. 13, 2024). 

⁵ Note that the policies did not require the firm to access the personal devices or review them.

⁶ Similar to prior orders, much of the conduct at issue occurred during the height of the COVID-19 pandemic, from January 2019 through December 2021.

⁷ The messages reflected discussion between and among senior officers, managing directors, employees, fund investors, and other financial-industry participants.

⁸ Interestingly, the SEC stated that at least three senior officers had their personal devices set to automatically delete messages after 30 days. As a result, the RIA and SEC staff could not quantify the actual number and subject matter of all off-channel communications at the RIA. However, messages retrieved from devices of other personnel that communicated with these senior officers were not set to auto-delete, which confirmed that business-related messages (including communications required to be kept under the Advisers Act) had in fact been auto-deleted.

⁹ As mentioned above, the firm’s policies permitted employees to make temporary use of alternative communication methods during emergencies or technological disruptions, provided that they reported such use and copied the communications to their business email accounts so that the communications could be archived. 

¹⁰ Section 206(4) and Rule 206(4)-7 require RIAs to adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act and the rules thereunder.

¹¹ Remarks at SEC Speaks 2024, Sanjay Wadhwa, Deputy Director, Division of Enforcement (April 3, 2024).

¹² Notably, in this present case, the SEC specifically pointed out that they were unable to determine this given the auto-delete function on a number of the devices at issue. See footnote 8 above.

¹³ According to SEC Chair Gary Gensler, “meaningful” cooperation involves “more than showing up for testimony or producing documents under subpoena. It means going above and beyond to self-report, cooperate, and remediate.” Gary Gensler, Chair, SEC, Partners of Honest Business and Prosecutors of Dishonesty: Remarks Before the 2023 Securities Enforcement Forum (Oct. 25, 2023).

[View source.]