NEW YORK (Thomson Reuters Regulatory Intelligence) - The practice of electronic messaging is expanding among registered investment advisers, and firms must clearly define how they approach the use of services, platforms and permitted devices.
A defined approach to all written communications delivered electronically will aid in creating relevant policies and procedures that define the firm’s monitoring program, refine record-keeping practices and ensure information security and privacy.
The scope of electronic messaging is expanding rapidly and is no longer limited to email. Advisers must be prepared to address practices including instant messaging, text/SMS messaging and personal or private messaging.
Electronic messaging falls under Rule 204-2 of the Investment Advisers Act. It must be maintained and preserved in an easily accessible place for not less than five years; the first two years must be retained in an appropriate office of the adviser.
The retention requirement is paired with the ability to evaluate and supervise the communications for compliance. The rule requires periodic reviews, which will usually translate into daily, monthly or quarterly reviews, depending on the firm’s volume.
The SEC takes interest in electronic communications during an examination and will most likely request a copy of the firm’s policies and procedures on the topic, along with any documents supporting the supervision and review of the communications.
The SEC also may request written information concerning the firm’s approach to electronic messaging. The SEC will most likely expect a description of the adviser’s and its associated persons’ use of electronic services and platforms, including what is and is not permitted.
The description should also include any differences in the use by personnel. For example, an investment advisory representative may be permitted to use different services or platforms than a trader.
The SEC may also request written information concerning the devices that are permitted or prohibited. A firm should outline whether it uses company-owned devices or employs a bring-your-own-device (BYOD) policy, or some combination.
The description may include the differences in what can be used with a firm-provided device versus a personally owned device. This will usually include smartphones and tablets but a firm should also include company-owned computers and those owned personally. In addition, a firm may want to describe what types of applications are used with those devices.
An exam team may also request a detailed inventory of what devices are used and by whom.
Importantly, a firm that has decided to limit electronic communication to email must have policies and procedures to support that, including a process for the firm to supervise this limited prohibition.
Without a defined approach, a firm’s policies and procedures will most likely be inadequate to effectively supervise the firm’s activities. Therefore, a firm must have a custom or tailored set of policies and procedures that meet the current approach to all types of electronic messaging, including any third-party services or platforms used at that time.
The written policies should include the parameters for supervision of the firm’s electronic communications, but also act as an easily understood guide for representatives to refer to when using different forms of electronic communication.
The policy must include how the communications are reviewed and retained, including the process for when a message requires additional review or is flagged by a firm’s system. The policy must also identify all persons responsible for overseeing the firm’s electronic messaging and a brief explanation of each person’s role, if necessary.
In many cases, an SEC exam team will ask the firm to provide examples of any relevant exception reports, activity reports, etc., used in the review process.
In addition, firms must be prepared to present during examinations any detected violations of the policy and actions taken by the adviser as a result.
Advisers have learned that a failure to keep evidence of continuing compliance activities can cause problems at exam time. Records of the capture and review of electronic communication must be retained and easily accessible during an examination.
A firm should be able to exhibit how and what communications are being captured, how many are reviewed and what happens if flagged. A firm must also include how long such electronic messages are maintained and where they are stored. If a firm’s electronic messages are maintained by a third party, a firm must be prepared to describe its process and provide copies of any agreements or contracts with the vendor.
The records should also include what was done with a flagged communication after discovery and what additional steps were taken to determine the extent of any problems.
An adviser must take appropriate steps to ensure that the firm’s electronic communications data is safe from cyber-attacks. Therefore, a firm must have written policies and procedures addressing the transmittal of sensitive information over electronic messaging.
If a firm prohibits the transmittal of sensitive information over electronic messaging, it must also be prepared to explain this to an SEC examiner, providing ways the prohibition is being enforced.
For example, if a third-party vendor system is used for any portion of electronic messaging compliance and it’s held on an outside server, it must be part of the firm’s cyber security risk assessment.
To address the risk in this situation, an adviser will perform initial and ongoing due diligence on the third party and monitor it to ensure that it’s performing up to the adviser’s standards.
(By Jason Wallace, Regulatory Intelligence, in San Diego)
This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Aug 27.