On episode 33 of the CCO Buzz we discuss the Securities and Exchange Commission's Office of Compliance Inspections and Examinations ("OCIE") recently published National Exam Program Risk Alert titled "Observations from Investment Adviser Examinations Relating to Electronic Messaging."
CCO Buzz: Hello and welcome back! We are on episode 33 of the CCO Buzz and with the 2019 SEC Exam Priorities fresh in our minds from last week’s podcast, we thought to ourselves what do we discuss next? A bunch of topics came to mind, but today we wanted to talk about the growing frontier and trends that surround technology, but more importantly electronic communications.
We all have to admit, the use of electronic devices for both personal and business communication has become a way of life. I don’t know about you, but my phone is, more or less, within an arm’s reach at all times.
Businesses use desktop computers, laptops, iPads, and smartphones, which allow employees the ability to communicate internally with other employees and externally with prospects, clients and service providers. Employees can send emails, text messages, instant messages, and communicate using social media, third-party platforms and software on their electronic devices.
While cybersecurity protocols may play an important role in this area, there are a few additional compliance regulations surrounding electronic communications that investment advisers must consider. Some of these include:
- Required records – Under Rule 204-2 of the Investment Advisers Act of 1940, advisers must maintain certain business communications.
- Marketing and advertising – Rule 206(4)-1 of the Advisers Act outlines certain prohibitions pertaining to a firm’s marketing and advertising activity.
- Privacy – Regulation S-P requires firms to implement safeguarding protocols for client non-public information.
- Oversight – Rule 206(4)-7 of the Advisers Act mandates firms to perform at least annual reviews of their policies and procedures to ensure their effectiveness in preventing violations.
In December 2018, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations, or “OCIE,” published a National Exam Program Risk Alert titled “Observations from Investment Adviser Examinations Relating to Electronic Messaging”. In the alert, OCIE included a summary of some strong procedures and controls they saw during exams that advisers had in place. A few of these include:
- Allowing only the types of electronic communication for business that can be used in compliance with regulations.
- Prohibiting business use of applications and other technologies that can be misused, such as when an employee has the ability to send messages or otherwise communicate anonymously.
- Implementing policies and procedures for the monitoring, review, and retention of all types of electronic communications used by a firm and its employees.
- Requiring mandatory training to be completed by new and current employees.
- Obtaining written certifications from employees of adherence to policies and procedures and training completion, upon hire and regularly thereafter.
- Providing regular reminders to employees of what is and is not allowed regarding business electronic communications.
- Setting up automated alerts and performing periodic searches to identify any unauthorized business communication or other advisory business being conducted online.
- Contracting with service providers to monitor and archive business electronic communications.
- Setting up a “reporting program” that gives employees the means to report any concerns and/or potential violations.
- Requiring pre-approval before employees can access firm email servers or other business apps from non-business issued (personal) devices.
- And, ensuring that business-issued and any approved personal devices have security applications that allow the adviser to auto-push required cybersecurity patches and updates, monitor for prohibited applications, and wipe the devices if lost or stolen.
We must warn you that this is not a complete list, so you’ll want to read the full alert. Importantly, the policies, procedures and controls that an advisory firm implements need to be based on its specific facts and circumstances and address the associated risks. In the area of electronic communications there can be several risks, such as:
- The risk of not capturing all electronic business communications;
- The risk that non-public information is not protected when sent electronically;
- The risk that applicable procedures aren’t adequate to prevent violations;
- The risk that employees don’t understand the firm’s requirements, which can cause a violation; and
- The risk that unapproved devices are used for business communications.
Now is a good time to review your procedures and controls pertaining to electronic communications and the use of electronic devices to ensure that they are customized and robust. Should you need assistance or have questions, please contact us at firstname.lastname@example.org or at 619-278-0020.
And listeners we want to remind you that the exclusive $100 off discount code to the 2019 Annual Core Compliance Workshop is still active. Use promo code BUZZ2019 at checkout – we hope to see you all there!
Well that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn or Twitter @CoreCLS. Thank you and we hope you tune into next week’s episode of the CCO Buzz.