The Office of Compliance Inspections and Examinations (OCIE) issued a new National Exam Program Risk Alert (the “Alert”) last week on electronic messaging. OCIE conducted an undisclosed number of limited scope examinations of investment advisers to determine the risks and controls surrounding the use of electronic messaging by advisers and their personnel. The examinations purposefully excluded business account emails in order to focus on the use of messaging and personal emails for business purposes.
There are three main Advisers Act rules that cover the use of electronic communications:
- Rule 204-2 for recordkeeping and archiving of communications
- Rule 204-2(a)(11) for communications to ten or more people
- Rule 206(4)-7 for the adoption of written policies and procedures regarding the use of electronic communications
One of the main issues the Staff found during its examinations was the lack of testing or monitoring of electronic communications in relation to firm procedures. The Staff also discovered effective oversight methods that included the use of customized policies and procedures, routine employee training, supervisory reviews, and controls over device use.
Key highlights of the practices identified by OCIE as effectively used by firms are as follows:
- Expressly prohibiting the use of messaging platforms that allow for anonymous communications, auto-destruction, or third-party access or back-ups
- Written procedures governing how personal devices are to be utilized for business if the firm has a BYOD policy, including the monitoring, review, and retention of electronic communications on personal devices
- Staff favors the use of disciplinary measures (including termination) for employees that violate internal policies
- Use of written attestations from employees regarding their electronic messaging habits on a regular basis
- Supervisory procedures over communication application vendors that include monitoring services and archiving/retrieval
- Activating automated alerts from internet search engines to include the Adviser and/or employee names to identify unauthorized activity
- Colleague reporting systems (similar to an internal whistleblowing program) to allow for internal reporting by colleagues in a confidential manner
- IT control over personal devices in the form of required approvals for usage, loading specific security apps and update controls, and the use of VPN’s