Information technology continues to provide amazing benefits to our industry, but it also brings with it a number of risks when it comes to compliance.
Changes in the way mobile and personally owned devices are being utilized for business purposes bring into question whether firms are fully complying with the Books and Records Rule (Advisers Act Rule 204-2) and the Compliance Rule (Advisers Act Rule 206(4)-7).
The staff shared that specific concerns related to registrants’ utilization of electronic communications include, but are not limited to, increased use of messaging to clients and others via:
- Social media
- Text messaging
- Electronic messaging apps
- Personal devices and accounts used for business purposes
The Office of Compliance Inspections and Examinations (OCIE) conducted a limited-scope examination of advisory firms’ use of electronic messaging and released a risk alert, capturing the examiner’s observations of strong internal controls used by the financial industry, which in turn will help firms to foster and improve their protocols, systems and policies.
The complete OCIE Risk Alert on “Observations from Investment Adviser Examinations Relating to Electronic Messaging” can be read here.
OCIE’s examination initiative focused on whether, and to what extent, advisers complied with the Books and Records Rule and adopted and implemented policies and procedures as required by the Compliance Rule.
Unfortunately, some examiners found that certain investment advisory firms failed to have any testing or monitoring practices in place to help ensure compliance with firm policies and procedures.
In an effort to assist firms in meeting their record retention obligations under the Books and Records Rule and their implementation and design of policies and procedures under the Compliance Rule, OCIE published 17 practices for firms to consider.
6 Internal Controls to Consider for Electronic Messaging
The following are selected highlights of the staff’s identification of potential internal controls to consider for electronic messaging:
- If firms permit their employees to use social media, personal email accounts, etc., for business purposes, policies and procedures should address protocols for the adviser’s monitoring, review, and retention of such electronic communications, including the transferring of those communications to a storage system which satisfies Rule 204-2.
- Training should be provided related to the firm’s acceptable practices regarding the use of electronic messaging and electronic apps.
- Firms should clearly emphasize in their policies and procedures that policy violations may result in disciplinary actions up to and including dismissal.
- Firms should regularly remind employees of the firm’s policies and procedures regarding electronic messaging, as well as solicit feedback from employees as to what forms of messaging are requested by clients and service providers to help identify potential risks.
- Procedures should be implemented for reviewing popular social media sites and conducting periodic internet searches to identify potentially unauthorized electronic messaging activities related to the firm.
- Security apps or other software should be employed on company-issued or personally owned mobile devices prior to utilization for business communications that:
  - Automate mandatory cyber security patches to the devices to better protect the devices from hacking or malware
  - Monitor for prohibited apps
  - Allow for remote “wiping” of the device’s entire local memory in the event a device is lost or stolen
The complete list of suggestions can be found in the OCIE’s Risk Alert – read here.
This Risk Alert Signals the Need for Internal Review
The publishing of this Risk Alert sends a clear signal that investment advisers will be held accountable for employee electronic communications.
We strongly advise firms to review their risks, practices, policies, and procedures governing electronic messaging and consider what improvements are required to bring their compliance programs into agreement with ever-developing regulatory requirements.
Should you need assistance in reviewing your policies and procedures covering the use of technology, or in developing an effective employee training program covering the proper use of electronic messaging, our attorneys are here to help.
For more information on regulatory compliance issues, or any other related legal questions, contact Jacko Law Group, PC. Let our decades of experience work for you.
A Reminder to Our Readers
We’d like to remind our readers to file Form ADV in a timely manner with the necessary regulatory bodies, including the SEC and state securities authorities, and to provide the required updated informational brochures to clients. This must be done regardless of the operational status of the SEC. Should you like us to review your Form ADV disclosures and assist with your annual amendment filing requirements, contact Jacko Law Group, PC – click here.