This article originally appeared in the Investment Adviser Association's (IAA) February newsletter.
Books and records compliance is chic again. By now, every compliance professional should be aware of the parallel settled enforcement actions announced in late 2021 by the SEC and the CFTC against a registered broker-dealer and related entities. The charges included failure to supervise communications and recordkeeping violations stemming from firm personnel's use of personal devices for business communications, and the firm's corresponding failure to maintain, preserve, and produce those records to regulators.
In conjunction with the SEC's announcement, the Division of Examinations (DOE, formerly the Office of Compliance Inspections and Examinations) fired another warning shot when it "...encourage[d] registrants... to scrutinize their document preservation processes and self-report failures such as those outlined [in the enforcement action]...". The enforcement action was the latest in a series of warnings about the regulatory dangers of using third-party text messaging, personal email, and other forms of electronic communication for business purposes.
Previously, the SEC's DOE and FINRA had only issued risk alerts and regulatory notices, or announced examination priorities, on the subject of books and records compliance. While books and records violations are commonly cited as deficiencies in regulatory examinations, stand-alone charges for violations of the books and records obligations, hefty monetary penalties, the imposition of an independent consultant, and an admission of wrongdoing are far less common. Together they signal to the industry that the regulatory tide has turned.
Much has been written about the risks, the problems, and the regulatory scrutiny. Crafting an effective compliance response, however, has been stymied by the lack of viable, practical, and compliant solutions to the recordkeeping, monitoring, cybersecurity, and compliance program obligations that arise when a registrant's supervised persons use, or are permitted to use, text messages and personal email to conduct the registrant's business. This article provides a non-exclusive framework for those responsible for compliance and supervision to craft a path to a defensible and reasonably designed solution, whether the goal is to enhance the compliance program, to evaluate whether to take advantage of the SEC's invitation to self-report violations, or both.
Lessons Learned from the Current Guidance
The SEC case involved a registered broker-dealer subject to the federal securities laws and the rules adopted thereunder, as well as FINRA rules governing the retention and supervision of books and records, including electronic communications. In addition, broker-dealers are subject to FINRA Rule 3110 (Supervision), which requires each member to establish, maintain, and enforce written procedures to supervise the types of business in which it engages and the activities of its associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations and FINRA rules. FINRA has provided important guidance on broker-dealer books and records compliance, with particular focus on the retention and supervision of electronic books and records, the use of personal devices for business communications, instant messaging, and blogs and social networking websites.
Although the case was brought against a dual registrant in its broker-dealer capacity, it should have equally significant compliance implications for advisers. Advisers are subject to the Investment Advisers Act of 1940 (Advisers Act) and the rules and regulations thereunder pertaining to the retention and supervision of all business-related books and records. The SEC's DOE has provided guidance that an adviser should allow its personnel to use only those forms of electronic communication for business purposes that the adviser determines are compliant with the books and records requirements of the Advisers Act. Business use of apps or other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, that allow for automatic destruction of messages, or that prohibit third-party viewing or back-up should be prohibited. The DOE's alert further states that the adviser's procedures should provide that when an employee receives a business-related electronic message through a form of communication the firm prohibits for business purposes, the employee is required to move that message to an electronic system that the adviser has determined can be used in compliance with its books and records obligations.
Advisers that permit the use of personally owned mobile devices for business purposes must adopt and implement policies and procedures addressing such use with respect to, for example, social media, instant messaging, texting, personal email, personal websites, and information security. Advisers that permit their personnel to use social media, personal email accounts, or personal websites for business purposes must also adopt and implement policies and procedures for the monitoring, review, and retention of such electronic communications, including a statement informing employees that violations may result in discipline or dismissal.
The implications of this case for all registered firms are significant. Financial industry regulators, such as the SEC and FINRA, will increase their examination and investigation focus on compliance with books and records retention and supervision, including electronic communications and the use of personal devices and personal communication accounts. It is crucial that all registered firms immediately assess and confirm whether they have policies, procedures and controls in place that are reasonably designed to avoid violations of the applicable laws, rules, and regulations.
Steps for Designing and Implementing a Compliant Response
- Be skeptical of any assertion that there is 100 percent compliance with a registrant's blanket prohibition on the use of text messages and personal email for business purposes. In an age of COVID-related workarounds, remote work, and "bring your own device," the reality is that many view text messages as a more convenient, efficient, and timely alternative to archivable email. This preference is not driven solely by firm personnel, but also by clients and investors, particularly those outside the U.S.
- Recognize that the compliance program must be risk-based, reasonably designed, periodically tested, and documented. In other words, the risk of non-compliant behavior or other failings by the firm's personnel, processes, or systems is unlikely to be reduced to zero. To mitigate the most serious regulatory consequences of material compliance breaches, the compliance culture, training, testing, documentation, and program enhancement regime must be robust and uncompromising.
- Review the adequacy of the written supervisory and compliance policies and procedures, and whether they are reasonably designed to ensure that electronic communications, including those found on personal electronic devices such as cell phones, are preserved as the relevant rules require.
- Review and update as necessary the categories of business records that are required to be maintained under the relevant books and records provisions, without regard to where those records are located or how they are stored.
- Take inventory of how firm personnel communicate for business purposes. Shorthand phrases such as 511 (too much information), 121 (private chat initiation), AYOR (at your own risk), CM (call me), CFS (care for secret?), and other commonly used and ever-evolving text phrases and emojis (yes, emojis) should be part of the firm's compliance monitoring lexicon. Rather than having the policy cover the use of text messages generally, name the use of WhatsApp, WeChat, Telegram, Facebook Messenger, Snapchat, Line, Signal, Google Hangouts, Element, Wire, and other popular messaging services, as well as the use of personal email. Consider obtaining periodic certifications from firm personnel attesting that they use only firm-approved electronic means of communicating business.
- Verify, through testing and screening of electronic communications for red flags, whether non-firm-approved modes of communication are being used. Most firms already screen for personal webmail domains such as gmail.com, yahoo.com, and msn.com. The text messaging apps and services listed in the preceding item should also be included in the screening protocols.
- Give careful consideration to whether an outright prohibition on the use of text messages is a realistic and practical solution, or whether providing training and mechanisms to address accidental or occasional use is more appropriate. A faithful attempt to comply with the firm's recordkeeping obligations is the more prudent, risk-based, and reasonable approach.
- To the extent the firm decides to permit incidental and non-substantive use of modes that are not automatically archived, or relies on its personnel to determine which particular communications are business-related or substantive, the firm must provide clear instructions to guide personnel's judgment.
- With knowledge of the required recordkeeping time periods in mind, establish and rigorously follow a clearly defined and compliant document management policy. Be aware of litigation holds, court orders, and other scenarios that may make it necessary to adjust the firm’s standard document management practices.
- Provide periodic training and reminders to firm personnel on existing and enhanced policies and procedures related to the use of text messages and personal email. Such training should highlight the risk of falling prey to ransomware, malware, keystroke loggers, business email compromise, and other security breaches.
- Evaluate vendor-provided technology solutions that, while not yet perfect, may help address practical business realities and the firm's recordkeeping and compliance program responsibilities. The evaluation should include thorough testing for cybersecurity vulnerabilities and for the protection of confidential information. Also consider plug-ins that alert the sender when a message is addressed to an external or non-approved address.
- To the extent material non-compliance is found, update the compliance breach log and document any disciplinary, retraining, and remedial actions taken, including actions taken against non-compliant supervisors. Include additional testing in the periodic or annual reviews of the compliance program.
- Ensure that senior managers, compliance personnel, and supervisors not only message a compliant culture but also act in accordance with the firm's policies and procedures. Determine, for example, whether supervised persons list non-approved modes of contacting them in email signatures, out-of-office messages, business cards, or voicemail greetings.
- Implement off-boarding procedures to capture required records that may be stored on devices of exiting employees or on firm-owned equipment that is being retired, wiped or upgraded.
- Consult with legal counsel as soon as cooperation and self-reporting of violations to the SEC are being considered. Seek guidance on what cooperation actually means, whether enforcement or examinations staff should receive the self-report, and how to position the firm to get maximum credit for self-reporting in any subsequent examination or enforcement action, among other considerations.
- Ideally, begin voluntary and meaningful remedial actions before self-reporting violations to the regulators, provided that doing so will not result in a material delay.
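Three of the items above (the monitoring lexicon of app names and shorthand, the red-flag screening of electronic communications for personal webmail and messaging apps, and the check for non-approved contact details advertised in signatures and out-of-office text) describe detection logic. The following Python screener is an added illustration of that logic; it is not the article's own code and not any vendor's product. Everything in it is an assumption constructed for the example: the firm domain examplefund.com, the keyword lists, and the four sample messages. It runs offline over the embedded messages.

```python
"""Red-flag screener for archived business communications.

Added illustration; not the article's own or any vendor's code. Everything below is
constructed: the firm domain examplefund.com, the keyword lists (a starting lexicon to
tune against the firm's approved-channel inventory) and the four sample messages.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PERSONAL_EMAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "yahoo.com", "msn.com", "hotmail.com",
    "outlook.com", "live.com", "icloud.com", "aol.com", "protonmail.com",
}
# App names that seldom occur in ordinary business prose: flag on sight.
UNAMBIGUOUS_APPS = ["whatsapp", "wechat", "telegram", "snapchat",
                    "facebook messenger", "google hangouts"]
# App names that are also ordinary English words: flag only with channel context,
# otherwise "the wire settles Friday" and "line 3 of the report" would fire.
AMBIGUOUS_APPS = ["signal", "line", "element", "wire"]
# Text shorthand that often signals a move off the archived channel.
SHORTHAND = {"511": "too much information", "121": "private chat initiation",
             "AYOR": "at your own risk", "CM": "call me", "CFS": "care for secret?"}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
APP_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, UNAMBIGUOUS_APPS)) + r")\b", re.I)
# "reach me on Signal", "send it via Wire"; not "on line 3", "over the wire", "on signal strength".
APP_CONTEXT_RE = re.compile(
    r"\b(?:on|via|over|through|using)\s+(?:" + "|".join(AMBIGUOUS_APPS) + r")\b"
    r"(?!\s+(?:\d|strength|transfer|manager|item|of\b))", re.I)
# Signature / out-of-office style: "WhatsApp: +1 (415) 555-0100", "Signal number: ...".
APP_NUMBER_RE = re.compile(
    r"\b(?:" + "|".join(map(re.escape, UNAMBIGUOUS_APPS + AMBIGUOUS_APPS)) + r")"
    r"\s*(?:number|no\.?|#|id)?\s*[:=]\s*\+?\(?\d[\d\s().-]{6,}", re.I)
# Whole-token and case-sensitive; "$121" and "1.121" are not flagged.
SHORTHAND_RE = re.compile(r"(?<![\w$.])(" + "|".join(map(re.escape, SHORTHAND)) + r")(?![\w.])")


@dataclass(frozen=True)
class Finding:
    msg_id: str
    rule: str
    evidence: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def screen_message(msg: dict) -> list[Finding]:
    """Return every red flag in one archived message (dict with id/from/to/cc/body)."""
    mid, body, found = msg["id"], msg.get("body", ""), []
    # 1. Personal webmail accounts in the envelope. A client on Yahoo is normal; an
    #    employee copying their own Gmail is not, so these go to a reviewer to confirm.
    for field in ("from", "to", "cc"):
        raw = msg.get(field, [])
        for addr in ([raw] if isinstance(raw, str) else raw):
            if _domain(addr) in PERSONAL_EMAIL_DOMAINS:
                found.append(Finding(mid, "personal_webmail_envelope", f"{field}: {addr}"))
    # 2. Personal webmail addresses mentioned in the body ("forwarding to my gmail").
    for m in EMAIL_RE.finditer(body):
        if m.group(1).lower() in PERSONAL_EMAIL_DOMAINS:
            found.append(Finding(mid, "personal_webmail_in_body", m.group(0)))
    # 3. Non-approved messaging channels named, or advertised with a number in a signature.
    for m in APP_RE.finditer(body):
        found.append(Finding(mid, "non_approved_channel", m.group(0)))
    for m in APP_CONTEXT_RE.finditer(body):
        found.append(Finding(mid, "non_approved_channel", m.group(0)))
    for m in APP_NUMBER_RE.finditer(body):
        found.append(Finding(mid, "channel_advertised_with_number", m.group(0).strip()))
    # 4. Off-channel shorthand from the lexicon.
    for m in SHORTHAND_RE.finditer(body):
        found.append(Finding(mid, "shorthand", f"{m.group(1)} ({SHORTHAND[m.group(1)]})"))
    return found


def screen(messages: list[dict]) -> list[Finding]:
    return [f for msg in messages for f in screen_message(msg)]


# Constructed sample archive (assumption: the firm's mail domain is examplefund.com).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "trader@examplefund.com", "to": ["cio@bigpension.org"],
     "body": "Attached is the Q3 letter. The wire for the redemption settles Friday."},
    {"id": "m2", "from": "trader@examplefund.com", "to": ["analyst@examplefund.com"],
     "body": "Not on email. CM, or reach me on Signal tonight. CFS"},
    {"id": "m3", "from": "pm@examplefund.com", "to": ["pm@examplefund.com"],
     "body": "Forwarding the model to pm.home@gmail.com so I can work on it from the train."},
    {"id": "m4", "from": "rep@examplefund.com", "to": ["investor@yahoo.com"],
     "body": "Signed. Quicker to ping me 121 on WhatsApp.\n-- Pat\n"
             "WhatsApp: +1 (415) 555-0100\nSignal: +1 415 555 0100"},
]

if __name__ == "__main__":
    for f in screen(SAMPLE_MESSAGES):
        print(f"{f.msg_id}  {f.rule:32} {f.evidence!r}")
```

The clean message (m1) produces no findings even though it contains the word "wire", because names that double as ordinary words are only flagged with a channel preposition or a phone number after a colon. Every hit is a lead for a reviewer, not a conclusion: a counterparty on Yahoo is a client, not a violation, while an employee forwarding a model to a Gmail address (m3) and a signature advertising WhatsApp and Signal numbers (m4) are the patterns the items above are aimed at. The lexicon, like the article says of emojis and shorthand, has to be extended as usage evolves.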
In addition to these 16 considerations, advisers should also realize that the use of text messages and personal emails for business purposes not only implicates the firm’s books and records obligations, but also the compliance program generally, prohibitions against use of material non-public information, privacy and information security, and cybersecurity—not to mention the potential for significant reputational harm if inappropriate communications are made public.
1 See DOE (formerly Office of Compliance Inspections and Examinations or OCIE) National Exam Program Risk Alert – Observations from Investment Adviser Examinations Relating to Electronic Messaging (Dec. 14, 2018) (DOE Alert), available on the SEC website.
2 See Rules 17a-3 (17 CFR 240.17a-3) and 17a-4 (17 CFR 240.17a-4) under the Securities Exchange Act of 1934, and FINRA Rule 4510.
3 See FINRA Regulatory Notice 07-59 – “FINRA Provides Guidance Regarding the Review and Supervision of Electronic Communications” and FINRA 2019 Report on Examination Findings and Observations – Digital Communication.
4 See FINRA Regulatory Notice 11-39 – “Social Media Websites and the Use of Personal Devices for Business Communications.”
5 See FINRA Notice to Members 03-33 – “Clarification for Members Regarding Supervisory Obligations and Recordkeeping Requirements for Instant Messaging.”
6 See FINRA Regulatory Notice 17-18 – “Guidance on Social Networking Websites and Business Communications.”
7 See 17 CFR 275.204-2, Books and records to be maintained by investment advisers.
8 DOE Alert.
This article is for general information purposes and is not intended to be and should not be taken as legal or other advice.