Mon, Feb 14, 2022
This article originally appeared in the Investment Adviser Association’s (IAA) February newsletter.
Books and records compliance is chic again. By now, every compliance professional should be aware of the dual-settled enforcement actions announced in late 2021 by the SEC and the CFTC against a registered broker-dealer and related entities for charges that included failure to supervise communications as well as recordkeeping violations stemming from the use of personal devices by firm personnel for business communications and the corresponding failure by the firm to maintain, preserve and produce to regulators those records.
In conjunction with the announcement of the SEC’s action, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, “...encourage[d] registrants… to scrutinize their document preservation processes and self-report failures such as those outlined [in the enforcement action].” The SEC’s enforcement action was the latest in a series of warnings highlighting the regulatory dangers of using third-party text messages, personal emails, and other forms of electronic communications for business purposes.
Previously, the SEC’s DOE and FINRA had only issued risk alerts and regulatory notices, or announced examination priorities on the subject of books and records in compliance. While books and records violations may be commonly cited as deficiencies in regulatory examinations, less common is the filing of stand-alone charges for violations of the books and records obligations, hefty monetary penalties, the imposition of an independent consultant, and an admission of wrongdoing—a signal to the industry that the regulatory tide has turned.
Much has been written about the risks, the problems, and the regulatory scrutiny. However, developing an effective compliance response appears to have been stymied by the lack of viable, practical, and compliant solutions to the recordkeeping, monitoring, cybersecurity, and compliance program obligations that are raised when a registrant’s supervised persons use, or are permitted to use, text messages and personal emails to conduct the registrant’s business. This article provides a non-exclusive framework for those responsible for compliance and supervision to craft a path to a defensible and reasonably designed solution, regardless of whether the goal is to enhance the compliance program and/or to evaluate whether to take advantage of the SEC’s invitation to self-report violations.
This SEC case involved a registered broker-dealer that is subject to the federal securities laws and rules enacted thereunder as well as FINRA rules governing the retention and supervision of books and records, including electronic communications. In addition, broker-dealers are subject to FINRA Rule 3310, which requires the establishment, maintenance, and enforcement of written procedures to supervise the types of business in which it engages, as well as the activities of its associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations and FINRA rules. FINRA has provided important guidance related to broker-dealer books and records compliance with particular focus on the retention and supervision of electronic books and records, use of personal devices for business communications, instant messaging, and blogs and social networking websites.
Although this case was against a dual registrant in its broker-dealer capacity, it should have equally significant compliance-related implications for advisers. Advisers are subject to the Investment Advisers Act of 1940 (Advisers Act) and rules and regulations thereunder pertaining to retention and supervision of all business-related books and records. The SEC’s DOE has provided guidance that an adviser should allow its personnel to use forms of electronic communication for business purposes that the adviser determines are compliant with the books and records requirement of the Advisers Act. Business use of apps or other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allow for automatic destruction of messages, or prohibit third-party viewing or back-up should be prohibited. The DOE’s alert further states that the adviser’s procedures should provide that when an employee receives a business-related electronic message using a form of communication prohibited by the firm for business purposes, the employee is required to move such message to another electronic system that the adviser has determined can be used in compliance with its books and records obligations. Advisers that permit the use of personally owned mobile devices for business purposes must adopt and implement policies and procedures addressing such use with respect to, for example, social media, instant messaging, texting, personal email, personal websites, and information security. Advisers that permit their personnel to use social media, personal email accounts, or personal websites for business purposes must also adopt and implement policies and procedures for the monitoring, review, and retention of such electronic communications, including a statement informing employees that violations may result in discipline or dismissal.
The implications of this case for all registered firms are significant. Financial industry regulators, such as the SEC and FINRA, will increase their examination and investigation focus on compliance with books and records retention and supervision, including electronic communications and the use of personal devices and personal communication accounts. It is crucial that all registered firms immediately assess and confirm whether they have policies, procedures and controls in place that are reasonably designed to avoid violations of the applicable laws, rules, and regulations.
In addition to these 16 considerations, advisers should also realize that the use of text messages and personal emails for business purposes not only implicates the firm’s books and records obligations, but also the compliance program generally, prohibitions against use of material non-public information, privacy and information security, and cybersecurity—not to mention the potential for significant reputational harm if inappropriate communications are made public.
Source:
1 See DOE (formerly Office of Compliance Inspections and Examinations or OCIE) National Exam Program Risk Alert – Observations from Investment Adviser Examinations Relating to Electronic Messaging (Dec. 14, 2018) (DOE Alert), available on the SEC website.
2 See Rule 17a-3 (17 CFR 240.17a-3) and Rule 17a-4 (17 CFR 240.17a-4) under the Securities Exchange Act of 1934; and FINRA Rule 4510.
3 See FINRA Regulatory Notice 07-59 – “FINRA Provides Guidance Regarding the Review and Supervision of Electronic Communications” and FINRA 2019 Report on Examination Findings and Observations – Digital Communication.
4 See FINRA Regulatory Notice 11-39 – “Social Media Websites and the Use of Personal Devices for Business Communications.”
5 See FINRA Notice to Members 03-33 – “Clarification for Members Regarding Supervisory Obligations and Recordkeeping Requirements for Instant Messaging.”
6 See FINRA Regulatory Notice 17-18 – “Guidance on Social Networking Websites and Business Communications.”
7 See 17 CFR 275.204-2 Books and records to be maintained by investment advisers.
8 DOE Alert.
This article is for general information purposes and is not intended to be and should not be taken as legal or other advice.