1/7/19 - Promontory Currents - The Compliance Predicament: Monitoring Electronic Communications of Personnel at Regulated Financial Services Entities

By Jane Jarcho, Conway Dodge, Michael Sullivan, Michael Vorhis, and Libby Cornwell

On Dec. 14, 2018, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert[1] to encourage “advisers to review their risks, practices, policies, and procedures regarding electronic messaging and to consider any improvements to their compliance programs that would help them comply with applicable regulatory requirements.” OCIE issued the risk alert following an examination initiative that surveyed investment advisers’ use of non-traditional methods of electronic communication (including SMS/text, social media, and other third-party applications), personal email, and personally owned devices for business purposes, and that sought to understand the risk and compliance implications of such practices. Although the risk alert is the product of examinations of investment advisers, OCIE notes that “other regulated financial services entities may face similar challenges with new communication tools and methods.”

The risk alert recognizes that chief compliance officers and their staff face a growing predicament: how to monitor the electronic business communications of personnel in a world of ever-increasing avenues of communication.[2] Most individuals no longer rely primarily on telephone calls and email to communicate; rather, a proliferation of software applications and social media platforms has become the most common means of communication. Couple this change with the ubiquity of personal mobile devices, and the compliance risk is formidable. No rule or guidance specifically dictates how compliance personnel should meet this challenge, although certain rules make clear that it must be addressed. The risk alert highlights practices the staff observed that may help firms comply with their regulatory obligations. Below is a discussion of the best practices included in the risk alert, along with others that can help compliance professionals mitigate risk in this area.

Regulatory Requirement for Monitoring Business Communications

The regulatory requirement for monitoring business communications stems from three provisions of the Investment Advisers Act of 1940. First, the books and records rule (Section 204 of the Advisers Act and Rule 204-2 thereunder) requires, among other things, that investment advisers retain written communications sent or received by personnel relating to recommendations and advice given to clients. Second, the compliance rule (Rule 206(4)-7 under the Advisers Act) requires investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules thereunder, and to review the adequacy of those policies and procedures at least annually. Third, Section 204A of the Advisers Act requires advisers to establish, maintain, and enforce written policies and procedures reasonably designed to prevent the misuse of material nonpublic information. Together, these provisions impose a duty to monitor and retain written communications between personnel and clients, between personnel and other business professionals, and among personnel.

Best Practices

Written Policies and Procedures

  • Develop written policies and procedures that inform personnel of the types of electronic communications that are permitted. The use of apps or platforms not specifically permitted should be prohibited. Because popular new apps and platforms appear regularly, policies and procedures should include a process for evaluating new apps and platforms and adding them to the permitted methods of communication.
  • Include procedures by which the firm will capture and retain electronic communications to satisfy the books and records requirements.
  • If personal mobile devices are permitted for business communications, policies and procedures must address such use, including the security and privacy of client information stored on or transmitted through those devices.

Mobile Devices

  • Provide firm-issued mobile devices to employees for all business communications, and consider limiting access to firm systems to firm-issued devices only.
  • If personal devices are permitted to access firm systems such as email, require that device operating systems and apps be kept up to date so that known vulnerabilities are patched. Consider having information technology staff check personal devices for vulnerabilities on a regular basis.
  • Prohibit the installation of apps on firm-issued devices without an IT review for potential security issues.
  • Equip firm-issued devices, and personal devices if allowed for business communications, with security and monitoring software (for example, mobile device management software).

Electronic Communications Monitoring

  • Use software or third-party vendors to monitor apps, social media platforms, and websites for unauthorized business communications.
  • Monitor email and other electronic communications for red flags (e.g., phrases such as “take it off line” or “text me”) indicating that a conversation is being moved to an unmonitored or unreviewable channel.
  • Conduct regular or automated internet searches on firm and personnel names to detect unauthorized activity.
  • If personal mobile devices are permitted for business purposes, consider requiring individuals to agree to monitoring or inspection of those devices on a periodic or unannounced basis.[3]
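The red-flag monitoring described in the list above can be implemented as a phrase lexicon run over captured messages. The following is an added example (not code from the risk alert or from Promontory) of such a scan in Python. The “take it off line” and “text me” phrases come from the list above; the remaining patterns, the archive message format, and the sample messages are constructed assumptions for illustration. Matches are returned for compliance review rather than acted on automatically, because phrase lexicons produce false positives (the “offline backup” in the second sample message is not an attempt to evade monitoring, and the scan does not flag it).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Phrase patterns suggesting a conversation is being moved off a monitored
# channel. "take it off line" and "text me" come from the practices above;
# the other patterns are assumptions added for this example.
RED_FLAG_PATTERNS = {
    "take_offline": re.compile(r"\btake\s+(?:it|this|that)\s+off[\s-]?line\b"),
    "text_me": re.compile(r"\btext\s+me\b"),
    "call_cell": re.compile(r"\bcall\s+(?:me\s+on\s+)?my\s+(?:cell|mobile)\b"),
    "messaging_app": re.compile(r"\b(?:whatsapp|signal|telegram|wechat)\s+me\b"),
    "personal_email": re.compile(r"\bpersonal\s+e-?mail\b"),
}


@dataclass
class Hit:
    msg_id: str
    sender: str
    flags: List[str]


def normalize(text: str) -> str:
    """Lower-case, strip punctuation other than hyphens, and collapse whitespace
    so that 'Off-Line', 'off line' and 'offline' are all matched by one pattern."""
    text = text.lower()
    text = re.sub(r"[^\w\s-]", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def scan_message(msg_id: str, sender: str, body: str) -> Optional[Hit]:
    """Return a Hit listing every pattern that matched, or None if the message is clean."""
    norm = normalize(body)
    flags = [name for name, pat in RED_FLAG_PATTERNS.items() if pat.search(norm)]
    return Hit(msg_id, sender, flags) if flags else None


def scan_messages(messages: List[dict]) -> List[Hit]:
    """Scan an archive export (assumed format: id, from, body) and return the
    messages that warrant compliance review."""
    hits = []
    for m in messages:
        hit = scan_message(m["id"], m["from"], m["body"])
        if hit is not None:
            hits.append(hit)
    return hits


def hits_by_sender(hits: List[Hit]) -> Dict[str, int]:
    """Count flagged messages per sender, a useful view for prioritizing review."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.sender] = counts.get(h.sender, 0) + 1
    return counts


# Constructed sample messages in an assumed archive format (not real data).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "adviser.a@example.com",
     "body": "Let's take it off-line, text me on my cell when you're free."},
    {"id": "m2", "from": "ops@example.com",
     "body": "Attached is the updated model; the offline backup ran overnight."},
    {"id": "m3", "from": "adviser.a@example.com",
     "body": "Can you WhatsApp me the allocation numbers?"},
    {"id": "m4", "from": "adviser.b@example.com",
     "body": "Please send the signed docs to my personal email instead of the firm account."},
    {"id": "m5", "from": "compliance@example.com",
     "body": "Reminder: electronic communications training is Thursday at 10."},
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES):
        print(f"{hit.msg_id} from {hit.sender}: {', '.join(hit.flags)}")
    print(hits_by_sender(scan_messages(SAMPLE_MESSAGES)))
```

Running the block against the constructed sample flags m1 (two phrases), m3 and m4, and leaves m2 and m5 unflagged. In practice the lexicon should be tuned against the firm's own archive, and hits routed to a review queue so that a compliance officer, not the tool, decides whether a policy violation occurred.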

Employee and Client Assistance

  • Provide a confidential reporting method whereby employees can report concerns that other employees may be violating electronic-communication policies.
  • Inform clients, by including notices in official client communications, that firm personnel should communicate only through the listed means of electronic communication and that all other electronic communications are prohibited. Request that any such prohibited communications be reported to compliance.[4]

Employee Training and Attestation

  • Have, at a minimum, annual training on policies and procedures for electronic communications, including permitted and prohibited apps, social media platforms, and websites.
  • Training should cover policies for firm-issued mobile devices and, if permitted, personal mobile devices, including:
    • Permitted and prohibited apps, social media platforms, and websites
    • Retention of communications
    • Disciplinary consequences for violating policies
    • Information security policies
    • Customer and firm privacy policies 
  • Firms should obtain annual attestations that personnel have read and understand the policies and procedures related to electronic communications. Reminders should be issued, and policies updated when appropriate, on a regular basis.

The risk alert represents an acknowledgement by OCIE that monitoring business communications in today’s electronic world is challenging for compliance professionals. The best approach is to develop and implement robust, up-to-date policies and procedures for approved and prohibited communications, and then to monitor for unauthorized activity. With this in mind, advisers and compliance personnel at other regulated entities should take a fresh look at their practices, compliance risks, and controls with respect to electronic communications (through ad hoc risk assessments or annual review processes), and specifically consider each of the best-practice examples highlighted above.

Authors

Jane Jarcho is a special adviser in Promontory’s asset-management practice. Conway Dodge and Michael Sullivan are managing directors, and Michael Vorhis is a principal, in Promontory’s Washington office. Libby Cornwell is an associate in the firm’s New York office.


FOOTNOTES

  1. “Observations from Investment Adviser Examinations Relating to Electronic Messaging,” Securities and Exchange Commission (Dec. 14, 2018).
  2. Significantly, OCIE’s staff implicitly acknowledged the ability of adviser personnel to conduct business through these evolving communication methods. However, “the staff observed a range of practices with respect to electronic communications, including advisers that did not conduct any testing or monitoring to ensure compliance with firm policies and procedures.”
  3. This best practice is not discussed in OCIE’s risk alert, but is offered for consideration based on our observations of firm practices. Additionally, firms should consult with counsel about any rules or laws limiting such a request before implementing.
  4. This best practice is not discussed in OCIE’s risk alert, but is offered for consideration based upon our observations of firm practices.