Boys will be boys. Brian Hamburger has a client whose employees used email to conduct "bar-stool" conversations--that is, the kind of conversations that really should be conducted only in bars. "When you go to traditional Wall Street firms, it's still an old boys club, but what once went on around the water cooler is now happening via email," says Hamburger, the managing director of MarketCounsel, a compliance consulting firm in Englewood, N.J. But as this client eventually found out, conducting ribald conversations electronically is not a good idea.
Under Securities and Exchange Commission regulations, electronic communications are subject to the records and retention rules and can be reviewed by regulators. Not all emails need to be retained, but most firms simply archive every email sent or received. The problem, says Hamburger, is that regulators can ask for all saved emails even though not all are subject to the retention rules. And as noted, the content of some emails can be downright embarrassing or even cast the firm in a negative light. Hamburger has had clients whose emails could be interpreted as being racially or sexually discriminatory. One client's emails detailed his extramarital affairs.
In addition to emails and instant messaging, many financial advisors are now setting up blogs, posting videos on YouTube.com and downloading to audio sharing sites such as PodcastAlley.com and Podcast.net. The reason is obvious: Going electronic allows advisors to reach out to current clients and find new ones According to the Pew Internet & American Life Project, in 2006, 73 percent of American adults--approximately 174 million people--used the Internet. Pew surveys show that 90 percent of Internet users use email.
But SEC compliance rules were drafted in the age of snail mail, telephones and face-to-face meetings. New communications technologies are creating enormous challenges for advisors just to keep up with compliance risks. And it's even harder than ever for small firms to keep up on a day-to-day basis, says Gary Watkins, a partner in ACA Compliance Group in Richmond, Va. Adds Matt Smith, president of LiveOffice LLC in Torrance, Calif.: The number-one challenge in the industry today is advisors' knowing what the retention requirements are with respect to electronic communications and fulfilling those requirements.
Contributing to the challenge is the fact that there is no official guidance from the SEC. The commission is supposedly working on guidance regarding electronic communications, but has not yet announced when that guidance will be issued, says Watkins. Meanwhile, SEC staff has indicated that both email and instant messaging are subject to the books and records rules, although it is permissible to delete spam.
The relevant retention rules for electronic and digital communications are located in section 204-2 of the Investment Advisers Act. Advisors are required to retain any non-paper communication--sent or received--that would have been required to be kept had it been in paper form. For example, all instant messages between a trader and an advisor must be maintained. Not all e-communications need to be retained, Hamburger points out, so the challenge is deciding what to keep.
In addition to archiving electronic communications, advisors must also be able to retrieve the material and keep backups of the archives in different locations in the event of disasters, says Smith.
Communications deemed to be advertising must also be retained. The Advisers Act generally defines advertising as any communication sent to more than one person, says Janaya Moscony, the president of SEC Compliance Consultants, Inc., in Phoenixville, Pa. Furthermore, the rules applicable to advertising apply whenever advertising is sent electronically--including blast emails and Web pages. This means, among other things, no testimonials, says Moscony.
Before the mutual fund scandals, regulators did not review electronic communications, Watkins says. Because emails proved to be crucial in those scandals, however, emails are now reviewed as part of the regular inspection process, he says.
While there are no specific archiving requirements for email, most advisory firms adopt the policy of maintaining all email for five years with a backup copy off-site. Retaining all email is a best practice currently available, argues Frank Watson, the president of Fairview Investment Services in Raleigh, N.C. which provides back-office compliance support for advisors. "It's really the best way to make sure you have all the correspondence that the SEC wants you to save," he says. "If you have it set up where your employees are making the decisions as to which email to retain, then you probably are not keeping all the emails the SEC requires."
Of course, retaining all emails can present some sticky situations as noted earlier. Unless it is privileged communication, SEC or state examiners can ask to see any retained email, even if it is not covered by Rule 204-2. Watkins notes that simply saving all emails could also expose an advisor to more scrutiny during an audit. For example, in reviewing a firm's email, the SEC may discover that the company engaged in inappropriate conduct such as sharing material, non-public information.
Moreover, by failing to screen and making all electronic communications available to regulators, firm-wide intelligence-- such as a recommended list of securities--could be leaked, Hamburger says.
Beyond casting a negative light on the firm or exposing trade secrets, maintaining all e-communications including those not required to be maintained, can create problems for firm computer systems. Email has become so commonplace that simply saving every emailed message that comes in or out of a business eats up a tremendous amount of disk space, notes Watkins. Beyond spam, he adds, it's not unusual to get analyst reports via email. These use a tremendous amount of disk space, and there is actually no requirement to save them.
Many firms contract with third parties to archive email. However, the system is never perfect. For example, Watkins had a client whose third-party provider could not produce the advisor's e-mails for the SEC inspectors because of a system glitch. The SEC issued a deficiency letter, citing the firm--not the provider--for not adequately maintaining records. The client now uses another provider, says Watkins. And aware that the SEC comes down harder the second time a deficiency occurs, the client periodically requests the new provider to reproduce emails.
There are ways to handle the flood of electronic communications. At a minimum, says Watkins, firms should auto-delete all spam so it is eliminated from firm systems. The SEC generally asks for all e-mails between specific dates, Hamburger explains, so advisors should delete unnecessary communications as they come in. That way, when the request to review is made, advisors do not have to give regulators everything ever sent or received.
Part of the problem can also be resolved through old-fashioned employee education. All employees should be made aware that every e-communication sent through business accounts is subject to review by both the firm and regulators, says Moscony. Personal communications should be made through personal accounts, and no business should be conducted through personal accounts, she adds.
The point, explains Moscony, is to make people more cognizant of what they are writing in emails. Furthermore, she says, workers need to understand that if they are using a personal email account at work, and the SEC suspects that the worker has conducted business through the personal account, the commission could request to see those records.
Of course, when a problem presents itself, vendors naturally step in and create solutions to solve them. But the resulting solutions for screening and archiving e-communications, however, have garnered mixed reviews. Watson argues that the technology for retaining and deleting electronic communications often fails to accurately identify which communications must be retained and which can be deleted.
Since 2001, LiveOffice has offered AdvisorMail applications that Smith says can be used by firms as small as one-man shops to those with over 20,000 email addresses. AdvisorMail Lite--for firms with fewer than 15 email addresses--is priced at $1,500 annually plus a $2,000 set-up fee. Regular AdvisorMail, for firms with more than 15 email addresses, is custom priced. Both offer the same functionality, says Smith. AdvisorMail archives email and stores it in WORM format ("write-once, read-many") in multiple backup locations in a searchable system. Periodic reports are sent to chief compliance officers showing--among other things--the number of emails sent, the number reviewed and the number flagged for potential violations. This allows larger firms to prove that email was reviewed for possible violations, says Smith. AdvisorMail also provides a backup email server should the client's server go down.
MarketCounsel interviewed 48 service providers to find a solution for its advisory compliance program clients--most of them shops with fewer than 20 persons. Large enterprise-class solutions with stand-alone servers installed on-site commanded $20,000 and up. This was not a good solution for clients, says Hamburger, because of both space and cost. Other solutions were paltry. "They were the technical equivalent to two cans and a string," Hamburger relates, but the price was right.
MarketCounsel eventually built its own solution by contracting an enterprise-class provider to scale down its product. Mailbanc, launched in the summer of 2007, is a separate division of MarketCounsel. It has three levels: "Messaging Defense" stops all spam, virus and Internet-born attacks. "Message Surveillance" works using key words. For example, a firm might flag the word "guarantee." If "guarantee" appears in an email, the firm can halt the message and review it. If stopped before going out, it doesn't qualify as a written communication and does not need to be saved. The third level is "Message Archiving." This level captures and retains emails. Message Archiving and Defense cost less than $30- a-month per user. All three levels are less than $40 per month per user.
Fairview helps firms to set up procedures to retain emails and helps locate vendors if the advisor does not want to retain emails in-house. Fairview then reviews emails to weed out spam and potential violations of pertinent laws, and prepares reports for the chief compliance officer. "We go in and review emails of all employees on a weekly basis and do a screening of all traffic to spot potential violations," says Watson. If Fairview finds overtly personal emails, it encourages clients to remind employees that email is being screened.
There is some good news, however, and according to Moscony, it is that the SEC has backed away from blanket requests for emails. As recently as a year ago, it was not unusual for SEC inspectors to routinely ask for all email records. In the last year, however, these requests only arise when inspectors suspect some cause for concern, such as insider trading.
But advisors still need to be prepared for the request. They must ask themselves if they have an organizational culture where certain emails could prove embarrassing, says Hamburger, and if so, they must do something about it.
"It's often awkward to apply antiquated rules to a new electronics age," Hamburger says.
Elayne Robertson Demby, JD, has covered executive compensation, employee benefits, and financial issues for more than 10 years.