More On Legal & Compliancefrom The Advisor's Professional Library
- Do’s and Don’ts of Advisory Contracts In preparation for a compliance exam, securities regulators typically will ask to see copies of an RIAs advisory agreements. An RIA must be able to produce requested contracts and the contracts must comply with applicable SEC or state rules.
- RIAs and Customer Identification Just as RIAs owe a duty to diligently protect their clients privacy and guard against theft, firms also play a vital role in customer identification. Although RIAs are not subject to an anti-money laundering rule, securities regulators expect advisors to address these issues in their policies and procedures.
The last time I used a microfilm reader was in the dusty depths of my college library, reviewing newspaper clippings from the 1960s for some God-forsaken reason.
The windowless bunker looked and smelled as if it had been vacuum-sealed since the very period in history I was researching. Fast forward to today, when I perused Rule 204-2(g) of the Investment Advisers Act of 1940 (the “Act”), the rule that explicitly permits advisers to maintain their books and records in “micrographic media, including microfilm, microfiche, or any similar medium.”
Perhaps the SEC is taking the 1940 part of the Act’s title a little too literally…
To its credit, the SEC also explicitly permits books and records to be maintained via “electronic storage media, including any digital storage medium or system that meets the terms of [Rule 204-2(g)].” This definition is purposefully broad so that it can accommodate and exist in harmony with the Electronic Signatures in Global and National Commerce Act (“ESIGN”), passed in 2000. In general, the SEC permits electronic recordkeeping so long as it meets the requirements of Rule 204-2(g).
As a preliminary matter, an advisor should first take a step back and review the very long and very specific books and records that it is tasked with maintaining pursuant to Rule 204-2 of the Act.
Once an advisor confirms that all required books and records are actually being captured and retained for the required period of time (generally five years, unless otherwise noted), the next step is to determine what records are being maintained electronically (and hopefully not in microfiche).
For those records that are being maintained electronically, Rule 204-2(g) of the Act enumerates certain general and specific requirements.
An advisor should review the actual Rule itself, but I will attempt to simplify and translate the requirements below:
- Keep your records organized
SEC examiners don’t want to be left twiddling their thumbs while you hunt and peck on some file server for the documents they’ve requested. Records must have the ability to be produced “promptly,” which generally means 24 hours. Test yourself: throw a dart at a record required to be maintained pursuant to Rule 204-2. If you’re not able to produce a few months’ worth of that record within 24 hours, you may have a larger organizational problem.
- Keep your records complete, legible, and un-altered
Powers of attorney with pages missing or scanned at a 45-degree angle won’t cut it. An account agreement that was hand-signed and scanned to death on a 1995-era telefax at 50 dpi will likely not fit the bill. Journals or ledgers that have been altered or otherwise manipulated mean you have larger issues to address besides a books and records infraction.
- Records should be accessible, viewable, and printable by the SEC
This provisioning can be accomplished in many ways: providing a password-protected CD-ROM or USB drive, setting up a secure FTP site, sending encrypted or password-protected emails, or, for the brave, even setting up a username and password for discreet recordkeeping systems.
- Separately back-up your records
Advisors must “separately store… a duplicate copy of the record” on any electronic medium permitted by Rule 204-2(g). In other words, advisors must avoid a single point of failure when it comes to recordkeeping, and must maintain a separate backup copy of the record in a manner that would survive the inadvertent destruction of the original record.
- Safeguard your records Specifically, records should be safeguarded from “loss, alteration, or destruction.” Keep both physical and electronic safeguards in mind (storage cabinets to servers), and integrate safeguarding techniques into your business continuity plan and privacy protection policies pursuant to Regulation S-P to ensure all policies are consistent. Though the SEC did not specifically impose the “write once, read many” or “WORM” recordkeeping format for advisors (in contrast to broker-dealer recordkeeping rules, which mandates the WORM format), advisors must still safeguard records from alteration (and the SEC has “alternative means to verify the accuracy of adviser… records”). Lastly, maintain records on a need-to-know basis (i.e., to authorized personnel and SEC staff).
Rule 204-2(g) does not specifically speak to cloud storage and any other new-fangled blasphemy, but the same rules and requirements apply.
As priceless as the reaction would be if an examinee wheeled out a microfilm reader and a stack of reels during an SEC exam, perhaps an advisor would be more prudent to embrace technology, carefully apply the electronic recordkeeping requirements to its chosen recordkeeping medium and test its correspondent policies and procedures accordingly.