Compliance is such a bogeyman for RIAs. Registered representatives have a compliance officer and branch manager to answer to. And, say what you will about the difficulty of working with a B/D compliance officer or branch manager, the requirement that you clear everything you do provides a clear path for getting answers about the way you conduct your business.
For RIAs, answers are harder to come by. So to get the straight facts about the most pressing RIA compliance issues–including e-mail retention and new rules requiring RIAs to appoint a compliance officer and write compliance policies and procedures–I went straight to the source: Gene Gohlke.
Gohlke, who sports Ph.D. and MBA degrees in business administration from the University of Wisconsin and is also a certified public accountant, manages the Securities & Exchange Commission’s program for the examination of registered investment companies and investment advisors. A 19-year SEC veteran and associate director since 1986, Gohlke serves in the commission’s Office of Compliance Inspections and Examinations. Keep in mind that Gohlke does not set policy or make rules. Only the commission can do that, and what Gohlke has offered in this interview is his opinion. Still, in the 90 minutes he gave me, he offered specifics about what RIAs need to know now.
You recently were quoted saying that advisors had to retain e-mails for as long as 20 years. That quotation was taken out of context. It’s true only in a limited context relating to the calculation of an advisor’s performance. An advisor has to keep information that supports his advertised performance for the period of time that is covered by the performance information, plus five years. For example, say an RIA has a performance composite showing its return for the last 15 years. It must keep supporting documentation showing how the performance calculation was computed for each of those 15-year periods plus five more years. That’s how you’d get up to 20 years.
Are we talking about e-mail only or all performance data? It’s information that supports the performance claim, how is it calculated, and supporting documentation. And e-mails may relate to those numbers.
So how long does e-mail have to be kept? Putting aside e-mail that may relate to performance, if the information in an e-mail is required to be kept by the existing books and records rule, which has applied for years to RIAs, then it’s generally five years. If it relates to performance, then it could be longer. If the information in an e-mail is not such as is covered by the books and records rule, then there is no retention period.
What exactly is covered? What does an RIA need to retain? Matters concerning your business operations; your financial activities, such as your cash receipts and disbursements; communications with clients; transactions in clients’ portfolios, such as if a portfolio manager is placing orders using e-mail from the firm’s trading desk, those e-mails more than likely must be retained; records of personal trading by insiders. Anything an RIA would be required to retain for paper-based information under books and records would be required to be retained if held electronically. The information is identified in the books and records rule.
Does an RIA need a written policy on e-mail storage? Yes. If not now, certainly come Oct. 5, when the new compliance rule goes into effect. That rule requires written compliance policies and procedures, and guidance for a firm’s employees. So it makes a lot of sense to have written policies regarding what information to keep as a firm and what information you can get rid of. E-mails being among that set of information, it’s a very sensible compliance procedure to have written policy for the retention of e-mails.
Do e-mail archives need to be stored on site? You need to keep relevant information for five years. The books and records rule requires that the information be preserved and maintained in a readily accessible place for the entire five-year period. For the first two years, required information must be kept in an appropriate office of the adviser. Once that two-year period is over, required information could be kept off site. But it still has to be produced promptly, meaning within 24 hours.
What if you use Web servers that are offsite from an RIA’s office? Is that okay? We have accommodated them, so as long as the advisor can produce the records in its office, that is the same as storing it in its office. So say an advisor in New York uses an e-mail server that is physically located in South Dakota, that’s okay, so long as the advisor can access the e-mail in its office.
Is it also required that an additional copy of all your e-mail be stored offsite, for disaster recovery purposes? I don’t think there is anything in the books and records rule that says that or gets you there specifically. On the other hand, an advisor is required to keep records for five years, and that information has to be produced promptly when requested. Taking all of that together gets you to the point where an advisor needs to think about things that can happen to its required information and take reasonable steps to make sure it is not destroyed prematurely. The advisor owes a fiduciary duty to its clients. If a lack of planning causes vital client records to be destroyed and hampers an RIA’s ability to perform contracted services to a client, clearly the advisor hasn’t fulfilled its fiduciary duty to the client. So if the advisor doesn’t want to spend the money to have a backup process or doesn’t take the time to think out a business continuity plan, it ought to be making pretty good disclosures to its clients that they are at risk.
Why does the SEC care so much about e-mail but not what RIAs say over the phone? You don’t require that RIAs record all phone conversations with clients. You can say the same thing for an earlier time when communications were on paper. Why did the SEC require certain paper communications to be kept and not all telephonic communication? That’s the way it is. It may be great to have all phone conversations recorded as well. It’s a good question, but all I can say is that that this is where the commission has drawn the line.
Was the new get-tough policy on e-mail developed in response to the mutual fund scandal because so much of what was learned about fund company malfeasance was uncovered by studying e-mail? Yes. A number of the arrangements for market timing and late trading were found on e-mails, but not necessarily written down or recorded in any type of traditional paper-based records. So it was not too much of a leap to say that as part of our examinations, we would look at e-mails.
Many advisors may have been using e-mail for five or six years, but may not until now have had a retention system in place. Do these rules apply only going forward? If an RIA has been using e-mails for the last five years, and it has a policy of cleaning off its e-mail server after any e-mail is 60 days old, then it most likely has been routinely destroying certain information that it was required to keep. It has a problem.
But I think it is probably not uncommon for an RIA to not have done anything about e-mail retention until recently. That could be, but the books and records rule requires that certain information be kept. Yes, I understand the rule is written in the context of records produced on paper. But what it really covers is information. If that information happens to be in an e-mail or instant message, the recordkeeping rule still applies to it. That didn’t just change in September. It’s been that way for many years. Advisors may not have interpreted that way, but certainly on the broker/dealer side of things, for some time now, the NASD has required that broker/dealers retain e-mail. So there is some precedent on the B/D side. Advisors have had a duty to keep information in e-mail that is covered by the books and records rules ever since they started using e-mail.
At what point will you begin, or have you already begun, citing advisors who don’t retain e-mails? We are doing that right now.
Are you simply citing this in a deficiency letter? That is a fairly common way of how it is being handled, particularly if we don’t find any other material problems. But I don’t ultimately make those calls. And whether that policy will change or will continue is also not my call.
B/Ds are moving to filter e-mail sent by their registered representative. On the RIA side of things, e-mail does not have to be screened by a compliance officer before it’s sent. Is the SEC moving in that direction? There is no current requirement to do that.
If an RIA archives to his hard drive or to a tape backup, is that okay? Or does the e-mail archive have to be written to non-rewritable CDs or another storage medium that is not rewritable? It can be a medium that is rewritable but the adviser should have built in adequate protections so that required information is not erased prematurely.
Does the SEC have written policies regarding e-mail compliance? What are they and how specific are they? Other than to the extent one can say that the books and records rules are written and apply, there are no written rules for RIAs specifically covering e-mail. But there probably will be in the near future.
There are new rules regarding compliance officers and internal compliance controls. Can you give us an overview? They are lengthy rules. They say that, as of Oct. 5, every registered advisor is required to have written compliance policies and procedures that are effective. The procedures must assist in making sure that compliance problems don’t happen. And if bad things do happen, these procedures will assist in identifying those bad things and lead to their correction, and ensure appropriate remedial action will be taken. The entire thrust is to focus the attention of advisors on the need for good compliance procedures and then require certain steps to make sure that the procedures, in fact, do work, and that the advisor takes the necessary time and effort to implement the procedures.
What action is required now to comply? The rules require that an RIA have effective compliance procedures across its entire advisory business. Between now and Oct. 5, an RIA would need to evaluate what is its business.Who are its partners? Who are its affiliates? How does it conduct its business? Who are its clients? Does it have certain clients who pay performance fees, while others pay fees based on assets under management? Where in its business are there potential conflicts of interest? Where in its business and its relationships can bad things happen to its advisory clients? Then, based on that type of risk identification process, an advisor should determine controls and management techniques to ensure to the extent possible that those bad things don’t happen, and that conflicts of interest are managed so that the result is consistent with the disclosure the firm has made to its clients. After having done all that, if the advisor says, “Well, my existing procedures cover all of that. My existing procedures do everything the rule requires,” then there is probably not much more the advisor has to do except appoint a chief compliance officer that has the responsibility for making sure on a continuing basis that the advisor’s compliance processes are effective.
If an advisor has been attentive to having good compliance, and has a good compliance culture, the new rule may not have much of an impact on that RIA. On the other hand, for an advisor that has been less attentive to having good compliance, the rule could have a substantial impact. The RIA will have to go through all of its business arrangements and look for conflicts, figure out what the firm has put in place to prevent and quickly identify problems, and put additional control procedures in place. It may be necessary to institute new reporting requirements, new exception reports, and new management reports to ensure that by Oct. 5 its compliance procedures are effective.