You’ve contracted with a vendor to capture and archive all emails sent to and from employees within your advisory firm. Emails are set to be stored for not less than five years pursuant to the SEC’s recordkeeping requirements and are ready to be turned over when requested during an exam. So now you can relax, right? Wrong: now the fun reallybegins: actually reviewing these emails and testing the integrity of your archiving system.
Emails (and attachments) sent or received by a registered investment advisor are subject to the SEC’s recordkeeping requirements if they concern any of the records required to be kept by Rule 204-2 under the Advisers Act. A full list of such records can be found here.
As an aside, this same logic applies to other forms of electronic communication, such as text messages, instant messages, and messages sent within social media platforms, but email will be referenced throughout this article for simplicity’s sake.
The bottom line is that the SEC may request all electronic communications related to the business of the advisor for a certain period of time, even if such communications were sent through a personal email account. Beyond merely reviewing a sampling of emails themselves, examiners are also likely to inquire how the advisor reviews its own emails.
There is no single prescribed method to conduct email surveillance, which is in line with the SEC’s typical principles-based regulatory framework (as opposed to FINRA’s framework, which is generally considered rules-based or prescriptive). That said, an advisor’s email surveillance system should be reasonably designed to prevent violations of the federal securities laws, just like all of its other policies and procedures. But what does this mean in practice?
Below are steps to take when designing and implementing an email surveillance program:
Step 1: Take Advantage of Technology
Any reputable email archiving vendor will have the ability to automatically flag emails that contain certain words or phrases likely to warrant review. These keywords or key phrases should be customizable by the advisor, which allows the advisor to control which words or phrases are flagged and to adjust keywords and key-phrases as the business changes or new risks emerge.
Conversely, the vendor should also have the ability to exclude certain words or phrases from being flagged automatically and drowning the reviewer with unnecessarily-flagged emails. The most common excluded phrases are known email disclaimers or footers, which may contain keywords like “attorney,” “FINRA,” or “guaranteed.”
Step 2: Know What to Review
Reviewing email can be an incredibly effective cure for insomnia, but don’t snooze through common problems often revealed in emails:
- Undisclosed client complaints
- Insider trading or selective disclosure
- Distribution of marketing materials not conforming to the Advisers Act, the rules promulgated thereunder, or applicable no-action letters (e.g., Clover Capital)
- Promissory claims or guarantory performance language
- Suspicious emails from clients who may have had their email account hacked
- Undisclosed matters requiring disclosure on an advisor’s U4
- Breaches of non-public personal information or failure to follow privacy policies
- Failure to place the client’s best interests first or other fiduciary failings
Step 3: Know How Much to Review
Again, there is no prescribed formula for determining how many emails to review, but enough should be reviewed for an advisor to be able to defend it as reasonable.
Perhaps the most important takeaway here is to review as many emails as are called for in the advisor’s policies and procedures; if the policies and procedures call for a review of 5% of all emails each month, don’t review 3% every quarter. Note: policies and procedures are not required to specify exact percentages or quantities to review.
Step 4: Document the Review
Unless an advisor can prove the firm actually reviewed emails, the review never happened. The email archiving vendor should provide a means by which to electronically “evidence” the review and create an audit trail, but be sure to follow the vendor’s instructions to create a clean record proving the advisor did actually look at all those fantasy football emails flying back and forth.
Another option is to create a review log with date stamps and initials by the reviewers.
Step 5: Lose the Idea of Delegating Liability
One of the most common questions I’m asked is whether email surveillance can be delegated. The answer is yes, but the advisor tasked with primary review responsibility retains liability for any supervisory failures associated with the delegated review.
With delegation comes due diligence.
Step 6: Trust but Test
Finally, advisors should periodically test the integrity of their email archive to ensure all emails are actually being captured and are being archived for the defined period of time. It is not ideal to find out about technological glitches from the SEC, in email archiving or otherwise.
If reasonably designed and carefully constructed, an email surveillance system can not only meet regulatory requirements but serve as a tool to effectively oversee the firm and its employees.
See also these most recent Chris Stanley posts: