The Securities and Exchange Commission’s exam division is warning registered investment advisors to review their electronic communication procedures, as recent exams showed advisors failed to ensure compliance with SEC rules.
In its Risk Alert released Friday, OCIE staff said a recent exam initiative focused on whether and to what extent advisors complied with the Books and Records Rule and adopted and implemented policies and procedures as required by the agency’s Compliance Rule.
During the course of the initiative, OCIE examiners “observed a range of practices with respect to electronic communications, including advisors that did not conduct any testing or monitoring to ensure compliance with firm policies and procedures.”
OCIE surveyed RIAs to learn the types of electronic messaging used by firms and their personnel, and reviewed firms’ policies and procedures to understand how advisors were addressing the risks presented by evolving forms of electronic communication.
“Electronic messaging” or “electronic communication” included written business communications conveyed electronically using, for example, text messaging, instant messaging, personal email and personal or private messaging.
OCIE included communications conducted on the advisor’s systems or third-party applications or platforms or sent using the advisor’s computers, mobile devices issued by advisory firms, or personally owned computers or mobile devices used by the advisor’s personnel for the advisor’s business.
OCIE encourages advisors “to review their risks, practices, policies and procedures regarding electronic messaging and to consider any improvements to their compliance programs that would help them comply with their regulatory requirements.”
Examiners then offered advisors examples of practices that may assist advisors in meeting their record retention obligations — specifically as it relates to policies and procedures; training and attestations; supervisory review; and control over devices.
For instance, OCIE recommended that advisors prohibit business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or backup.
Advisors should also be “regularly reviewing popular social media sites to identify if employees are using the media in a way not permitted by the advisor’s policies.”
Such policies included prohibitions on using personal social media for business purposes or using it outside of the vendor services the advisor uses for monitoring and record retention, OCIE said.
Advisors should also “stay abreast of evolving technology and how they are meeting their regulatory requirements while utilizing new technology.”
OCIE’s exams were limited to RIAs; however OCIE stressed that other types of regulated financial services entities may face similar challenges with new communication tools and methods.
— Related on ThinkAdvisor: