Social Dilemma: SEC Edition
With the recent increase in the use of electronic communication, we thought it necessary to touch on where the SEC is focusing its attention. RIAs use various forms of electronic communication, and it's important to remember to comply with the Investment Advisers Act. Personnel who engage in electronic messaging are subject to certain obligations. Here are some helpful tips for advisers to improve their systems, policies, and procedures:
Policies and Procedures
- Only allow use of electronic communications that your firm can confirm will be used in compliance with the books and records requirements of the Advisers Act.
- Specifically prohibit business use of apps and other technologies that can be readily misused by allowing an employee to send messages or communicate anonymously, allowing for automatic deletion of messages, or prohibiting third-party viewing or back-up.
- If an employee receives an electronic message using a form of communication prohibited by the firm for business purposes, require the proper procedures be followed for the employee to move those messages to another electronic system that your firm determines can be used in compliance with your books and records obligations, and include specific instructions to your employees on how to do so.
- If your firm permits the use of personally owned mobile devices for business purposes, you should be implementing policies and procedures addressing such use of social media, instant messaging, texting, personal email, personal websites, and information security.
- If your firm permits personnel to use social media, personal email accounts, or personal websites for business purposes, you should be implementing policies and procedures for the monitoring, review, and retention of electronic communications.
- You should have a statement in policies and procedures informing employees that violations may result in discipline or dismissal.
Employee Training and Attestations
- Your firm should require personnel to complete training on the firm’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging and electronic apps and the firm’s disciplinary consequences of violating these procedures.
- Obtain attestations from personnel at the commencement of employment with the firm and regularly thereafter that employees (i) have completed all of the required training on electronic messaging, (ii) have complied with all such requirements, and (iii) commit to do so in the future.
- Provide regular reminders to employees of what is permitted and prohibited under the firm’s policies and procedures on electronic messaging.
- Ask for feedback from personnel as to what forms of messaging are requested by clients and service providers so the firm can assess risks and determine how those forms of communication may be incorporated into the firm’s policies.
- If your firm permits use of social media, personal email, or personal websites for business purposes, you need contracts with software vendors to (i) monitor the social media posts, emails, or websites, (ii) archive business communications to ensure compliance with record retention rules, and (iii) ensure that they have the capability to identify any changes to content and compare postings to a lexicon of key words and phrases.
- Be sure your firm is regularly reviewing popular social media sites to identify whether employees are using the media in a way not permitted by your firm’s policies, for example, using personal social media for business purposes or using it outside the vendor services the firm uses for monitoring and record retention.
- Run regular internet searches or set up automated alerts to notify your firm when an employee’s name or the adviser’s name appears on a website to identify potentially unauthorized advisory business being conducted online.
- Create a reporting program or other confidential way employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications.
Control over Devices
- Your firm should require employees to obtain prior approval from the firm’s information technology or compliance staff before they are able to access firm email servers or other business applications from personally owned devices.
- Certain security apps or other software should be installed on company-issued or personally owned devices before they are allowed to be used for business communications. Software is available that enables advisers to (i) “push” mandatory cybersecurity patches to the devices to better protect them from hacking or malware, (ii) monitor for prohibited apps, and (iii) “wipe” the device of all locally stored information if it is lost or stolen.
- You should only allow employees to access your email servers or other business applications through virtual private networks or other security apps that isolate remote activity, to help protect the firm’s servers from hackers or malware.
Are you concerned with your policies and procedures or that your employees are not trained accordingly? Is it time to pass the baton to the pros? Fill out our Compliance Consulting Questionnaire or Schedule your Consultation Call today!