
Thursday, December 20, 2018

SEC Risk Alert: Best Practices for Social Media, Retention and Electronic Recordkeeping

By Cory Roberson, Principal at FIN Compliance and FIN Lancer

December 14, 2018. The SEC Office of Compliance Inspections and Examinations (OCIE) issued a risk alert based on its observations of the electronic messaging systems, records retention practices, and monitoring techniques used by investment advisors.

Books, Records and Electronic Archiving

According to Rule 204-2 of the Investment Advisers Act (the “Books and Records Rule”), firms are required to retain certain documentation relating to their investment advisory business, including financial and corporate documents.

Paper or Electronic Formats are OK

On May 30, 2001, shortly after the passage of the Electronic Signatures Act (the “E-Sign Act”), the SEC permitted advisors to store these physical records on electronic storage media.

How long must a firm retain its records?

Existing Clients -
At least 5 years (2 years stored onsite and 3 years offsite)

Old Clients -
At least 5 years from the end of the fiscal year in which the last transactional activity occurred

Other business/financial records -
Some records (such as financials) may need to be retained for a longer period.

What records must be retained by a firm?

Section (a)(7) of this rule requires advisors to keep original records of communications sent by an advisor relating to:

Recommendations or advice “made or proposed.”
Records relating to the receipt/disbursement of funds and securities.
Records that show the order or execution of securities transactions (e.g. trade blotter).
Records summarizing the performance or rate of return of managed accounts/transactions.

Section (a)(11) of this rule requires advisers to:

Retain copies of each notice/advertisement.
Retain communications circulated to ten or more persons.
Supervise its personnel for records management and the distribution of materials.

Annual Review of procedures required for SEC-Registrants

Rule 206(4)-7 (the “Annual Review Rule”) requires advisers to adopt a compliance program, which involves the creation and review of policies and procedures designed to address firm risks and adhere to the requirements of the Investment Advisers Act of 1940.

According to the review-based guidelines, the advisor should maintain its required records, secure them from unauthorized tampering, and protect them from destruction. In addition, the advisor must conduct this review at least once a year.

Challenges ahead to monitor electronic devices

Moreover, the Commission discusses several challenges that advisors must meet in monitoring mobile and personally owned devices for compliance with its guidelines. According to the OCIE, these challenges include the “increasing use of social media, texting, and other types of electronic messaging systems, and the pervasive use of mobile and personally owned devices for business purposes”.

OCIE Findings on Electronic Messaging Using Third-Party Devices

OCIE’s examiners surveyed advisors about electronic messaging systems and then conducted a review of policies and procedures to assess firm risks.

Electronic messaging systems (“typical uses”) can include any of the following:

Electronic business communications (including text transcribed electronically),
Text messaging,
Instant messenger services,
Personal email, and
Personal or private messaging.

What communications were reviewed?

In its observations, the OCIE included communications conducted on advisers’ systems, on third-party applications (“apps”), those sent using the adviser’s equipment, and/or on mobile devices that are used by personnel for business purposes. Note: Email on advisers’ own systems was excluded from these observations, as the OCIE didn’t deem it to pose as many threats.

Best Practices for Compliance with Electronic Recordkeeping

Following its review, OCIE staff provided the following suggestions for firms:

Allow only those forms of electronic communication (used for business purposes) that can be monitored by the firm’s systems for compliance.
Prohibit business use of third-party applications that can be altered, misused, or not monitored for compliance.
Create procedures for moving messages to monitored systems whenever a business communication is received through a prohibited application. In addition, train employees on how to adhere to those procedures.
Create procedures for electronic media use when/if the firm allows personal devices for business use.
Create procedures for social media, electronic recordkeeping, and the personal use of devices for business purposes (when applicable).
Include a statement of the repercussions for violating these procedures (e.g. warning, notice, or dismissal).

Employee Training

Firms should:
Maintain compliance training on policies and procedures.
Obtain attestation from employees (e.g. signed statements from employees that they’ve received training on electronic messaging).
Remind employees of electronic messaging rules.
Gauge employees for feedback on risks.

Compliance Reviews

For advisors who permit business use of social media on personal devices:
Retain a technology vendor for (1) retention, (2) monitoring, and (3) the capability to review messages against a list of “red flag” keywords.
Regularly review social media sites for compliance.
Run regular internet searches or set up automated alerts.
Establish a reporting program through which employees can alert management to concerns.

Cybersecurity/Data Protections

Advisors should:
Require employees to seek approval from IT/management before logging into firm systems from personal devices.
Require employees to install security software/patches on their computers before logging into firm systems from personal devices.
Require employees to access firm systems only through a secure VPN.

The OCIE recommends that all advisers review their practices regarding electronic messaging and update them in light of these observations, for compliance with Rule 204-2 (the “Books and Records Rule”) and similar state guidelines.

Ref. SEC Risk Alert (PDF):

Our Mission: “Serving the Investment Community to Make a Social Impact”

Contact:  Cory Roberson/650-305-2688/

Compliance and Business Management

FIN Compliance ( is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019). Access all services on one site:

FIN Missions ( provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.
