By Cory Roberson, Principal at FIN Compliance and FIN Lancer
December 14, 2018. The SEC Office of Compliance Inspections and Examinations (OCIE) issued a risk alert based on its observations of practices surrounding electronic messaging systems, records retention, and monitoring techniques used by investment advisors.
Books, Records and Electronic Archiving
According to Rule 204-2 of the Investment Advisers Act (“Books and Records Rule”), firms are required to retain certain documentation relating to their investment advisory business, including financials and corporate documents.
Paper or Electronic Formats are OK
On May 30, 2001, shortly following the passage of the Electronic Signatures Act (“E-Sign Act”), the SEC permitted advisors to store these physical records on electronic storage media.
How long must a firm retain its records?
Existing Clients - At least 5 years (2 years stored onsite and 3 years offsite)
Old Clients - At least 5 years from the date of the last fiscal year-end transactional activities
Other business/financial records - Some records (such as financials) may be retained for a longer period.
What records must be retained by a firm?
Section (a)(7) of this rule requires advisors to keep original records of communications sent by an advisor relating to:
Recommendations or advice “made or proposed.”
Records relating to the receipt/disbursement of funds and securities.
Records that show the order or execution of securities transactions (e.g. trade blotter).
Records summarizing the performance or rate of return of managed accounts/transactions.
Section (a)(11) of this rule requires advisers to:
Retain copies of each notice/advertisement.
Retain communications circulated to ten or more persons.
Supervise its personnel for records management and the distribution of materials.
Annual Review of procedures required for SEC-Registrants
Rule 206(4)-7 (“Annual Review Rule”) requires advisers to adopt a compliance program, which involves the creation and review of policies and procedures designed to address firm risks and adhere to guidelines stated in the Investment Advisers Act of 1940.
According to the review-based guidelines, the advisor should maintain its required records, secure them from unauthorized tampering, and protect them from destruction. In addition, the advisor must conduct this review at least once a year.
Challenges ahead to monitor electronic devices
Moreover, the commission discusses several challenges that advisors must meet when monitoring mobile and personally owned devices for compliance with its guidelines. According to the OCIE, these challenges include the “increasing use of social media, texting, and other types of electronic messaging systems, and the pervasive use of mobile and personally owned devices for business purposes”.
OCIE Findings of Electronic Messaging using third-party devices
OCIE’s examiners surveyed advisors about electronic messaging systems and then conducted a review of policies and procedures to assess firm risks.
Electronic messaging systems (“typical uses”) can include any of the following:
Electronic business communications (including text transcribed electronically),
Text messaging,
Instant messenger services,
Personal email, and
Personal or private messaging.
What communications were reviewed?
In its observations, the OCIE included communications conducted on advisers’ systems, third-party applications (“apps”), those sent using the adviser’s equipment, and/or mobile devices that are used by personnel for business purposes. Note: email use on advisers’ systems was excluded from these observations, as the OCIE did not deem it to pose as many threats.
Best Practices for compliance with Electronic record keeping
Following its review, OCIE staff provided the following suggestions for firms to:
Allow only forms of electronic communication (used for business purposes) that can be monitored by the firm’s systems for compliance.
Prohibit business use of third-party applications that can be altered, misused, or not monitored for compliance.
Create procedures for moving messages to monitored systems any time business communication is received from a prohibited application. In addition, train employees on how to adhere to those procedures.
Create procedures for electronic media use when/if firms allow personal devices for business use.
Create procedures for social media, electronic record keeping, and the personal use of devices for business purposes (when applicable).
Include a statement of repercussions for violations of these procedures (e.g. warning, notice, or dismissal).
Employee Training
Firms should:
Maintain compliance training on policies and procedures.
Obtain attestations from employees (e.g. signed statements from employees that they have received training on electronic messaging).
Remind employees of electronic messaging rules.
Gauge employees for feedback on risks.
Compliance Reviews
For advisors who permit business use of social media on personal devices:
Retain a tech vendor for (1) retention, (2) monitoring, and (3) the capability to review a series of “red flag” keywords.
Regularly review social media sites for compliance.
Run regular internet searches/set up automated alerts.
Establish a reporting program for employees to alert management to concerns.
Cybersecurity/Data Protections
Advisors should:
Require employees to seek approval from IT/management before logging into firm systems from personal devices.
Require employees to add security software/patches to computers before logging into firm systems from personal devices.
Require employees to only access firm systems using a secure VPN.
Summary
The OCIE recommends that all advisers review their practices regarding electronic messaging and update them based on the OCIE’s observations, for compliance with Rule 204-2 (“Books and Records Rule”) and similar state guidelines.
Ref. SEC Risk Alert (PDF): https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Electronic%20Messaging.pdf
Our Mission: “Serving the Investment Community to Make a Social Impact”
Contact: Cory Roberson/650-305-2688/cory@riareview.com
Compliance and Business Management
FIN Compliance (FinCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm, RIA Review, a compliance-management software tool (SaaS), B-D Review, a RIA/Broker-Dealer compliance management software tool, and FINLancer is a business management portal featuring: E-signature tools; Invoicing integration, Vendor Directory, continuity directory*, business client document portal, and more (available by Q3 2019). Access all services on one site: FINCompliance.io.
Impact
FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.