The weekly news source for investment management legal and compliance professionals

News October 25, 2004 Issue

The Latest on E-mails: Part 1 of 2

At the NRS Fall Compliance Conference in New Orleans earlier this month, OCIE associate director Gene Gohlke participated in a wide-ranging discussion of e-mail issues. Joining him: NRS consultants Keith Marks and John Gebauer, as well as Kenneth Wagner, director of compliance at J.J.B. Hilliard/W.L. Lyons. Here are the highlights:

The amnesty period is ending. If you haven't been capturing your e-mails in the past, you'd better do so going forward, warned Marks. "I think the SEC is going to come across a lot of firms that don't have full e-mail retention over the last five years," he said. "I don't necessarily think they are going to be surprised by that." However, he added, "I think there's definitely going to be a cut-off this year." While the staff may show some leniency on past e-mail retention practices, going forward, "there's going to be every expectation that . . . your e-mail systems should be documented and ready for production to the SEC," he said.

Keep all e-mails or sort out non-required records? Marks indicated that most advisers seem to be concluding that "the only thing that can be reasonable is to keep everything."

Monitoring. Is there a requirement to monitor e-mail? "I would say yes," said Gohlke. Of course, there is no explicit requirement that advisers monitor e-mail, but Gohlke noted that under the new compliance program rule, advisers are supposed to have effective compliance programs. For example, he said, e-mail surveillance might be necessary to confirm that an adviser has reasonable controls in place so that employees aren't destroying client letters.

Keyword searches. The fact that some SEC examiners have asked for keyword searchable files in examination requests doesn't necessarily mean that the SEC thinks that all e-mails must be keyword searchable. Gohlke said particularly when doing mini-sweeps, examiners have "wanted to see if the firm could narrow down the e-mails that were requested to those . . . that had something to do with the subject matter that we were looking at." That, he said, is "why we would ask" advisers to use a specific set of words. "Firms might have indexed it in other ways, but we were thinking well, if the firm had the ability internally to keyword search, they could do that and then identify those e-mails that came out of that search and only produce those e-mails." He said he didn't consider that "as really being an indexing approach," but rather as "just a way of taking the vast bulk of e-mails and narrowing the group down to something that was relevant to what we were looking at."

If e-mails cannot be sorted by client name or number, is that acceptable? "Probably it is," said Gohlke. "Again, some of this is so fact and circumstances specific it's hard to say definitely yes or definitely no." If e-mails are indexed by criteria such as sender, recipient, or date and subject, but not also by client, "that would probably be just fine," said Gohlke. "If it isn't indexed in any way," and "just everything's on the server," perhaps organized by date, "well, maybe that isn't indexed appropriately or sufficiently, because how does one find a specific e-mail?" he said. "We find e-mails indexed in a whole bunch of different ways," he added. The ability to go back and pull e-mails out by sender or receiver "seems to be critical because many times we're asking for e-mails for specific persons," he said. "The firm does need to be back to be able to go back and pull those e-mails."

"I don't see anything in the rule that says you have to be able to do a keyword search," Gohlke reiterated. "We're requesting it . . . just to narrow down the set of e-mails that we come back with." He did add, however, that the ability to keyword search may be necessary to implement the firm's compliance program. "If you as CCO and other managers within the firm have no way of surveilling what's in all the e-mails that your employees" are sending internally or externally, "aren't you taking a risk that there might be securities laws violations embedded in those e-mails that aren't coming to any appropriate manager's attention, if you do not have the ability to keyword search your e-mails in some way?" While not required by the rule, he said, isn't having a search capability "part of a good compliance program?"

Marks replied that he didn't think "it's the only answer" but described it more as one possible "reasonable solution to supervision."

It's okay to treat different employees' e-mails differently. A conference attendee asked whether it would be reasonable to identify persons within the firm that are likely, and unlikely, to generate required records, and to treat their e-mails differently. Gohlke replied that "that policy would seem to make sense." But he said that before disposing of e-mails from persons in the "unlikely" category, advisers should sample the e-mails to confirm that those persons have not, in fact, generated required records.

To wit: "I would think in any firm, if you are going to follow this approach of saying there are some number of people in our firm that are more likely than others to create or to get or to be near required records, and then there's this whole other group of people in our firm that may occasionally come into contact with a required record but it's highly unlikely, perhaps one way to segment the number of people in the firm and be able to get rid of some e-mails is to take the set that are highly unlikely to be near or have access to or be involved with required records and say 'Okay, we'll sample their e-mail and determine whether they might in fact be required records.' For the other set of people who are much more close to the required records, 'Well, we just keep all their e-mails'."

Gohlke noted that there are statistical approaches that can be used to be 95 or 99 percent confident that what you have in your sample is representative of the population. "It's not rocket science to apply them," he said. Of course, as Marks put it, "the question is, if you do a sample and you test 2,000 e-mails and you find two that are required records and these people aren't supposed to be producing required records, what do you do then?"

Next week: Media formats for retention, destruction, and responding to OCIE requests.