Now that you’ve seen what ACA Insight has to offer, don’t be without it. Subscribe now!

The weekly news source for investment management legal and compliance professionals

Current subscribers - please log in to the website in the upper right-hand corner

News November 1, 2004 Issue

The Latest on E-mails: Part 2 of 2

(This article presents the highlights of e-mail related discussions at recent conferences. It is continued from the October 25, 2004 issue of IM Insight.)

Media. NRS consultant John Gebauer said that "one of the most common business practices" that heís seen among all sizes of advisory firms is archiving the database produced by Microsoft Exchangeô or Lotus Notesô or other e-mail platform on a suitable media. He added that while the Advisers Act books and records rule doesnít require "WORM," advisers should create a system "that sortíve acts like WORM" in order to prevent or detect alteration. For example, Gebauer noted that magnetic tapes are rewritable, and suggested that firms create "software or a process around how that information is stored or how that information is accessed."

Also at the NRS conference, OCIE associate director Gene Gohlke touched on the use of a third-party service provider to retain e-mails. If advisers rely on a vendor, he said, they should seek assurances that the vendor will safeguard the information and not use the information in the firmís e-mails for the vendorís marketing purposes. He also suggested that advisers talk to their service providers about how they will assist the adviser in providing e-mails to the SEC and what the time frame for that production would be. He recommended looking at the vendorís service level agreements and performing due diligence on potential vendors. Moreover, due diligence should be performed over time. "The businesses of service providers change," he said. As part of the due diligence process, advisers should ask how the migration of records will be handled. If there is a change of service providers down the road and the old one is not cooperative in transferring records to the new provider, "you can get into pretty dire straights." He also suggested that advisers confirm that their vendor has viable access to alternate communications and pathways, in the event of a power disruption or other event.

Can a firm save required e-mails by printing out all e-mails that contain required information? The short answer: yes, but this may be impractical for all but the smallest firms. Gohlke said that OCIE "would ask what your process is" and that the firm would be "on the hook" if it inadvertently destroyed required records. At the NSCP conference, Gohlke said that a "small adviser shop could choose to print its e-mails out and keep them in a paper format, but it needs to be able to produce relevant e-mails promptly." When making a decision about how e-mails will be stored, he said, consider how they will be produced. Gohlke also noted that if an e-mail is required to be kept, it should be kept along with "all of its attachments."

Destruction of e-mails. Hereís the golden rule: If itís not a required record, you donít have to keep it. But youíd better make sure you are deleting only non-required records. And just because you donít have to keep a record under the Advisers Act books and records rule, doesnít mean there isnít a valid purpose for keeping it. "If a firm does have a process for deleting or destroying e-mails, we very much will then be asking for what is the policy, what is the process that the firm goes through in periodically destroying e-mails to make sure that only those e-mails that can be disposed of are being disposed of, that required information is not being deleted," said Gohlke. "We want to understand what the firmís policy is and how the firm monitors the implementation of that policy. Does it periodically test before a set of e-mails are actually destroyed? Does someone actually go in on a test basis or a sample basis and take a look to see if there might be e-mails within that group that should have been weeded out earlier and maintained?" he asked. "Any time you set about destroying a bunch of records, whether that be on paper or electronically, you want to make sure you are not destroying required information."

NRS consultant Keith Marks said he would be "very skeptical" of having employees in the general population being allowed to destroy e-mails. He noted that there is often confusion about what the books and records rule actually requires. "I think it would be an enormous burden for anybody to try to set up a system" where employees have to figure out "what e-mails Iím going to save and what e-mails Iím not going to save," said Marks.

At the NSCP conference, Gohlke said the "big problem" with destroying non-required e-mails is "how do you as a compliance person make sure that the e-mails being deleted are appropriately those that do not contain required information?" Before a firms decides to destroy non-required e-mails, he said, "it would be very smart for the compliance people" to consider how they can demonstrate to the staff, when asked, that they are only deleting non-required e-mails. "If you canít demonstrate that, then you probably shouldnít be deleting them," he said.

OCIE general counsel John Walsh, at the NSCP conference, said that heís seen "a number of very creative solutions," some managerial, some technical, designed to help make sure that required e-mails are being maintained and only non-required e-mails are being deleted. The solutions, he said, "involve some level of testing, oversight, and training." He also said that in talking to vendors, he has noticed "growing optimism" about their ability to address the types of compliance issues that are raised by electronic records.

Even firms that take the "keep everything" approach should do so with an eye to being able to toss as many e-mails as possible come the expiration of the retention period, said panelists at the NRS conference. Ideally, records with long-tailed retention requirements, such as performance back up and those related to the new personal trading code of ethics rule, should be carved out and stored separately from other e-mails, as should records that the firm wants to hold onto for business purposes. Then, at the end of the retention period, the entire yearís e-mails can be safely deleted.

Responding to OCIE requests. Gohlke said that OCIE is "trying to be judicious" when making e-mail requests. He noted that examiners have a built-in incentive to limit e-mail requests: "If we requested it from you, we have to review it." Advisers that get an e-mail request that seems overly broad should "talk with the staff," said Gohlke. "Indicate what that would mean for the firm." He said that advisers should ask if they can give a set of e-mails as a "starting point," and offer to produce additional e-mails if the examiners want to see more.

At the NSCP conference, Walsh noted that compliance officers sometimes fight a two-front war, with SEC examiners asking for e-mails and the firmís IT department replying that the production request is "impossible." He advised compliance officers not to let themselves get caught in the crossfire: "Get the IT people in the room with the examiners, and say, ĎYou know, we are having some technical glitches here. These are the people who can explain to you why they cannot produce the records that we are legally obligated to have readily accessibleí." The IT folks can then discuss technical work-arounds and whether examiners can be accommodated by a rolling production or by meeting reasonable milestones. He said that heís seen compliance officers do this: "I think it is very effective."

Reviewing for privilege e-mail-by-e-mail "doesnít work very well for anybody," said Gohlke. He suggested that privileged e-mailsí subject lines indicate that the e-mail is privileged. The problem, he said, is when firms donít address the privilege issue until they get the request. "Think about it ahead of time," he said. "Maybe you can identify people who are likely to generate the privileged e-mails," he said.

And be careful about destroying e-mails in the middle of an SEC investigation. Gohlke noted that the SEC has brought e-mail-related enforcement cases "mostly where the SEC was looking into a particular issue, started to trip over some e-mails, asked for e-mails, and then found that firms had destroyed them ... or failed to produce them in the course of an investigation." Firms that have a regulatory issue, he said, may find greater scrutiny on their failure to keep e-mails in the past.

Gohlke urged advisers to read the recent e-mail enforcement cases (hereís one). "They make very good reading," he said. "I think after reading these cases you wouldnít have much qualms or much concern about why the SEC brought these cases," Gohlke added.

More on amnesty . . . At the NSCP conference, an attendee asked Gohlke how examiners would view an adviser that has only recently (perhaps in the last six months) "seen the light" about e-mail retention, and hasnít retained all e-mails going back for the required retention period?

"The first thing you should do is bring up the issue with the exam staff," replied Gohlke. "Explain your situation. Tell them the firm will provide e-mails as far back as you can, but beyond that point you simply donít have them [and why] you donít have them." He said that examinersí reactions will depend on the circumstances. "I know thatís occurred in some of our exams . . . and the matter did not find its way to Enforcement." Added Gohlke: "Iím not saying thatís going to be the case in all the situations." From the examinersí point of view, he said, an adviser that only recently has begun retaining e-mails "was destroying required records."

Added Gohlke: "I realize there wasnít the emphasis on e-mails ó at least on the í40 Act side ó prior to September 2003."