E-mails: The Issues Mature
Remember the good old days when the biggest issue surrounding e-mails was simply trying to figure out how to capture and store the darned things? These days, the question has turned to what, exactly, advisers have to do with their e-mails once they’ve got them. IM Insight recently spoke with e-mail expert Caroline Schaefer, associate general counsel of the Investment Counsel Association of America, about the practical e-mail issues facing advisers.
In Schaefer’s view, one of the most pressing issues facing advisers is whether, and how, to use e-mail in conducting so-called “forensic tests.” In case you haven’t heard that term before, it stems from footnote 15 in the SEC’s final compliance program release. There, the SEC said that advisers’ policies and procedures should employ, among other things, “compliance tests that analyze information over time in order to identify unusual patterns.” At industry conferences, SEC staffers have been referring to this as “forensic testing.”
Forensic testing is perhaps best understood by contrasting it to “periodic testing.” While periodic testing involves, for example, looking at specific transactions to see how they played out, forensic testing is “standing back” and looking at trends in transactions over time, explained Schaefer. “While many firms conduct some form of testing on a regular basis, we are all still trying to get our heads around what the SEC’s expectations will be related to forensic testing,” she added. “The SEC has been clear that when they come in, they want to see what the adviser is doing to test its policies and procedures,” said Schaefer. “There’s an expectation that if e-mail is a useful tool, an adviser will be using that tool to ensure that their policies and procedures are being followed within their firm.”
What About Surveillance?
If you think there isn’t a big leap to be made between forensic testing and surveillance, you may be right.
According to Schaefer, the SEC staff already expects advisers to review at least some e-mails. “Informally, the SEC has spoken rather frankly with us about the expectation that there’s already a requirement [to surveil e-mails] under the duty to supervise,” said Schaefer. Of course, unlike their broker-dealer counterparts, there’s no official rule that requires advisers to monitor and surveil their e-mails. However, Schaefer noted that OCIE associate director Gene Gohlke, speaking at a recent ICAA workshop, said that whether or not an adviser has surveilled its e-mails “would be looked at in the totality of what the adviser is doing to monitor and test within its firm” and whether those steps are actually responsive to the adviser’s assessed risks.
And it’s not just the staff that’s encouraging advisers to surveil their e-mails. “Today, most practitioners are saying you should be sampling a percentage of your e-mail expressly for violations under the securities laws — not just the Advisers Act,” said Schaefer. She described it as an “amazing change” from eighteen months ago, when most practitioners’ e-mail advice was “figure out what you need to keep and how you need to store it,” with no mention of surveillance.
If you can spend the money and spare the time (big assumptions, we know), surveilling may not be as hard as you think. Schaefer noted that several vendors provide software or outsourcing products “that can organize a firm’s e-mail according to the firm’s individual needs, capture e-mails based on key words, and generate a protocol to randomly sample e-mail.” Some of these products create reports that show what percentage of e-mail has been checked and items that have been flagged. “In the end,” noted Schaefer, “these products produce a report for the firm’s file that says ‘Here’s the check that we performed.’”
Schaefer warned that e-mail surveillance can create “all kinds of tension” within firms. “Having compliance officer Joe sitting in a room randomly reading 10 percent of a firm’s e-mails can make individuals uncomfortable for a variety of obvious reasons,” she said. The tension created for the CCO is similar to the tensions caused by the new Advisers Act code of ethics rule, which requires reporting and review not only of personal transactions but of violations of the code, as well. Schaefer also noted that surveillance “adds the additional burden of the time it will take an employee to review and screen e-mails.”
Of course, forensic testing and surveillance aside, the “traditional” e-mail issues continue to pose thorny problems for many advisers:
Storage. Schaefer noted that some outsourcing services maintain, organize, and categorize a firm’s e-mail. “It actually doubles as contingency planning because if your building burns down,” e-mails are stored at the outsource provider. Moreover, if the SEC comes in and asks for specific types of e-mails for specific periods, “you can easily locate that and turn over that e-mail.”
Schaefer said that one of the biggest storage-related problems that advisers have been facing is going through backup tapes trying to collect old e-mails. Those taping mechanisms “were never intended to be searchable, they were only intended to reboot systems that had been destroyed as part of contingency planning.”
Internal E-mails. Schaefer characterized this as an area that is still “wide open.” She noted that there is nothing on the face of the Advisers Act books and records rule requiring the retention of internal e-mails, but went on to suggest that “if there’s an internal e-mail that is material to a recommendation made for a client account or advice given, it clearly could fall” under the category of required records in Rule 204-2(a)(7).
Outside E-mail Accounts. Schaefer reported that some advisers are dealing with the issue of outside e-mails, such as those through Bloomberg or Hotmail, by adopting a policy that no outside e-mail accounts be used, and then asking employees to certify that they are aware of the policy and will abide by it. She also said that some firms have thought about limiting access to those types of accounts at employees’ desktops, but found that that’s easier said than done if the employee has access to the Internet. “It’s very difficult for an adviser to somehow verify that their employees are not using alternative e-mail accounts.”
She warned that communications sent via instant messaging also are fair game for SEC examiners. Because instant messages are so difficult to collect and store, much less monitor, many firms have banned the use of instant messaging for business purposes.
Educating Employees. Schaefer suggested that advisers educate their employees about the perils of e-mails. But the traditional “Would you want this on the front page of the Wall Street Journal” test may be too abstract, she said. “What may be suitable for one person to appear on the front page of the Wall Street Journal may be very different than the firm’s, from the business reputational standpoint.” Instead, Schaefer suggested that advisers educate their employees about the e-mail issue, and train them to avoid language that could be read out of context. “There’s no tone in e-mail,” she noted. Employees should be discouraged from using e-mail as “stream of conscious communication” and instead encouraged to communicate with “an identified purpose.” Firms, she said, should encourage employees to focus e-mail drafting in the same way they would “draft a paper-format memorandum that will be circulated to every person within the firm.” Added Schaefer: “More people are able to relate to that standard.”