Electronic Communication Compliance: One Size Does Not Fit All
Make sure you’re on top of employee email, instant messages and related electronic communications. Failure to do so may lead not only to violations of SEC books and records requirements, but to questions from examiners or investigators. Be aware, however, that electronic communication compliance is an art as well as a science.
"There’s no one-size-fits-all," said ACA Compliance Group managing director Joshua Broaded. The programs a compliance officer puts in place will vary depending on a wide variety of factors, including the nature of the advisory firm, the type of clients it works with, whether the firm has branch offices, and more. Once the firm’s risks are identified, then an effective electronic communication prevention and monitoring program can be put in place.
Retaining electronic communications falls under Advisers Act Rule 204-2, the Books and Records Rule, which requires advisers to maintain certain books and records in a wide variety of categories. If some of those records are comprised of emails, they must be maintained, as do communications relating to a firm’s investment advisory business found in text messages, instant messages, on Facebook, or simply on paper, said Day Pitney counsel Eliza Sporn Fromberg. In addition, examiners may ask to see email records relevant to specific topics, such as a particular private offering, and advisers will need to have those records easily accessible.
But how can advisers keep track of all the emails employees are sending out? It is not realistic to sift through every employee email. One answer is to simply require that employees maintain all emails, said Mayer Brown attorney Adam Kanter. In doing so, the danger of accidentally discarding important records is removed, and emails on specific topics are there to be found if needed. "No one should have expectations of privacy when it comes to work email," he said.
It’s easier to make sure that there is nothing problematic in electronic communications in the first place than it is to find problems after they occur, but firms need to be proficient at both.
The first step toward prevention, is for a firm to be "committed to running an ethical business," Broaded said. Inappropriate communications often reflect the existence of bad practices at the firm. "Problematic message are often a symptom, rather than a cause, of questionable behavior."
Consider the following steps to prevent electronic communication problems:
Train employees on policies and procedures. If employees are aware of how marketing must be approved within the firm, for instance, it will reduce the likelihood that unapproved content is emailed to prospects, said Broaded. When processes are not clear, compliance lapses can sometimes be identified by looking at the email archives.
Establish escalation protocols. If an employee has a problem, he or she should understand when reporting to a supervisor or to compliance is necessary. This allows any potential problem to be identified and contained. For instance, Broaded said, an employee who experiences a trade error or sends sensitive data to the wrong recipient may be unsure of what to do. By letting the compliance department know what has happened in a timely way, the problem can be minimized.
Reduce the chance of inadvertent data breaches. "Thirty years ago, you would need a dump truck to lose 300,000 pages of records. Today, all it would take is a flash drive or an email," Broaded said. Minimize the chances of inadvertent data losses by limiting access to sensitive information, such as client data, to only those who need to know, he suggested. Also consider disabling the auto-complete feature in Microsoft Outlook to prevent emails from being sent to someone other than intended because of, for instance, similar first names.
Work email here, personal email there. Send out personal emails only on personal email accounts, and work emails only on work email accounts. "I think of it is as separation of church and state," said Kanter. If an employee uses his or her personal email to send out a work-related item, that email then becomes a business record and is subject to SEC review – thereby expanding the number of email accounts you need to keep track of. Nor will most employees want their personal emails reviewed by the Commission. Advisers should educate staff through training to ensure that work emails are sent out only on work email accounts, Kanter said.
Write as if writing for the SEC. Employees writing work emails should make sure, when writing them, that they would be comfortable if they were read by SEC staff. That means emails that do not raise any doubt as to compliance with agency requirements, and that do not raise unnecessary questions. "Anytime you write an email, pretend that you are writing it for the SEC," Kanter said. Broaded suggested having the chief compliance officer or another third party review messages periodically to spot potential issues with tone and content.
Ensure employees are aware of the dangers posed by instant messaging and related services. These programs encourage an almost stream-of-consciousness communication style, and the informality of that style may lead to inappropriate messages, Broaded said.
Prevention, while extremely important, is not an end in itself. Depending on the nature of a firm’s business, client base, investments, culture and more, monitoring is needed to catch electronic communication problems that already exist. Expect examiners to look into employee electronic communications, depending on the topics they are scrutinizing, and how advisers are monitoring them.
One such area to be aware of is conflicts of interest. These may involve outside business activities, family members who work in the financial sector and affiliate activities. Identify these potential sources of compliance problems to guide you as you customize a monitoring program for your firm, Broaded said.
Some advisers, such as those managing hedge funds, where there is a greater chance of insider trading and other problems, may have more of a need to monitor emails than those managing mutual funds, Kanter said. Another group facing challenges that he identified are smaller advisers, since they may lack the resources of large advisers to perform monitoring, and therefore run the risk of not knowing what is being emailed. Such advisers should look into purchasing software programs to help them do so, he said. As for maintaining a firm’s ever-growing repository of emails, many advisers and fund managers employ a third-party email archiving service, said Fromberg.
Advisers must be prepared to follow up on anything they turn up, Kanter said. Failure to do so could be worse than not monitoring the emails at all, as it would be the equivalent of saying that you found a problem, but chose to do nothing about it.
Monitoring best practices
Simply performing random email checks, without any criteria to guide the monitoring, "does not work very well," said Broaded. Monitoring that is tailored to a firm’s profile, including its client base, types of investments, size, and culture will produce more meaningful results.
Only after a firm has correctly identified its profile and risk areas, Broaded said, should it then decide whether electronic communication monitoring is necessary in various areas, a list that he said includes: recent major developments, new hires (confirming that they are included in the firm’s archival platform, for instance), terminated employees (including confirming that access has been disabled), branch offices, employees with past histories of compliance violations, sensitive transactions or holdings (such as holdings where conflicts of interest may exist), investment allocations, trade errors, valuation errors and manipulation of valuation, use of unapproved marketing materials, communications with competitors, interactions with paid industry experts, client or investor complaints, gifts and entertainment, political contributions, and use of personal email accounts.
Once your firm’s profile and risk areas have been identified, consider the following methods of further tailoring electronic communication monitoring:
Spot check for buzz words. Search for certain buzz words or slang phrases that might be indicators of sensitive topics, said Kanter. For instance, compliance officers monitoring for any signs of insider trading might do a search for a phrase such as "hot tip" or "fraud." Emails containing such phrases are not necessarily problematic – for instance, an employee might jokingly write, "Wow, this investment is really a fraud" (although the employee should be told not to use email in this way), said Fromberg – but by flagging the phrase, you will be able to investigate why it was used, and reach the conclusion that nothing improper occurred. This sort of check can be performed daily, weekly, monthly or quarterly, depending on the need of the adviser or fund manager. Play it smart, though, and "don’t publicize the list of words that you will be looking for," said Kanter, as that would cause anyone who is engaged in improper activity to use different phrases.
Have electronic client complaints reported to compliance. It’s not uncommon to have displeased clients send an email that states, "I’m not happy with x, y and z," said Fromberg. Whether these are complaints about significant or trivial matters, all should be reported to compliance, she said. A trivial matter that is repeatedly complained about may no longer be trivial.
Be on the lookout for unfounded promises. Flag any emails where a promise is made to a client, as in "Hey, that investment is a sure thing," said Fromberg. Similarly, carefully review any emails that make claims about past performance, a perennial SEC red-flag issue.
Make judgments based on the jobs your employees do. Not all employees will need to have their emails equally monitored, as not all handle sensitive matters or are in a position to engage in improper activity. For instance, suggested Kanter, marketing employees and portfolio managers are each, for separate reasons, good candidates for email review. Marketing staff are regularly in contact with potential clients and must be careful about the promises they make and information they provide. Portfolio managers, who oversee investment decisions, are another candidate.
Document your reviews. Make written records of the reviews your firm undertook, when they were performed, what they uncovered and any resulting actions taken, said Fromberg. Show those to examiners. It does no good to tell examiners about reviews if you cannot provide evidence that they actually occurred, she said.