
The weekly news source for investment management legal and compliance professionals


News July 10, 2017 Issue

Electronic Messaging May Be Subject of New Sweep Examination

Advisory firms should consider preparing for what may be a new SEC sweep exam: electronic messaging. While it is not yet certain that such sweep exams have begun or are scheduled to begin, advisers would be wise to review their policies and procedures, as well as how they use and document such forms of communication as instant messaging, text/SMS messaging, emails sent and received on non-company systems, and personal or private messaging.

Some securities law offices are buzzing about an "information request list" that recently came into their possession. This questionnaire, which has no letterhead or marks identifying whether it originated with the SEC or elsewhere, is a little over two pages and requests 19 types of information, falling into the categories of "background information," "compliance program," "recordkeeping," and "security and privacy of information."

"Such a sweep definitely started back in April," said Willkie Farr partner and former SEC deputy chief of staff James Burns. "The questions reflect several lines of inquiry the staff has been probing. It gives a good sense of some of the points advisers may want to be ready to respond to about their own electronic messaging practices."

"As far as look and feel, this is definitely an SEC document," said Shearman & Sterling partner Nathan Greene.

The SEC itself remained mum on the subject, issuing a formal "no comment" when asked about the questionnaire. The lack of response is somewhat odd, as in the past the agency has publicly announced plans for at least some specialized examinations.

Worth reviewing

Whatever the origin of the document, advisers should give some thought to studying it, if only to see what examiners may one day ask for. Electronic messaging is the kind of topic that the SEC would inquire about, as it encompasses evolving technology and is widely used in a variety of different forms by advisory firms and other financial companies.

Electronic messaging through methods such as instant messaging, texts and more is a problem for advisers "because there is no way to monitor or police it," said Stern Tannenbaum partner Aegis Frumento. "The only answer is to have good policies and procedures, but then you have to answer the question of how you determine whether it’s being followed. Do you spotlight personal employee email accounts? That raises privacy issues, and besides, an employee can then create a second email account."

"Probably the best method is to require certification from employees, so they know that if they are caught, they will have to pay," he said. In addition, he suggested, advisers could send notices to customers saying that advisory firm employees are forbidden to communicate with you except by company email, and that they should notify the adviser if an employee attempts to communicate by other means.

The questionnaire

The information request list makes clear in its opening paragraph that the term "electronic messaging" is not meant to include "email messages that are sent or received using the adviser’s email system and retained by the adviser."

Following is a summary of the 19 items the questionnaire asks for:

  1. Kinds of messaging. A description or definition of the advisers’ use of electronic messaging services or platforms, including what is and is not permitted.
  2. Types of devices. A description of the devices that are permitted or not permitted for use in electronic messaging.
  3. Written policies and procedures. Copies of all written policies and procedures addressing the use of electronic messaging.
  4. Informal or unwritten policies and procedures. A description of such policies and procedures that deal with electronic messaging.
  5. Persons responsible. Names of all individuals responsible for overseeing the adviser’s policies and procedures concerning electronic messaging, as well as a brief description of their roles and responsibilities.
  6. Monitoring and review. A description of the adviser’s processes for any ongoing monitoring and review of electronic messaging communications.
  7. Evidence of monitoring or review. A description of how the adviser "evidences" any ongoing monitoring or review of electronic messaging, along with examples of relevant reports.
  8. Violations detected. A description of any violations of the electronic messaging policies and procedures or unauthorized use of electronic messaging found by the adviser during the review period, along with a description of the issues involved and actions taken.
  9. Summary of findings. This would be a summary of all findings associated with internal audits or compliance reviews related to the adviser’s use of electronic messaging, along with copies of written reports.
  10. Risk assessments. Copies of any risk assessments or risk identifications related to electronic messaging and how the adviser addresses these risks, including indicating which risks are moderate or high.
  11. Maintenance records. Whether the adviser maintains records of the devices and applications that are used for electronic messaging and by whom.
  12. Maintenance records methodology. How the adviser maintains required records relating to electronic messaging.
  13. Third-party vendors. Whether electronic messages are maintained by third-party vendors, along with a description of the process and a copy of any contracts with the vendor.
  14. Retention policies and procedures. Copies of any written policies and procedures related to the retention of electronic messaging.
  15. Transmittal of sensitive information written policies and procedures. Copies of written policies and procedures related to the transmittal of sensitive information, including non-public information and personal client information via electronic messaging.
  16. Informal policies and procedures on transmittal of sensitive information. A description of these in relation to electronic messaging.
  17. Written policies and procedures addressing security measures. Copies of such policies and procedures designed to ensure the security of sensitive information transmitted via electronic messaging.
  18. Informal policies and procedures addressing security measures. A description of these in relation to ensuring the security of sensitive information transmitted via electronic messaging.
  19. Known breaches. A description of any known breaches in securing information contained in electronic messages, as well as a description of actions taken in regard to those breaches.