OCIE Risk Alert Relating to Electronic Messaging

On December 14, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert to remind registered advisers of their compliance obligations when using various forms of electronic messaging — including text messaging, instant messaging and personal or private email — to conduct business. The Risk Alert follows OCIE’s limited-scope examination initiative to understand the forms of electronic messaging used by registered advisers and their personnel and the associated risks and compliance challenges. 

Based on findings during its exam initiative, OCIE identified suggested improvements to registered advisers’ systems, policies and procedures to help advisers comply with the Advisers Act books and records rule and other compliance obligations, including:

• permitting only forms of electronic communication for business purposes that can be retained in compliance with the books and records rule;
• prohibiting business use of apps and other technologies that allow for anonymous communication, prohibit third-party backup or automatically destroy messages;
• requiring employees to move business-related messages received using a prohibited platform to an approved electronic system;
• where an adviser allows the use of personal mobile devices for business purposes, adopting and implementing written policies and procedures regarding the use of and information security on such devices;
• adopting and implementing policies and procedures regarding the use of social media, personal email accounts and personal websites for business purposes, providing related training and requiring attestations of compliance;
• contracting with software vendors to monitor and archive social media posts, emails or personal websites used for business purposes, where permitted by the adviser, and regularly review popular social media sites and run Internet searches to identify potential unauthorized advisory business being conducted online; and
• requiring employees to obtain prior approval, load certain security apps or other software or use virtual private networks in order to access the adviser’s email servers or other business applications from devices.

In light of the SEC’s continued focus on electronic messaging, registered advisers should consider their existing policies and procedures in light of the risks and concerns set forth in the Risk Alert.

If you have any questions about the matters addressed in this Kirkland AIM, please contact the following Kirkland attorneys or your regular Kirkland contact.