SEC Sanctions Warn Investment Firms That Good Intentions Aren’t Enough on Messaging Apps

Employee use of messaging services and communication tools such as WhatsApp, Signal and Telegraph, as well as personal text messages and private emails, are a significant compliance issue for investment firms, as the tools are difficult to preserve as books and records.

The SEC has recently sanctioned multiple firms and is investigating others over preservation practices related to apps, and it’s likely this will remain an area of emphasis for the SEC and state regulators.

In at least one instance, a firm was sanctioned despite having adopted policies and procedures that banned unapproved devices, strictly prohibited services such as WhatsApp, and clearly instructed employees to use only company hardware and software for business matters.

The SEC believed that despite having these policies in place, the firm had failed in implementation because supervisors did not also take active steps to prevent and detect employees’ use of messengering platforms to ensure that recordkeeping and communications policies were being followed.

Review the risks, then revise the policies

Given the recent emphasis on these issues, firms should review the SEC’s Office of Compliance Inspections and Examinations risk alert relating to electronic recordkeeping.

While the risk alert doesn’t constitute a “safe harbor,” it does provide helpful guidance that adviser firms should consider adopting when designing policies and procedures.

Based on this SEC guidance, companies should:

• Permit only those forms of electronic communication for business purposes that the adviser determines can be used in compliance with the books and records requirements of the Advisers Act.
• Specifically prohibit business use of apps and other technologies that can be readily misused because they allow an employee to communicate anonymously, allow for automatic destruction of messages, or prohibit third-party viewing or backup.
• Require in-firm procedures that in the event an employee receives a message via a prohibited form of communication, the employee must move those messages to another electronic system that the adviser determines can be used in compliance with its books and records obligations. The policy should include specific instructions to employees on how to do so.
• Adopt and implement policies and procedures addressing advisers’ use of personally owned mobile devices for business purposes.
• Adopt and implement policies and procedures for the monitoring, review and retention of electronic communications for business purposes via social media, personal email accounts, or personal websites.
• Include a statement in policies and procedures informing employees that violations may result in discipline or dismissal.

The risk alert also provides some suggestions for supervisory review, including:

• For advisers who permit use of social media, personal email, or personal websites for business purposes, contracting with software vendors to monitor posts, emails, or websites; archive such business communications to ensure compliance with record retention rules; and ensure that they have the capability to identify any changes to content and compare postings to a lexicon of keywords and phrases.
• Regularly reviewing popular social media sites to identify if employees are platforms in a way not permitted by the adviser’s policies. Such policies include prohibitions on using personal social media for business purposes or using it outside of the vendor services the adviser uses for monitoring and record retention.
• Running regular internet searches or setting up automated alerts to notify the adviser when an employee’s name or the adviser’s name appears on a website to identify potentially unauthorized advisory business being conducted online.
• Establishing a reporting program or other confidential means by which employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications. Particularly with respect to social media, colleagues may be connected or friends with each other and see questionable or impermissible posts before compliance staff notes them during any monitoring.

In addition, when dealing with personal devices, companies should implement steps such as barring employees from using any unapproved personal devices and limiting access to company systems from personal devices, pre-installing security and compliance apps on such personal devices, and only allowing remote access to company files through a VPN or other secure network.

And make sure it sticks

From an employee training perspective, the risk alert recommends requiring personnel to complete training on the adviser’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging and electronic apps and the adviser’s disciplinary consequences of violating these procedures; obtaining attestations from employees at the commencement of employment with the adviser and regularly thereafter as to such training; and providing regular reminders to employees of what is permitted and prohibited.

Given recent guidance from the SEC that this will continue to be an area of focus for enforcement, it is important for advisers to review recent SEC enforcement actions as well as the risk alert and to update as needed any policies and procedures relating to personal electronic devices and electronic messaging. This will be a critical area going forward, and firms that do not devote the necessary attention to these issues are putting themselves at risk.

Firms must consider their specific operations when assessing risks and compliance issues, as no one size fits all in this context. Firms will need to focus on the supervisory aspects of adopting and enforcing these policies, as the SEC has made clear that they may view non-compliance as a supervisory issue.

As private messaging services and other means of communication proliferate, firms must be willing to update their policies as needed to address changes in technology.