Electronic Communications Monitoring – A No-Brainer for CCOs
In the five months since the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued request letters to registrants focused on advisers’ use of electronic communications, compliance officers have been reviewing their policies and procedures, determining how employees are using third-party communications platforms to conduct firm business, and ensuring adequate archival and retention of electronic records.
Several of the requests focused on monitoring of firm electronic communications. OCIE sought information related to compliance processes for ongoing monitoring and review of electronic messaging, as well as documentation around any such monitoring, explicitly including relevant exception reports and summaries of any findings. These requests indicate that registrants should incorporate review of electronic communications into their supervisory procedures if they have not done so already. This marks a shift from the notion of electronic communications reviews as a “best practice” to a perceived expectation of the regulator.
If that is not motivation enough, the review of electronic communications, in ACA’s opinion, is a “no brainer” for compliance officers for a wide range of reasons:
Electronic Communications Reviews Can Help Drive the Firm’s “Culture of Compliance”
In conducting electronic communications review, the majority of communications “flagged” are non-material compliance issues that present an opportunity for the Chief Compliance Officer to follow up with an employee regarding a compliance-related policy or procedure. For example, a CCO or outsourced reviewer may see an email indicating that an employee forwarded an article to a personal email address. While this may not be considered a required record, it serves as an opportunity for the CCO to remind the employee of the firm’s policy regarding use of personal email for work-related communications. In another example, perhaps an instant message is flagged due to casual mention of a golf outing that was attended recently. This presents a chance to follow up with the employee to ensure that the event was properly vetted or reported per firm gifts and entertainment policies, to the extent applicable. Over time, each of these instances serves to remind employees of the level of importance the firm places on its compliance policies and, in turn, drives the overall “culture of compliance,” a term frequently utilized by the regulator.
Conducting Ongoing Reviews Can Help Registrants Prepare for an Examination
During the course of an examination, an adviser can reasonably expect that OCIE will request certain electronic communications in either the initial request or a supplemental request. Sometimes these requests are narrow in scope and limited to a particular phrase or employee, but other times the requests can be broad and expansive, covering most, if not all, firm employees. When it comes to examinations, it is better to be ahead of any potential issues (to the extent possible) so a response can be prepared and the firm is not caught off guard. Ongoing monitoring of electronic communications gives compliance officers a mechanism to (i) determine how employees are utilizing electronic communications to conduct firm business on an ongoing basis, (ii) address any potential concerns in real time, and (iii) continuously adjust actions so as to deter any future misuse of firm communications platforms. Additionally, now that the evidence of such reviews has been requested by the regulator, compliance officers who conduct these reviews and document their methodology and findings can rest assured knowing they will not have to scramble to the extent such a request is made during their firm’s examination.
Electronic Communications Compliance Reviews are an Excellent Tool for Monitoring Firm Risks
Rule 206(4)-7 requires each investment adviser registered with the SEC to establish and maintain policies and procedures reasonably designed to prevent violations of the Advisers Act, and according to guidance released in May 2006, such policies and procedures should be based on each adviser’s unique set of risks. When it comes to quality control and forensic testing specifically, the SEC asks if advisers “conduct periodic tests to detect instances in which your policies and procedures may be circumvented or where there may have been attempts to take advantage of the gaps in your policies or procedures.” The review of electronic communications is arguably the most effective tool in determining whether or not employees are trying to circumvent firm policies. As the use of informal messaging (e.g., Slack, Skype, text messaging) increases, communications tend to become more casual in nature. The lessons taught about e-mail conduct may not necessarily naturally extend to the more casual communications of employees. Compliance officers should train employees on the implications of every type of communication approved for business purposes and conduct reviews to ensure compliance with firm policies and procedures.
Compliance reviews of electronic communications seem to be a “no brainer.” The regulator is requesting not only documentation around reviews conducted by compliance but also the communications themselves. Risks associated with unauthorized use of electronic communications grow every day with the seemingly nonstop introduction of new platforms and technologies. Compliance officers can utilize reviews to drive the firm’s “culture of compliance,” monitor firm risks, review policies and procedures, and tailor the compliance program on an ongoing basis.