FYI: OCIE has issued a Risk Alert on electronic messaging aimed at reminding IAs of their obligations in light of the increased use of various types of messaging for business-related communications.
The Risk Alert does NOT address firm email, as firms now have decades of experience with that. Rather, the Risk Alert focuses on electronic messaging occurring OUTSIDE the normal firm email system and which could therefore pose greater compliance risks, such as private email, texting, IMs, personal or private messaging through social media, etc., taking place on any firm or personal devices.
From the Risk Alert, it is clear that OCIE expects IAs to be taking steps necessary to properly maintain compliance in this arena, specifically mentioning the Advisers Act Books and Records Rule, the Advertising Rule and the Compliance Rule, as well as cyber security and privacy.
Based on the Risk Alert, it could be gleaned that IAs are expected:
–to understand how personnel (including independent contractors) are using electronic messaging for firm business and through what media and devices.
–to specifically permit and/or specifically prohibit various forms of messaging, depending on how the firm’s systems work in order to make sure the firm can capture, regularly review and properly preserve communications as necessary.
–to inform, train, remind, engage with, get attestations from and take action against personnel as necessary to adequately create, monitor and enforce the firm’s messaging policies and procedures.
–to use outside vendors as necessary to regularly monitor and capture messages, to the extent that personnel are permitted to use outside platforms, devices or systems for messaging.
–to be proactive in overseeing messaging, which might include doing things like running regular Internet searches for impermissible activity, monitoring popular social media sites, loading security apps on firm or permitted personal devices, or setting up an internal reporting mechanism so personnel can confidentially report concerns about their colleagues’ messaging activities.
The Risk Alert contains a list of practices OCIE has observed that may help IAs (and brokers) to meet their obligations in this arena and, for that reason alone, is well worth a read.
* * *