Emails (as well as their attachments) fall under the regulatory definition of “written messages” and, therefore, are subject to the archiving requirements defined within the Books and Records Rule. Likewise, CCOs are expected to ensure that the content of these electronic communications remain within regulatory guidelines and consistent with the fiduciary standard to which they are held.
Email Archiving & Surveillance in a Nutshell
So what does your firm need to do with email? The Books and Records Rule for RIA firms states that “written messages” are subject to archiving requirements. Specifically, written messages must be kept (with some exceptions) for a period of five years, the most recent two of which must be stored on-site or immediately accessible from your office. (As is the case with all books and records, cloud-based systems that are accessible from on-site are considered "on-site".) Email messages that fall under the Books and Records Rule are those sent by employees of registered investment advisors that fall into any of these categories:
- Compliance Program
- Client Management
- Business Management
- Potentially others, depending on your firm’s specific business practices.
Email messages and attachments must be archived in a manner that preserves their original record state. It is the CCO's responsibility to ensure that all email records are maintained and protected from any alteration or destruction. Similar to your other books and records, regulators allow for cloud-based, electronic storage of email messages and attachments. The key is that you can demonstrate your ability to:
- reasonably safeguard them from loss, alteration or destruction,
- prevent unauthorized access from individuals outside your firm, and
- retrieve archived messages in their original recorded state based on keyword searches, employees and/or specific time frames.
While the Books and Records Rule requires that you keep copies of your email messages and attachments, there is no specific requirement to monitor or periodically search emails. With that said, your firm’s chief compliance officer (CCO) is expected to follow procedures to detect risks and prevent bad conduct, so it is considered a best practice to conduct some level of proactive surveillance.
CCOs would therefore want to implement some periodic review of the messages that are sent and received, so as to ensure compliance with SEC (or state) regulations, like adherence to your Code of Ethics and advertising constraints, among others. The frequency and depth of review should be based on the structure and complexity of your firm’s business.
Through the Regulator’s Eyes
Regulators will focus on two aspects of your email system: the quality of your archive, and your surveillance process. In their view, these tasks are designed to protect your business and clients from unauthorized access or disclosure of sensitive data, and also to ensure that your firm is actively monitoring its staff and addressing issues internally. Regulators expect you to be able to retrieve any email sent or received that may be used to substantiate your finances, support the decisions made on behalf of your clients, or validate that you are always adhering to your fiduciary duty.
Recently, the SEC Commissioners’ opinion has also clarified that a firm’s obligation to produce electronic records includes employees’ personal email messages, Instant Messages (IMs), text messages and personal computer hard drives when they are used for business purposes.
Thinking through an advisor complaint will help define the expectations that will be placed on your firm during an examination. Regulators are required to respond to every complaint lodged against an RIA, and in that response, they may request any and all emails sent and received between the firm and the client involved. As such, you want to be confident that those records exist and are ready to retrieve. A complete history of all communications through the past five years in a readily accessible archive will allow you to promptly respond to the regulator’s request and reach a resolution. Additionally, the regulators will wonder why it reached this point, and look to your policy and process of email surveillance and the business practices that surround them. Regulators want to ensure that you are reasonably monitoring your employees’ communications that are subject to the Books and Records Rule, to verify you have a satisfactory level of prevention to internally address potential issues before they escalate. In response, you will want to provide reports and supporting documentation of email surveillance performed by the firm.
Most states enforce the Books and Records requirement on registered investment advisors in a manner consistent with the SEC, but if you are under the oversight of state regulators, you’ll want to familiarize yourself with their requirements as well.
CCO Best Practices for Email Archiving & Surveillance
- Create another inventory list of all possible avenues of communication, including your company email system(s), CRM to the extent it can send and receive messages, social media websites, standard mail through a post office, text and instant messaging, cloud-based file sharing like Dropbox, and others.
- Consider creating an approved technology and device list, so as to limit unauthorized use of communications and limit the scope of your firm’s technology usage for the purposes of monitoring and regulatory examination. For example, requiring that business communications and documents are transmitted only through company-owned computers or devices.
- Don’t be surprised when regulators request to review personal email or messages sent, received or stored on personal devices, such as personal cell phones, so as to ensure that there is no business usage of those devices, and prepare your employees for those requests.
- Don’t approach email surveillance and archiving as a compliance chore. The best practice in the long term is to foster strong relationships between compliance and the individuals that are subject to your firm's compliance program. For instance, ensure that compliance is represented in any discussions related to operational or technology changes.
- Periodically conduct email surveillance by searching for keywords (e.g. “complaint”, “performance”, “guarantee”, “superior”, “great performance”, “guaranteed performance”).
- Integrate your email surveillance and archiving requirements into your firm’s technology architecture to generate a culture of compliance among your technology operations, and keep current with any changes in your technology policies and procedures.
- Perform due diligence on vendors that provide your firm with applicable communication streams, such as cloud-based email archiving service providers, to verify they have appropriate physical, electronic and procedural safeguards. Document the results of this due diligence and include it in your annual CCO report.
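The three archive capabilities listed earlier (safeguarding records from alteration, and retrieving them by keyword, employee or time frame) and the periodic keyword surveillance in the list above can be demonstrated together in a small script. The following is an added example, not code from the original post or from any archiving vendor: it assumes messages are captured as plain dictionaries, fixes a SHA-256 digest for each record at archive time so later alteration is detectable, and runs keyword, employee and date-range retrieval plus a surveillance scan over three constructed messages with fictional addresses and naive UTC timestamps.

```python
import hashlib
import json
import re
from datetime import datetime
from typing import Dict, List, Optional

# Fields that make up the record whose original state must be preserved.
RECORD_FIELDS = ("message_id", "sender", "recipients", "sent_at", "subject", "body")

# Review terms taken from the post's own example list.
SURVEILLANCE_KEYWORDS = ["complaint", "performance", "guarantee", "superior",
                         "great performance", "guaranteed performance"]


def record_digest(rec: Dict) -> str:
    """SHA-256 over a canonical serialisation of the record fields.

    Sorting keys and recipients makes the digest independent of capture order,
    so a recomputed digest differs only if the content itself changed.
    """
    payload = {k: rec[k] for k in RECORD_FIELDS}
    payload["recipients"] = sorted(payload["recipients"])
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode("utf-8")).hexdigest()


def archive_message(archive: Dict[str, Dict], rec: Dict) -> str:
    """Store a copy of the message with its digest fixed at archive time."""
    stored = {k: rec[k] for k in RECORD_FIELDS}
    stored["recipients"] = list(rec["recipients"])
    stored["sha256"] = record_digest(stored)
    archive[stored["message_id"]] = stored
    return stored["sha256"]


def verify_archive(archive: Dict[str, Dict]) -> List[str]:
    """IDs of records whose current content no longer matches the stored digest."""
    return sorted(mid for mid, rec in archive.items() if record_digest(rec) != rec["sha256"])


def search(archive: Dict[str, Dict], keyword: Optional[str] = None,
           employee: Optional[str] = None, start: Optional[str] = None,
           end: Optional[str] = None) -> List[str]:
    """Retrieve message IDs by keyword, employee address and/or ISO date range."""
    start_dt = datetime.fromisoformat(start) if start else None
    end_dt = datetime.fromisoformat(end) if end else None
    hits = []
    for mid, rec in archive.items():
        sent = datetime.fromisoformat(rec["sent_at"])
        parties = {rec["sender"].lower(), *(r.lower() for r in rec["recipients"])}
        if employee and employee.lower() not in parties:
            continue
        if start_dt and sent < start_dt:
            continue
        if end_dt and sent > end_dt:
            continue
        text = rec["subject"] + "\n" + rec["body"]
        if keyword and not re.search(re.escape(keyword), text, re.IGNORECASE):
            continue
        hits.append((sent, mid))
    return [mid for _, mid in sorted(hits)]  # oldest first


def surveillance_scan(archive: Dict[str, Dict],
                      keywords: List[str] = SURVEILLANCE_KEYWORDS) -> Dict[str, List[str]]:
    """Map message ID -> review terms found (whole-word, case-insensitive)."""
    flagged = {}
    for mid, rec in archive.items():
        text = rec["subject"] + "\n" + rec["body"]
        matched = [kw for kw in keywords
                   if re.search(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE)]
        if matched:
            flagged[mid] = matched
    return flagged


def build_sample_archive() -> Dict[str, Dict]:
    """Three constructed messages (fictional addresses, naive UTC timestamps)."""
    archive: Dict[str, Dict] = {}
    for rec in [
        {"message_id": "m1", "sender": "alice@examplefirm.test",
         "recipients": ["client.one@example.test"], "sent_at": "2023-03-10T09:15:00",
         "subject": "Portfolio review",
         "body": "Thanks for meeting. Your portfolio is up 4% this quarter; "
                 "past performance is not indicative of future results."},
        {"message_id": "m2", "sender": "bob@examplefirm.test",
         "recipients": ["client.two@example.test"], "sent_at": "2023-06-02T14:40:00",
         "subject": "Re: Fund selection",
         "body": "This fund has delivered superior returns and I can guarantee "
                 "you will be pleased."},
        {"message_id": "m3", "sender": "client.one@example.test",
         "recipients": ["alice@examplefirm.test"], "sent_at": "2024-01-15T11:05:00",
         "subject": "Question about fees",
         "body": "Could you send me the fee schedule for the new account?"},
    ]:
        archive_message(archive, rec)
    return archive


if __name__ == "__main__":
    arch = build_sample_archive()
    print("tampered records:", verify_archive(arch))
    print("keyword 'performance':", search(arch, keyword="performance"))
    print("employee alice:", search(arch, employee="alice@examplefirm.test"))
    print("flagged for review:", surveillance_scan(arch))
```

The per-record digest makes alteration detectable but does not by itself prevent it; in practice the digests (or a chained hash over them) would be kept on storage the mail administrators cannot write to, which is the kind of safeguard to ask an archiving vendor about during due diligence. The surveillance scan deliberately uses whole-word matching so that a term like “guarantee” does not also flag “guaranteed”; whether that is desirable depends on how the firm wants to tune its review list.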
The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program. Each post will provide an overview of one compliance topic, including our insights on how regulators view each topic as well as some practical steps to help Chief Compliance Officers address this topic. As always, we would welcome your comments and thoughts.
Michael D. Conlon
Photo Courtesy of: http://www.flickr.com/photos/epublicist/