The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) just delivered a holiday and new year greeting to registered investment advisers … just in case the volatile markets were not enough to keep you on your toes! On December 14th, OCIE issued a Risk Alert related to electronic messaging and on December 20th released its 2019 examination priorities. It may be the busiest time of the year, but when OCIE talks, it is worth listening!
Risk Alert – Observations from Adviser Exams Relating to Electronic Messaging
On December 14, 2018, OCIE issued a Risk Alert to share the results of its limited-scope examination initiative of registered investment advisers. The initiative sought an understanding of enterprise and employee use of various forms of electronic messaging. The Risk Alert addresses the regulatory risks attendant to the use of electronic messaging and the challenges confronting advisers and their employees when complying with the Investment Advisers Act. OCIE was compelled to dig into electronic messaging after noticing the increased use of social media, texting, and other types of electronic messaging apps, and the pervasive use of mobile and personally owned devices for business purposes.
The Risk Alert cited Books and Records Rule 204-2 and Compliance Rule 206(4)-7 as the backdrop to evaluate adviser compliance with the Investment Advisers Act. The Commission reiterated that effective compliance risk management relies upon effective policies, ongoing employee training, robust supervision, and appropriate knowledge and control of electronic devices which the adviser and its personnel use to communicate and conduct business. The following practices are highlighted in the Risk Alert as appropriate internal controls to adopt pursuant to sound compliance risk management.
Policies and Procedures
Pursuant to client and business communications, the SEC expects advisers to adopt and implement effective policies, procedures, and internal controls that:
- Permit only those forms of electronic business communication that the adviser can retain and monitor
- Prohibit technologies and applications that enable anonymous communications and automatic message destruction
- Direct employees to migrate communications from prohibited venues to sanctioned systems … for example, providing instructions for the migration of a social media communication onto the adviser’s email system to ensure compliance
- Govern employee use and adviser supervision of personal devices for social media, instant messaging, texting, personal email, personal websites, and information security
- Make clear that policy violations are taken seriously and can lead to sanctions and/or dismissal
Policies and procedures alone are not enough. The Staff has repeatedly emphasized the importance of training and education of employees on matters related to the adviser’s compliance risk profile and implementation of the compliance program. This education may include general instruction regarding the importance of the employee’s role in achieving a compliant culture (e.g., certifications to the Code of Ethics) or may entail awareness campaigns which focus upon specific risk sets which challenge the adviser, such as cyber risk.
Supervisory procedures are vital to ongoing compliance, particularly as the adviser’s risk profile evolves due to changes in the business model or as a result of the evolution of at-risk business practices such as electronic messaging.
Advisers are urged to leverage software which can substantially improve the adviser’s internal control protocol. Internal controls are designed to ensure that policy and procedure remain relevant to the adviser’s compliance risk profile. Monitoring and measuring are the primary internal control attributes which are to be used by the adviser to facilitate compliance with communication and books and records regulatory requirements. These requirements include the adviser’s capability to monitor and retain all employee communications related to the adviser’s business, without exception.
The capability to flag content changes and key words is cited in the Risk Alert as a sound compliance practice. Running regular Internet searches or setting up automated alerts to flag the adviser’s and employees’ names online are cited as best practices. OCIE encourages advisers to instruct employees to escalate online behavior of a questionable nature as a means to create a compliant culture.
Integral to attaining awareness of employee communication habits is the implementation of a personal device internal control wherein the adviser inventories and authorizes all personal devices to be used when communicating about the business of the adviser. Remote access controls as well as software that pushes security patches, blocks certain sites, and wipes devices should be considered.
It bears repeating that Risk Alerts have become a popular mechanism for the SEC to educate registered firms and their personnel. Forewarned is forearmed!
Follow this link to view the Risk Alert.
2019 Examination Priorities
On December 20, 2018, OCIE issued its 2019 examination priorities … about 30 days earlier than usual. After examining 17% of federally registered advisers in fiscal year 2018, the Staff has set their priority list for 2019. The preview of exam priorities outlined below is worth reading but remember that this list does not encompass all examination areas of focus. In 2019, OCIE will continue to prioritize issues it believes present heightened risk to investors and the integrity of the U.S. capital markets.
OCIE’s latest exam themes include:
- Matters of importance to retail investors, including seniors and those saving for retirement
- Compliance and risk in registrants responsible for critical market infrastructure
- Select areas and programs of FINRA and MSRB
- Digital Assets
- Anti-Money Laundering
Below we highlight only those areas of greatest interest to our investment advisory clients but encourage all registrants to carefully review the full range of exam priorities.
Once again, protecting retail investors remains a top priority for OCIE in 2019. Areas of specific focus will include:
- Adequacy of fee and expense disclosures
- Consistency of fee assessment practices with client agreements
- Conflicts of interest inherent in mutual fund share class selection
- Wrap fee programs, including brokerage practices and disclosures
- Adviser use of affiliated service providers and products
- Appropriateness of recommendations to seniors and the supervision of personnel working directly with seniors
- Suitability of investment and trading strategies relative to meeting client needs
Given the significant growth and risks apparent in the digital asset market, OCIE will continue to monitor the offer and sale, trading, and management of digital assets, and where the products are securities, examine for regulatory compliance. For firms actively engaged in the digital asset arena, OCIE will conduct examinations focused on portfolio management of digital assets, trading, safety of client funds and assets, pricing of client portfolios, compliance, and internal controls.
Cybersecurity is teed up for another year in the regulatory spotlight, albeit without a new SEC cybersecurity rule. The SEC continues to scrutinize adviser cybersecurity risk management efforts in the context of current privacy rules and SEC issued guidance and alerts which the Commission has relied upon to prosecute civil enforcement actions. Advisers are required to proactively identify and manage cybersecurity risks. In this regard, 2019 examinations will focus on:
- Proper configuration of network storage devices
- Information security governance generally, and policies and procedures related to retail trading information security
- Cybersecurity practices at advisers with multiple branch offices, including those that have recently merged with other investment advisers
- Governance and risk assessment
- Access rights and control
- Data loss prevention
- Vendor management
- Incident response
OCIE continues to strive for transparency as it seeks to fulfill its mission to promote compliance, prevent fraud, identify, and monitor risk, and inform SEC policy. Review OCIE’s 2019 Priorities here: https://www.sec.gov/files/OCIE%202019%20Priorities.pdf.