SEC’s Recent Enforcement Sweeps Targeting Off-Channel Communications of Fund Advisers
In this time of continuing digital transformation, the use of smartphones and messaging apps, such as WhatsApp, Signal, iMessage, Facebook Messenger, WeChat, and Telegram, has become increasingly popular in business practice. The COVID-19 pandemic, which reinforced working from home, further elevated the use of personal devices for business. From a compliance standpoint, allowing employees to use personal devices and messaging apps for work communications triggers a number of legal and regulatory concerns.
1. SEC’s Recent Enforcement Sweeps against Fund Advisers and Industry Response
In early February 2023, a number of news outlets reported that, in a targeted sweep, the SEC had recently asked a number of large and well-established private equity and hedge fund firms to review their employees’ cell phone messages to determine whether such employees conduct investment advisory business through text messages or messaging apps on platforms or devices that are not authorized or preserved by such advisers, often referred to as “Off-Channel Communications.”
The SEC previously focused on Off-Channel Communications in its October 2022 enforcement sweep when it sent requests to multiple SEC-registered investment advisers (“RIAs”) regarding their policies and procedures for Off-Channel Communications. On January 31, 2023, ten trade associations including Managed Funds Association, National Venture Capital Association, Investment Company Institute, and American Investment Council wrote a joint letter to SEC Chair Gary Gensler to lobby against such sweep (the “Industry Letter”).
2. Nuanced Changes
Since 2021, preservation of Off-Channel Communications has become an enforcement priority of the SEC. On a number of occasions in 2021 and 2022, the SEC charged certain broker-dealers for failure to preserve such communications, imposing record-high penalties for such violations.
The Off-Channel Communications sweeps against multiple RIAs noted above were conducted on the heels of these charges against broker-dealers. In the past, the SEC typically conducted examinations of RIAs’ electronic recordkeeping or discovered recordkeeping deficiencies for Off-Channel Communications when investigating RIAs in connection with other securities law violations; this time, the SEC’s enforcement sweeps directly targeted RIAs’ recordkeeping compliance of Off-Channel Communications.
3. Regulatory Complexities for Fund Advisers
(1) RIAs’ Communication Recordkeeping Obligations under the Advisers Act
Rule 204-2 (the “Books and Records Rule”) under the Investment Advisers Act of 1940, as amended (the “Advisers Act”) requires an RIA to keep originals and/or copies of certain enumerated books and records relating to its investment advisory business.
Communications required to be maintained under the Books and Records Rule include (a) originals of written communications received, and copies of written communications sent, by an RIA relating to (i) investment advisory communications and advice, (ii) receipt, disbursement or delivery of funds or securities, (iii) placing or execution of any order to purchase or sell any security, and (iv) predecessor performance and the performance or rate of return of investments or securities recommendations (with limited exceptions); and (b) copies of communications that the RIA disseminates directly or indirectly to ten or more persons (other than persons associated with such RIA). An RIA is required to maintain and preserve the above communications in an easily accessible place for at least five years, with the first two years in an appropriate office of the RIA.
Rule 206(4)-7 under the Advisers Act (the “Compliance Rule”) requires an RIA to (i) adopt written policies and procedures reasonably designed to prevent violations of the Advisers Act by the RIA and its supervised persons, (ii) conduct an annual review of such policies, and (iii) designate a Chief Compliance Officer.
Section 203(e)(6) of the Advisers Act (the “Supervision Section”) authorizes the SEC to sanction an RIA if the RIA or any of its associated persons has failed reasonably to supervise supervised persons in an appropriate manner designed to avoid violations of certain federal regulations such as the Advisers Act.
(2) Different Compliance Standards between Broker-Dealers and RIAs
In the Industry Letter, the associations argued that, unlike broker-dealers, RIAs are not required to preserve all communications relating to their “business as such.” Rather, with respect to communications, RIAs are required to preserve only such business information enumerated under the Books and Records Rule, arguably limiting the SEC’s authority to access certain communications.
The Industry Letter also voiced concerns as to whether an RIA’s breach of its more stringent internal recordkeeping policy would constitute an Advisers Act violation. Ambiguities could be better resolved through regulatory guidance, after input from industry participants; in addition, the principle of proportionality envisages proper enforcement alternatives.
(3) Special Challenges: “Originals” for Electronic Communications
Written communications received by an RIA that are required to be retained under Rule 204-2(a)(7) should be “originals” of such communications, which may pose special challenges for electronic communications received by the RIA’s employees on their personal devices.
(4) Bearings on Different Parties
In the event an RIA allows its employees to use text messages or messaging apps to conduct business on their personal devices, the RIA will need to take more proactive measures to ensure such communications do not compromise the RIA’s compliance with its regulatory and contractual obligations, as well as its business interests, including:
- obligations under Regulation S-P and Regulation S-ID to protect the confidentiality of individual investors’ and customers’ personal information;
- contractual obligations to protect certain counterparty confidential information;
- the SEC’s requirements under the Books and Records Rule for proper preservation of regulated messaging communications of current and former employees;
- employees’ privacy under federal regulations, such as the Computer Fraud and Abuse Act and the Stored Communications Act, and applicable state laws; and
- the RIA’s need to protect its own intellectual property and trade secrets stored in its employees’ personal devices.
4. Getting Prepared: The Time is Now
The SEC requires that RIAs appropriately conduct their business communications within only “official” channels, maintain those channels, preserve necessary records and, upon SEC request, be able to access and provide relevant records.
RIAs may define their “official” channels differently. For example, certain RIAs may prohibit altogether the use of text messages or messaging apps for business communications. Other RIAs may provide business phones and/or computers to employees for business related communications. Still other RIAs may allow employees to use personal devices under their “bring your own device” policies. Different approaches bring distinct recordkeeping challenges and may impact business operations in varied ways.
In light of growing SEC scrutiny, the following are a few suggestions for RIAs.
(1) Follow Current Rules
RIAs should ensure their policies and practice regarding electronic communications comply with all applicable regulatory requirements, especially the Books and Records Rule, the Compliance Rule and the Supervision Section.
(2) Learn from Common Deficiencies
Common deficiencies identified in the SEC’s previous enforcement actions include: (i) broker-dealers had adopted policies but failed to monitor the proper implementation of and adherence to such policies; (ii) supervisors failed to supervise other employees, or the supervisors themselves violated such policies; and (iii) broker-dealers did not properly preserve electronic communications. RIAs should examine the adequacy and effectiveness of their policies and determine whether they should be revised and/or implemented and enforced more stringently.
(3) Adopt Best Practices
On December 14, 2018, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert regarding RIAs’ electronic messaging. The risk alert provided a list of best practices in terms of (i) policies and procedures (for example, prohibiting business use of apps that can be readily misused; guiding employees to move messages from unauthorized platforms to authorized platforms; and informing employees that violations may result in discipline or dismissal); (ii) employee training and attestations at the commencement of employment and regularly thereafter; (iii) supervisory review (for example, contracting with software vendors to monitor and archive employees’ business communications; and establishing a reporting program to encourage employees to report each other’s noncompliance); and (iv) control over devices (for example, loading security software and requiring employees to obtain prior IT approval before using personal devices or apps for business communications; and allowing employees to use personal devices or apps only by virtual private networks or other security apps to help protect the RIAs’ servers from hackers or malware).
(4) Learn from Remedial Measures
In response to the SEC’s enforcement charges, the charged broker-dealers agreed to retain a compliance consultant who would, among other things, conduct comprehensive reviews of their (i) policies and procedures regarding retention of electronic communications on personal devices; (ii) training dedicated to ensure personnel are complying with preservation requirements of electronic communications, including those on personal devices; and (iii) frameworks for addressing non-compliance by their employees. RIAs with questions regarding the efficacy of their current policies and procedures, or how best to monitor ongoing compliance with such policies and procedures, should consider engaging a compliance consultant.
(5) Prepare for the Unprepared
Areas of inquiry included in the SEC’s previous sweeps and examinations include: (i) a review of the RIA’s organizational structure, especially names of personnel who are covered in the RIA’s Form ADV brochure supplement and their direct reports, and personnel in charge of making investment decisions, communicating with investors and executing transactions; (ii) the sufficiency of the RIA’s documented policies and procedures regarding “official” channels for personnel to conduct business-related communications; (iii) the adequacy of the RIA’s preservation of its communications; and (iv) the sufficiency of documentation evidencing the RIA’s annual review of its policies and procedures.
In the event an RIA is a subject of an SEC inquiry, the response can be time-consuming and costly, and confidential information (belonging to the RIA, its employees, investors, clients and/or third parties) stored in employees’ personal devices may be subject to forensic imaging. When RIAs formulate their policies and procedures, it is important to bear such potential risks in mind.
Digital transformation, remote work and client preference may render the use of text messages or messaging apps unavoidable in an RIA’s business. The SEC’s strong focus on Off-Channel Communications is ongoing ― even if the direct sweeps slow or discontinue, the SEC may nevertheless request an RIA’s electronic records when conducting examinations and/or investigating other violations. Accordingly, all RIAs are well advised to conduct a comprehensive review of their current policies to ensure they are appropriate for their operations and employee communications.
BulletPoint® is a newsletter of Tannenbaum Helpern Syracuse & Hirschtritt LLP’s Investment Management practice. It is an alert covering recent regulatory and tax developments impacting the financial services industry. To subscribe for the newsletter, send email to email@example.com.