Approaching Sarbanes-Oxley compliance and SEC rules.
As most financial advisors know, the Sarbanes-Oxley Act (SOX) and SEC rules on electronic communication (such as SEC rule 17a-4) have produced new challenges and, potentially, increased operational expenses. Depending on whether you are affiliated with a broker-dealer or operate as an independent RIA, the increased workload and corresponding expenses could prove to be a difficult hurdle to overcome. The SEC issued an interpretative release in April 2000 that further clarified the rules for the use of electronic media. One interpretation, voiced by Stuart Roth, managing director of MPI Professionals, a consulting firm that specializes in financial services technology solutions, is that "compliance is not exclusively about data, though quality data is critical to reaching your goal (of appropriate compliance). What matters is not the data itself, but how you manage the processes that define what you do with data." Simply said, the financial practitioner is going to have to develop systems and processes for handling, storing and retrieving electronic communications that are both efficient and effective. And, the retrieved item must be shown to be in a largely unalterable form (tamper-proof).
If you work with a broker-dealer, they may impose a predefined system or mandatory standard for you to follow. If you are an independent RIA, you will need to either build a system or purchase one. Either way, you may be required to prove that your system or process for handling, storing and retrieving electronic communications is unalterable. As an example, a .pst file or other public folder in Microsoft Outlook is not compliant under new regulations. For some, this meant developing a system that could reproduce e-mails in PDF format. However, recent clarifications by the SEC suggest that this may not be enough. If you are clever enough, you may be able to figure out how to alter a PDF, even if the document is protected.
Before you rush out to purchase a new, compliant e-mail server for your office, consider the following numbers. If you have an office with eight financial advisors who routinely use the e-mail system, instant messaging, etc., it is likely that they each might produce up to 15 to 20 outgoing e-mails per day. It is also likely that the firm could be receiving a similar number of incoming e-mails per day. Given this volume of communication, taking into account the storage of instant messages and e-mail attachments, the firm could be looking at storing as much as a whopping 62.4 gigabytes of information per year in a secure unalterable form that can be properly indexed and retrieved quickly. This raises enormous cost implications, not to mention onsite storage headaches.
One obvious solution is to use a third-party source for e-mail archiving and retrieval that has no vested interest in the outcome (of an SEC or NASD audit, for instance) and can offer virtually unlimited storage. Fortunately, a number of companies stand ready to help with various product and service offerings.
iLumen (www.iLumen.com) offers a turnkey, high-end e-mail management system called Assentor Mailbox Manager. Assentor is designed for larger firms or broker-dealers to use with their financial advisors, while retaining all the freedoms and benefits of a personalized infinite mailbox. It stores company e-mails and builds a proprietary indexing system for relatively easy retrieval of e-mails. For compliance managers, Assentor permits word and phrase searches (lexical analysis) that can be customized to look for specific key words or phrases that might trigger potential compliance problems, such as the words "guarantee" or "promise."
Fortiva (www.Fortiva.com) offers a similar set of e-mail archiving and retrieval tools. However, like iLumen, Fortiva's products are primarily designed for the larger firms.
ZipLip (www.ziplip.net) offers an e-mail archiving and offsite storage and retrieval solution that can be used by smaller firms or even the one-person shop. ZipLip offers such features as pre- and post-review sampling, lexical analysis and screening, Exchange and Notes journaling, offsite storage and instant message archiving, among others.
Yet another company, LiveOffice Corp. (www.advisormail.net), offers a unique ASP (Web-based) platform called AdvisorMail. AdvisorMail is designed with robust e-mail, instant messaging and attachment storage and retrieval tools that are easy to use and can be fully customized to meet the needs of your organization. If you are a smaller firm, the more affordable AdvisorMail Lite has been designed to handle the unique needs of the smaller financial practice while retaining the power of the full AdvisorMail system. AdvisorMail claims to satisfy all SEC, NYSE and NASD regulatory requirements for e-mail, instant messaging surveillance, archiving and retrieval.
AdvisorMail stores every e-mail, attachment and instant message sent or received by your firm. It stores e-mails and instant messages in explicitly defined folders. It features filtering and sorting tools that enable simple retrieval of archived data, and creates a time-stamped audit trail for every e-mail and instant message. On request, it can transfer data offline to client-designated media such as a CD-ROM or DVD. With both pre- and post-review compliance tools (similar to ZipLip), the firm can customize settings to choose whether to quarantine an e-mail or allow it to be sent, while placing a copy of it into a post-review file for later review.
One neat feature with AdvisorMail is its ability to autohighlight compliance violations within e-mails and attachments (for screen review). There is also an easy process for approval or rejection of e-mails that are flagged by the system.
With all of the products discussed above, when offered as a Web-based solution, there is no software to load or set up, and the system takes up virtually no space on a local server or hard drive. Even though the cost of these solutions could be $200 per month or more depending on the size of your firm, amount of storage required, etc., consider, if you will, the cost of not having this kind of protection in place in the event of an SEC or NASD audit.
We have all heard the stories of Enron and Martha Stewart. In the case of Banc of America Securities, in March 2004 the SEC fined BAS for insider trading issues. However, the SEC also found that BAS repeatedly failed to promptly furnish documents, including internal e-mails, requested by its staff as part of the investigation. BAS ultimately agreed to a $10 million civil penalty. The simple fact is that these high-profile cases have prompted SEC and NASD auditors to now direct their attention to smaller firms. Financial advisors who fail to heed these warnings by ignoring the need for proper e-mail archiving and retrieval systems are putting their practices at great risk.
David Lawrence is a practice efficiency consultant and is president of David Lawrence and Associates, a practice consulting firm based in Lutz, Fla.