Approaching Sarbanes-Oxley compliance and SEC rules.
As most financial advisors know, the Sarbanes-Oxley
Act (SOX) and SEC rules on electronic communication (such as SEC rule
17a-4) have produced new challenges and, potentially, increased
operational expenses. Depending on whether you are affiliated with a
broker-dealer or operate as an independent RIA, the increased workload
and corresponding expenses could prove to be a difficult hurdle to
overcome. The SEC issued an interpretative release in April 2000 that
further clarified the rules for the use of electronic media. One
interpretation, voiced by Stuart Roth, managing director of MPI
Professionals, a consulting firm that specializes in financial services
technology solutions, is that "compliance is not exclusively about
data, though quality data is critical to reaching your goal (of
appropriate compliance). What matters is not the data itself, but how
you manage the processes that define what you do with data." Simply
said, the financial practitioner is going to have to develop systems
and processes for handling, storing and retrieving electronic
communications that are both efficient and effective. And the
retrieved item must be shown to be in a largely unalterable
(tamper-proof) form.
If you work with a broker-dealer, they may impose a
predefined system or mandatory standard for you to follow. If you are
an independent RIA, you will need to either build a system or purchase
one. Either way, you may be required to prove that your system or
process for handling, storing and retrieving electronic communications
is unalterable. As an example, a .pst file or other public folder in
Microsoft Outlook is not compliant under the new regulations. For some,
this meant developing a system that could reproduce e-mails in PDF
format. However, recent clarifications by the SEC suggest that this may
not be enough. If you are clever enough, you may be able to figure out
how to alter a PDF, even if the document is protected.
Before you rush out to purchase a new, compliant
e-mail server for your office, consider the following numbers. If you
have an office with eight financial advisors who routinely use the
e-mail system, instant messaging, etc., it is likely that they each
might produce up to 15 to 20 outgoing e-mails per day. It is also
likely that the firm could be receiving a similar number of incoming
e-mails per day. Given this volume of communication, taking into
account the storage of instant messages and e-mail attachments, the
firm could be looking at storing as much as a whopping 62.4 gigabytes
of information per year in a secure unalterable form that can be
properly indexed and retrieved quickly. This raises enormous cost
implications, not to mention onsite storage headaches.
One obvious solution is to use a third-party source
for e-mail archiving and retrieval that has no vested interest in the
outcome (of an SEC or NASD audit, for instance) and can offer virtually
unlimited storage. Fortunately, a number of companies stand ready to
help with various product and service offerings.
iLumen (www.iLumen.com) offers a turnkey, high-end
e-mail management system called Assentor Mailbox Manager. Assentor is
designed for larger firms and broker-dealers to use with their financial
advisors, and it retains all the freedoms and benefits of a personalized
infinite mailbox. It stores company e-mails and builds a proprietary
indexing system for relatively easy retrieval of e-mails. For
compliance managers, Assentor permits word and phrase searches (lexical
analysis) that can be customized to look for specific key words or
phrases that might trigger potential compliance problems, such as the
words "guarantee" or "promise."
Fortiva (www.Fortiva.com) offers a similar set of
e-mail archiving and retrieval tools. However, like iLumen, Fortiva's
products are primarily designed for the larger firms.
ZipLip (www.ziplip.net) offers an e-mail archiving
and offsite storage and retrieval solution that can be used by smaller
firms or even the one-person shop. ZipLip offers such features as
pre- and post-review sampling, lexical analysis and screening, Exchange
and Notes journaling, offsite storage and instant message archiving,
among others.
Yet another company, LiveOffice Corp.
(www.advisormail.net) offers a unique ASP platform (Web-based) called
AdvisorMail. AdvisorMail is designed with robust e-mail, instant
messaging and attachment storage and retrieval tools that are easy to
use and can be fully customized to meet the needs of your organization.
If you are a smaller firm, the more affordable AdvisorMail Lite has
been designed to handle the unique needs of the smaller financial
practice while retaining the power of the full AdvisorMail system.
AdvisorMail claims to satisfy all SEC, NYSE and NASD regulatory
requirements for e-mail, instant messaging surveillance, archiving and
retrieval.
AdvisorMail stores every e-mail, attachment and
instant message sent or received by your firm. It stores e-mails and
instant messages in explicitly defined folders. It features filtering
and sorting tools that enable simple retrieval of archived data, and
creates a time-stamped audit trail for every e-mail and instant
message. On request, it can transfer data offline to client-designated
media such as a CD-ROM or DVD. With both pre- and post-review
compliance tools (similar to ZipLip), the firm can customize settings
to choose whether to quarantine an e-mail or allow it to be sent, while
placing a copy of it into a post-review file for later review.
One neat feature of AdvisorMail is its ability to automatically highlight
compliance violations within e-mails and attachments (for screen
review). There is also an easy process for approving or rejecting
e-mails that are flagged by the system.
With all of the products discussed above, when
offered as a Web-based solution, there is no software to load or
set up, and the system takes up virtually no space on a local server or
hard drive. Even though the cost of these solutions can run from
$200 per month upward, depending on the size of your firm, the amount of
storage required, etc., consider, if you will, the cost of not having
this kind of protection in place in the event of an SEC or NASD audit.
We have all heard the stories of Enron and Martha
Stewart. In the case of Banc of America Securities, in March 2004 the
SEC fined BAS for insider trading issues. However, the SEC also found
that BAS repeatedly failed to promptly furnish documents, including
internal e-mails, requested by its staff as part of the investigation.
BAS ultimately agreed to a $10 million civil penalty. The simple
fact is that these high-profile cases have prompted SEC and NASD
auditors to direct their attention now to smaller firms. Financial
advisors who fail to heed these warnings by ignoring the need for
proper e-mail archiving and retrieval systems are putting their
practices at great risk.
David Lawrence is a practice
efficiency consultant and is president of David Lawrence and
Associates, a practice consulting firm based in Lutz, Fla.
(www.efficientpractice.com).