The Securities and Exchange Commission may not care how many selfies advisors post on Snapchat. But the agency definitely expects advisory firms to know and have solid controls in place regarding any electronic communications that are reaching customers.
As a new alert from the SEC Office of Compliance Inspections and Examinations makes clear, examiners are paying close attention to advisors and staff who text, send instant messages and use personal emails to communicate with clients. The National Exam Program Risk Alert is available here: (https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Electronic%20Messaging.pdf).
The alert is based on SEC examiners’ observations made during exams regarding investment advisor electronic messaging practices. During the course of the exams, SEC staff found some firms did not conduct any testing or monitoring to ensure compliance with communication policies and procedures.
The SEC concerns stem from the increasing volume of electronic messaging without clear compliance controls, said Robert Cruz, senior director of the Information Governance Practice at Smarsh, a Portland, Ore.-based electronics communications solution provider.
In fact, regulators are now watching firms closely to see if they have set up active monitoring of internal communications across all communication and social media platforms, especially when workers share interactive content or mirror their desktops with someone else, Cruz added.
While prohibiting the use of these alternate communication channels may seem like a viable option to reduce risk, a firm that puts such prohibitions in writing runs the risk that staff members may violate the prohibitions, Cruz said.
The SEC Risk Alert cautions advisors to:
Regularly review popular social media sites to identify if employees are using the media in a way not permitted by the advisor’s policies;
Set up automated alerts to notify the advisor when an employee’s name or the advisor’s name appears on a website to identify potentially unauthorized advisory business being conducted online;
Require employees to obtain prior approval from the advisor’s IT or compliance staff before they can access firm email servers or other business applications from personally owned devices.