Data Security Law Blog

Texting Clients and Using Social Media? SEC Issues Compliance Reminder to Investment Advisers

 

Investment advisers may want to think twice before texting clients any advice in the New Year. 

In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.

Advisers Act Rule 204-2—called the “Books and Records Rule”—requires advisers and their personnel to make and maintain records relating to their investment advisory business, which includes keeping “[o]riginals of all written communications received and copies of all written communications sent” relating to (i) recommendations and advice, (ii) the receipt or disbursement of funds, (iii) purchasing or selling a security, or (iv) the performance of a managed account or securities recommendation. The Books and Records Rule contains limited exceptions.

The alert specifically calls out “text/SMS messaging, instant messaging, personal email, and personal or private messaging” as being covered by the rule, as are other communications conducted on the adviser’s network or via third-party applications or platforms or “sent using the adviser’s computers, mobile devices issued by advisory firms or personally owned computers or mobile devices used by the adviser’s personnel” for business purposes.

Social media also received attention in the alert. An advisor who links to a “notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication” on their LinkedIn or other social media platform should heed Advisers Act Rule 204-2(a)(11), which requires an adviser to keep a copy of each commentary they circulate to ten or more persons.

Rather than expecting compliance in the abstract, Advisers Act Rule 206(4)-7—called the “Compliance Rule”—requires advisers to be proactive and “[a]dopt and implement written policies and procedures reasonably designed to prevent violation” of the Advisers Act and its rules. Citing to this requirement, the alert includes the following recommendations to advisers concerning policies and procedures they may want to implement for use of electronic communications:

  • Prohibit forms of electronic communications that easily allow for messages to be sent anonymously, to be automatically destroyed, or prohibits third-party viewing or back-up.
  • Require a procedure for moving an electronic message received from a client to another system that is in compliance with its books and records obligations.
  • Adopt and implement policies concerning the use of personal devices if such devices are used for business purposes.
  • If the use of social media, personal email, or personal websites for business purposes is permitted, implement policies and procedures for the monitoring, review, and retention of such electronic communications.
  • Train personnel on the policies and procedures in place on the use of electronic messaging and the disciplinary consequences for violations.
  • Regularly review social media sites and run Internet searches to identify potential violations of the adviser’s policies and procedures.
  • Establish a confidential reporting program so employees can report their concerns “about a colleague’s electronic messaging,” including use of social media or impermissible posts.
  • Require the downloading of security software on company-issued or personally owned devices prior to allow them to be used for business purposes. Such software can (i) require cybersecurity updates, (ii) monitor for prohibited apps, and (iii) “wipe” a lost or stolen device of information.

“OCIE encourages advisers to review their risks, practices, policies, and procedures regarding electronic messaging and to consider any improvements to their compliance programs … [and] to stay abreast of evolving technology and how they are meeting their regulatory requirements,” said the alert.