SEC cracking down on texting with clients

A new Risk Alert publication issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE) encourages advisers to “review their risks, practices, policies, and procedures regarding electronic messaging.”

The guidance from SEC comes after a growing number of advisory firms, broker/dealers and other providers have rolled out FINRA-reviewed texting solutions to their reps. In the Risk Alert, regulators remind advisers of their duties under the Advisers Act Rule 204-2, known as the “Books and Records Rule.” OCIO further encourages firms to proactively consider “improvements to their compliance programs that would help them comply with applicable regulatory requirements.”

According to the Risk Alert, OCIE examiners have noticed an increasing use of various types of electronic messaging by adviser personnel for business-related communications. Many of the solutions have been reviewed by FINRA, but the SEC notes that its own Books and Records Rule is distinct from any FINRA regulations and applies to digital as well as print communications.

Section 204-2(a)(7), for example, requires advisers to make and keep originals of all written communications received and copies of all written communications sent by such investment adviser relating to any recommendation made or proposed to be made and any advice given or proposed to be given; any receipt, disbursement or delivery of funds or securities; the placing or execution of any order to purchase or sell any security; or the performance or rate of return of any or all managed accounts or securities recommendations, subject to certain limited exceptions.

The OCIO Risk Alert also points to Advisers Act Rule Section 206(4)-7, known as the “Compliance Rule.” This rule requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the communications and recordkeeping rules thereunder. According to the Compliance Rule’s adopting release, OCIO explains, each adviser should identify compliance factors creating risk exposures for the firm and its clients in light of the adviser’s particular operations, and then design specific policies and procedures that address those risks.

“The Commission has stated that an adviser’s policies and procedures should address, to the extent relevant to the adviser, the accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction, among other things,” OCIE says. “The Compliance Rule also requires an adviser to review, no less frequently than annually, the adequacy of the adviser’s compliance policies and procedures and the effectiveness of their implementation.”

OCIE believes a number of changes in the way mobile and personally owned devices are used “pose challenges for advisers in meeting their obligations under the Books and Records Rule and the Compliance Rule.” These changes include the increasing use of social media, texting, and other types of electronic messaging apps, and the “pervasive use of mobile and personally owned devices for business purposes.”

The OCIE staff specifically excluded email use on advisers’ systems from its review and subsequent Risk Alert. The stated reason is that firms have had decades of experience complying with regulatory requirements with respect to firm email, “and it often does not pose similar challenges as other electronic communication methods because it occurs on firm systems and not on third-party apps or platforms.”

The full text of the Risk Alert includes additional suggestions, such as establishing a reporting program or other confidential means by which employees can report concerns about a colleague’s electronic messaging, website or use of social media for business communications. Particularly with respect to social media, colleagues may be “connected” or “friends” with each other and see questionable or impermissible posts before compliance staff notes them during any monitoring. OCIE further recommends that firms set strict and specific policies regarding the control over mobile and personal devices.