Corporate Compliance Insights

SEC Sanctions Warn Investment Firms That Good Intentions Aren’t Enough on Messaging Apps

Agency’s recent actions suggest current policies on private messaging apps fall short

by Mark J. Tarallo
May 24, 2022
in Financial Services

Think your firm’s policies will protect against sanctions for failing to meet the books and records requirements? If your rules explicitly forbid private text or social media messaging apps but do not also describe how such a policy will be enforced, your company may be at risk.

Employee use of messaging services and communication tools such as WhatsApp, Signal and Telegram, as well as personal text messages and private emails, is a significant compliance issue for investment firms, as communications on these tools are difficult to preserve as books and records.

The SEC has recently sanctioned multiple firms and is investigating others over preservation practices related to apps, and it’s likely this will remain an area of emphasis for the SEC and state regulators.

In at least one instance, a firm was sanctioned despite having adopted policies and procedures that banned unapproved devices, strictly prohibited services such as WhatsApp, and clearly instructed employees to use only company hardware and software for business matters.

The SEC believed that despite having these policies in place, the firm had failed in implementation because supervisors did not also take active steps to prevent and detect employees’ use of messaging platforms to ensure that recordkeeping and communications policies were being followed.

Review the risks, then revise the policies

Given the recent emphasis on these issues, firms should review the SEC’s Office of Compliance Inspections and Examinations risk alert relating to electronic recordkeeping.

While the risk alert doesn’t constitute a “safe harbor,” it does provide helpful guidance that adviser firms should consider adopting when designing policies and procedures.

SEC risk alert
The risk alert is based on results of examinations of investment advisers conducted by the OCIE. Pursuant to Rule 206(4)-7 under the Advisers Act, advisers must adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and rules thereunder. Each adviser should identify specific compliance factors creating risk exposures for the firm and its clients in light of the adviser’s particular operations, and then design policies and procedures that address those risks.

Based on this SEC guidance, companies should:

  • Permit only those forms of electronic communication for business purposes that the adviser determines can be used in compliance with the books and records requirements of the Advisers Act.
  • Specifically prohibit business use of apps and other technologies that can be readily misused because they allow an employee to communicate anonymously, allow for automatic destruction of messages, or prohibit third-party viewing or backup.
  • Require, through in-firm procedures, that when an employee receives a message via a prohibited form of communication, the employee move that message to another electronic system that the adviser determines can be used in compliance with its books and records obligations. The policy should include specific instructions to employees on how to do so.
  • Adopt and implement policies and procedures addressing advisers’ use of personally owned mobile devices for business purposes.
  • Adopt and implement policies and procedures for the monitoring, review and retention of electronic communications for business purposes via social media, personal email accounts, or personal websites.
  • Include a statement in policies and procedures informing employees that violations may result in discipline or dismissal.

The risk alert also provides some suggestions for supervisory review, including:

  • For advisers who permit use of social media, personal email, or personal websites for business purposes, contracting with software vendors to monitor posts, emails, or websites; archive such business communications to ensure compliance with record retention rules; and ensure that they have the capability to identify any changes to content and compare postings to a lexicon of keywords and phrases.
  • Regularly reviewing popular social media sites to identify whether employees are using platforms in a way not permitted by the adviser’s policies. Such policies include prohibitions on using personal social media for business purposes or using it outside of the vendor services the adviser uses for monitoring and record retention.
  • Running regular internet searches or setting up automated alerts to notify the adviser when an employee’s name or the adviser’s name appears on a website to identify potentially unauthorized advisory business being conducted online.
  • Establishing a reporting program or other confidential means by which employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications. Particularly with respect to social media, colleagues may be connected or friends with each other and see questionable or impermissible posts before compliance staff notes them during any monitoring.

In addition, when dealing with personal devices, companies should implement steps such as barring employees from using any unapproved personal devices and limiting access to company systems from personal devices, pre-installing security and compliance apps on such personal devices, and only allowing remote access to company files through a VPN or other secure network.

And make sure it sticks

From an employee training perspective, the risk alert recommends requiring personnel to complete training on the adviser’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging and electronic apps and the adviser’s disciplinary consequences of violating these procedures; obtaining attestations from employees at the commencement of employment with the adviser and regularly thereafter as to such training; and providing regular reminders to employees of what is permitted and prohibited.

Given recent guidance from the SEC that this will continue to be an area of focus for enforcement, it is important for advisers to review recent SEC enforcement actions as well as the risk alert and to update as needed any policies and procedures relating to personal electronic devices and electronic messaging. This will be a critical area going forward, and firms that do not devote the necessary attention to these issues are putting themselves at risk.

Firms must consider their specific operations when assessing risks and compliance issues, as no one size fits all in this context. Firms will need to focus on the supervisory aspects of adopting and enforcing these policies, as the SEC has made clear that it may view non-compliance as a supervisory issue.

As private messaging services and other means of communication proliferate, firms must be willing to update their policies as needed to address changes in technology.


Tags: Social Media Risk
Mark J. Tarallo

Mark J. Tarallo is a partner in Nutter’s Corporate and Transactions Department. He represents clients in a broad array of corporate matters, including mergers and acquisitions, venture capital financings, private equity transactions, and securities offerings. Mark works with clients of all sizes ranging from startups to publicly listed international companies.
