An important and modern advancement of the SEC’s “Books and Records Rule” is the storage and review of email activity by Registered Investment Advisors (RIAs).
Emails, and their attachments, fall under the regulatory definition of “written communications” and therefore are subject to the archiving requirements defined within the Books and Records Rule. Additionally, CCOs are expected to ensure that the content of these electronic communications remain within regulatory guidelines and consistent with the fiduciary standard to which they are held by documenting periodic reviews of the archive.
Email Archiving & Surveillance in a Nutshell
Your RIA needs to ensure that email with clients is preserved in an archive and regularly reviewed for compliance concerns, specifically violations of the fiduciary duty and misleading or other inappropriate communications. The Books and Records Rule for RIAs states that “written communications” are subject to archiving requirements of all RIAs. Specifically, written messages with clients must be kept (with some exceptions) for a period of five years, the most recent two of which must be stored on-site or immediately accessible from your office. As is the case with all books and records, cloud-based systems that are accessible from on-site are considered "on-site" since files and information stored there can be produced without traveling to another location. Email messages that fall under the Books and Records Rule are those sent or received by employees of RIAs that fall into any of these categories:
And more generally, communications with clients regarding:
Email messages and attachments must be archived in a manner that preserves their original record state. It is the CCO's responsibility to ensure that all email records are maintained and protected from any alteration or destruction. Additionally, it is the CCO's responsibility to ensure that client communications are conducted on an email system that is being archived (that is, no personal email accounts) to ensure that future communications will be archived. The CCO should also be familiar with the email archiving system used and know how to retrieve items from it for review or to produce for regulators upon request. Similar to your other books and records, regulators allow for cloud-based, electronic storage of email messages and attachments. The key is that you can demonstrate your ability to:
Technology controls of archived email should be understood and reviewed periodically to ensure that they are reasonably configured to minimize risk of loss or destruction. Access should be reviewed as well to ensure that only those responsible for administration or review have access to edit or view the archive. Note: Your “Inbox” does not demonstrate the proper archiving standard expected by regulators because anyone who has access to that inbox has the ability to alter or destroy messages or attachments.
While the Books and Records Rule requires that you keep copies of your email communications and attachments, there is no specific language in the Advisers Act requiring you to monitor or periodically search emails. However, CCOs are expected to follow procedures to detect risks and to prevent and correct violations of the compliance program, so it is considered a best practice to conduct some level of proactive surveillance in order to demonstrate that, as CCO, you are supervising your supervised persons' adherence to the RIA's compliance program.
CCOs would therefore want to implement some periodic review of the messages that are sent and received, so as to ensure compliance with SEC (or state) regulations that impose fiduciary and supervisory duties, like adherence to your Code of Ethics and advertising constraints, among others. The frequency and depth of review should be based on the structure and complexity of your RIA's business, and on the CCO's familiarity or involvement with the client communications of a particular supervised person. If the CCO works closely with one person but remotely with another, it would be reasonable for the CCO to apply greater supervision to the remote person's archived email messages. Finally, the CCO should document these surveillance reviews of the email archive and capture, at a minimum, the time period reviewed, the number of messages in that period, the number of messages reviewed, whether or not issues were found, and the resolution of those issues.
Through the Regulator’s Eyes
Regulators will focus on two aspects of your email system: the quality of your archive, and your surveillance process. In their view, these tasks are designed to protect your business and clients from unauthorized access or disclosure of sensitive data, and also to ensure that your RIA is actively monitoring its supervised persons and addressing issues internally. Regulators expect you to be able to retrieve any email sent or received that may be used to substantiate your finances, support the decisions made on behalf of your clients, or validate that you are always adhering to your fiduciary duty. The documentation of your surveillance activities should reasonably demonstrate that as CCO you are applying supervision to the communications between your supervised persons and your clients.
Recently, the SEC Commissioners’ opinion has also clarified that an RIA's obligation to produce electronic records includes employees’ personal email messages, instant messages, text messages and personal computer hard drives when they are used for business purposes. This is why it is critical to ensure that all approved mediums for written communications are included in your archive.
Thinking through an advisor complaint will help define the expectations that will be placed on your RIA during an examination. Regulators are required to respond to every complaint lodged against an RIA, and in that response, they may request that you produce any and all written communications, including emails, sent and received between the RIA and the client involved. As such, you want to be confident that those records exist and are ready to retrieve. A complete history of all communications through the past five years in a readily accessible archive will allow you to promptly respond to the regulator’s request and reach a resolution. Additionally, the regulators may wonder why matters reached this point, and look to your policy and process of email surveillance and the business practices that surround them. Regulators want to ensure that you are reasonably monitoring your employees’ communications that are subject to the Books and Records Rule, to verify that you have a satisfactory level of prevention to address potential issues internally before they escalate. In response, you will want to provide reports and supporting documentation of the email surveillance performed by the CCO of the RIA.
Most states enforce the Books and Records requirement on RIAs in a manner consistent with the SEC, but if you are under the oversight of state regulators, you’ll want to familiarize yourself with their requirements as well.
CCO Best Practices for Email Archiving & Surveillance
The Books and Records Rule generally requires records to be kept for five or more years, from the end of the fiscal year in which an entry was last made to the record, with the most recent two years being accessible from the RIA's primary office location.