Now that the dust has settled on the SEC’s enforcement action against fifteen (15) broker-dealers and an investment adviser for violations of SEC recordkeeping rules applicable to the use of personal devices and off-channel communications – and FINRA has weighed in too with an enforcement action and advice – broker-dealers and investment advisers that have not already undertaken a review of their personal use and off-channel communication policies should do so now, before 2022 draws to a close.
To assist with that endeavor, here are our top five (5) takeaways from recent enforcement activity.
1. Management Must Express a Unified Opinion on the Use of Personal Devices and Off-Channel Communications.
It is never okay for leadership to instruct its employees to take an action (or refrain from taking an action), and then do the opposite itself. In the case of personal devices and off-channel applications, this means that management cannot use a means of communication to communicate with employees, firm customers, or other parties regarding firm business if management has instructed its employees not to use these means of communication in such a fashion. The same principle applies if the firm has a policy that limits the permissible use of personal devices or digital communications to certain firm employees; that circle of individuals cannot expand the circle through exception or otherwise. The culture of compliance must be maintained by everyone in the firm until the firm’s policies change (in response to new technology for example).
2. Written Policies and Procedures Must Address Personal Devices and Off-Channel Communications Specifically
Broker-dealers and investment advisers sometimes have written policies and procedures that refer generically to the firm’s adherence to applicable SEC and FINRA recordkeeping rules. Such policies and procedures may state something along the lines of: “The Firm requires its associated and supervised persons to use firm-authorized communication devices when communicating with the firm’s customers.” The policies and procedures may not be specific with respect to exactly what devices and off-channel applications are permitted to be used by the firm’s employees, or may make it difficult for an employee to determine which devices and applications (if any) are approved and which are not.
Written policies and procedures must specifically refer to personal devices and off-channel communications and provide clear guidance with respect to the types of devices that are permitted as well as those that are not approved for firm business. The best policies and procedures will also make clear to employees how the firm surveils for compliance with the policy. Investment advisers should take note that the SEC expects advisers to have written policies in this area. The SEC’s examination and investigation of advisers on this issue appears to be continuing.
3. Reasonable Surveillance Tools Must Be Active.
Written policies and procedures should be aligned with the firm’s surveillance capabilities. In other words, a firm will not be able to comply with SEC (and FINRA, if applicable) recordkeeping rules if the firm has not activated a surveillance plan that supports the firm’s written policies and procedures. The surveillance plan does not need to rely on expensive technology; rather, the plan must reflect a realistic assessment of the methodologies the firm can reasonably employ to detect and prevent violations of the firm’s procedures. The surveillance plan also needs to be updated on a regular schedule so it does not get stale with the passage of time, as new technologies are developed that may enable better surveillance.
4. The More Training the Better.
The SEC and FINRA enforcement actions make clear that employees, at least at some firms, are not receiving the training they need to understand their firm’s policy with respect to the use of personal devices and off-channel communications to conduct firm business. Firms should ask themselves whether they have training specific to the use of personal devices and off-channel communications; when the last time that training was provided on a mandatory-attendance basis; and whether the firm can do better in this area. Annual training on this issue may not be enough, particularly at a time when so many employees are working from home at least some of the time and may be accustomed to practices that developed during the pandemic. Firm policies also may have changed since the height of the pandemic; policies that were necessary when work-from-home was required for practically everyone may have been revised as employees were called back to physical offices.
5. Self-Reporting Should Be Considered if Past Errors Exist.
The SEC has warned all broker-dealers and investment advisers to review their policies in this area and to self-report issues of non-compliance to their securities regulator if necessary. It is a truism that no regulated firm wants to self-report an issue to its regulator, but it is also true that a firm cannot get credit for doing the right thing if it does not raise its hand. A failure to self-report may also be viewed negatively by the regulators and make the problem worse.
Every firm should take the time now to make sure that its compliance with applicable recordkeeping rules is ready for inspection.