SEC Unauthorized Electronic Communications Sweep Key Takeaways

Author

Vivek Pingili

Publish Date

Type

Article

Topics
  • Compliance
  • SEC
  • RegTech
  • ComplianceAlpha

In an earlier article, we did a deep-dive into the U.S. Securities and Exchange Commission’s (SEC’s) enforcement activity and sweep enquiries in the investment banking space regarding how banks are monitoring, archiving, and safeguarding business-related electronic communications undertaken by their employees (including via such employees’ personal mobile devices). In particular, the SEC seems focused on assessing if, and to what extent, employees are conducting business using off-channel modes of communications (e.g., channels where communications are not being supervised or maintained by the registrant and/or are vulnerable to cybersecurity attacks) and how banks are monitoring for, and managing, such risks. 

Since then, and in relatively short order, the scope of the SEC’s enquiries has expanded to investment advisers. In Q1 2021, multiple investment advisers received, either on a one-off basis or as part of wider-scope exams, information requests along the lines below. This development underscores the SEC’s evolving sense of the critical nature of the risks arising from employees’ increasingly widespread use of mobile electronic communications apps to conduct business.

  • Please explain the steps taken by the Adviser to monitor, review, and retain electronic communications related to the Adviser’s business. Electronic communications include, but are not limited to, email, text messages, messaging apps, instant messages, Bloomberg messaging, and private messaging on social media sites. In your response, please address the following: (1) whether supervised persons are permitted to use personal devices for firm business or are permitted to use any form of electronic communication other than Adviser email accounts for business purposes; (2) if so, what steps the Adviser takes to approve the use of such personal devices or additional means of electronic communications; and (3) what steps the Adviser takes to ensure that supervised persons only use approved means of electronic communications to conduct firm-related business. Please also explain the Adviser’s policies on use of Dropbox, Google Drive, and other forms of cloud storage by supervised persons.
  • Non-Approved Communications - Has the Adviser received any reports (or is otherwise aware) since its registration with the Commission of non-approved means of electronic communications or cloud storage being used by supervised persons for firm-related business? If so, please provide details and describe the steps that the Adviser has taken in response to any such issues.

Key takeaways

In the private fund space, our electronic communications review team has noticed a significant uptick in the types of activity that bring into play the risks the SEC is focused on. In particular, in the remote working environment that still persists at many private fund managers, we have for some time noticed, and continue to notice, a significant blurring of the lines between business and personal communications by many employees, including the use of non-approved communication channels to conduct business.

These risks further underscore the need for private fund managers to more effectively track, archive, and surveil their employees’ business-related communications across all communication channels being utilized. 

While the initial (and natural) reaction to such regulatory scrutiny may be to aggressively clamp down on employees’ use of various electronic communication channels (internal and external), such as Microsoft Teams and WhatsApp, and to monitor for violations, it is worth reflecting that such an approach is increasingly antiquated and, as such, unlikely to manage risk effectively over the longer term. For one, the use of non-email-based apps for business communications has increased significantly across the investment management industry, and trying to reverse that trend is likely futile. Second, the ability to archive non-email communication channels has expanded significantly over the past several years. Many private market fund managers’ policies restricting business communications exclusively to firm-provided email accounts were drafted years ago, when the state of archiving capabilities was quite different from what it is today.

As such, we recommend that private fund managers re-visit their historic policies by:

  1. Comprehensively polling their employees on what apps employees and their industry contacts are using to conduct business 
  2. Working with their archiving vendors to determine if communications via these apps can be archived

For example, since the onset of COVID-19, we have seen numerous private fund managers become comfortable with employees using Microsoft Teams’ chat feature to correspond internally on business matters, having confirmed that these communications can be (and are being) effectively archived.

Further, as evidenced by recent regulatory scrutiny, the need to supplement old-school electronic communication reviews with machine-learning-based holistic surveillance tools has become increasingly critical. These tools, such as ACA’s holistic surveillance tool, combine behavioral and natural language processing (NLP) machine-learning algorithms to detect potentially inappropriate employee behavior early, in an effort to prevent (or at least minimize) damage. Another advantage of these tools is that they can integrate surveillance of business communications across all apps into a single unified view, so that communications can be understood in context and risky behavior patterns more readily detected, irrespective of which apps are used or even how those apps are accessed (e.g., via firm-provided desktops/other devices or personal hand-held devices). This is a significant advantage over “reviewing” communications app-by-app in isolation.

Additionally, with the increased adoption of Bring Your Own Device (BYOD) programs at many private fund managers over the past few years, these managers should ensure they have adequately implemented enterprise-level technological controls on both firm-issued and personal handheld devices to prevent employees from inappropriately copying, downloading or otherwise moving sensitive work-related data out of the work accounts set up in applications used to conduct business (such as Microsoft Outlook, Teams and WhatsApp). In practice this usually means mobile device management or mobile application management policies that keep work data in a managed container and restrict copy/paste, “save as” and sharing from managed apps to unmanaged ones.

Further, given the significant increase in cyber-attacks (especially since the onset of the COVID-19 pandemic), private fund managers should:

  1. Reiterate to employees the significant risks associated with emailing sensitive work documents to their personal email addresses (or other inappropriate email accounts) for any reason (such as the perceived convenience of working from one’s personal computer while away from the office) 
  2. Periodically monitor such risks via the email review process 
  3. Set up technological filters and controls to detect and prevent such activities where inappropriate
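As an added illustration of item 3 above (this is example code written for this article, not an ACA tool or any product’s actual rule syntax), the following Python script shows the kind of detection logic a mail-gateway or email-review filter would apply: it scans outbound mail-log records and flags messages from the firm’s domain to a consumer webmail address where the message carries an attachment or the recipient mailbox name resembles the sender’s own name (the classic “email it to myself at home” pattern). The log format, the firm domain `examplefund.com`, the webmail domain list and the sample records are all constructed for the example.

```python
"""
Added example (not from the original article): flag outbound email that looks
like an employee sending work material to a personal webmail account.
The JSON-lines log format and all sample records below are constructed.
"""
import json
import re
from dataclasses import dataclass

FIRM_DOMAIN = "examplefund.com"  # assumption: the adviser's own mail domain

# Consumer webmail providers commonly involved in self-forwarding (illustrative list).
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                    "icloud.com", "aol.com"}

# Constructed sample gateway log lines (hypothetical format).
SAMPLE_LOG = """\
{"ts":"2021-03-01T09:12:03Z","from":"jane.doe@examplefund.com","to":"trader@counterparty.com","attachments":["term_sheet.pdf"],"subject":"Term sheet"}
{"ts":"2021-03-01T17:45:10Z","from":"jane.doe@examplefund.com","to":"janedoe88@gmail.com","attachments":["LP_list_Q1.xlsx"],"subject":"for home"}
{"ts":"2021-03-02T08:02:41Z","from":"bob.smith@examplefund.com","to":"bsmith@yahoo.com","attachments":[],"subject":"fwd: model"}
{"ts":"2021-03-02T12:30:00Z","from":"bob.smith@examplefund.com","to":"newsletter@yahoo.com","attachments":[],"subject":"subscribe"}
{"ts":"2021-03-02T13:00:00Z","from":"ops@examplefund.com","to":"jane.doe@examplefund.com","attachments":["report.pdf"],"subject":"internal"}
"""


@dataclass
class Finding:
    ts: str
    sender: str
    recipient: str
    reasons: list


def _name_tokens(local_part):
    """Split a mailbox local part into alphabetic tokens: 'jane.doe' -> ['jane', 'doe']."""
    return [t for t in re.split(r"[^a-z]+", local_part.lower()) if len(t) >= 3]


def looks_like_self_forward(sender_local, recipient_local):
    """True if the recipient mailbox name contains the sender's surname together
    with either the first name or the first initial (jane.doe -> janedoe88,
    bob.smith -> bsmith). Digits and punctuation in the recipient are ignored."""
    toks = _name_tokens(sender_local)
    if not toks:
        return False
    rcpt = re.sub(r"[^a-z]", "", recipient_local.lower())
    first, surname = toks[0], toks[-1]
    return surname in rcpt and (first in rcpt or rcpt.startswith(first[0] + surname))


def scan(log_text, firm_domain=FIRM_DOMAIN):
    """Return a Finding for every outbound message that matches the pattern."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        s_local, _, s_domain = rec["from"].rpartition("@")
        r_local, _, r_domain = rec["to"].rpartition("@")
        # Only mail leaving the firm for a consumer webmail domain is in scope.
        if s_domain.lower() != firm_domain or r_domain.lower() not in PERSONAL_WEBMAIL:
            continue
        reasons = []
        if rec.get("attachments"):
            reasons.append("attachment to personal webmail: " + ", ".join(rec["attachments"]))
        if looks_like_self_forward(s_local, r_local):
            reasons.append("recipient mailbox resembles sender name (self-forwarding)")
        if reasons:
            findings.append(Finding(rec["ts"], rec["from"], rec["to"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.sender, "->", f.recipient, "|", "; ".join(f.reasons))
```

On the sample log this flags two messages (the attachment to janedoe88@gmail.com and the self-forward to bsmith@yahoo.com) and ignores the counterparty, newsletter and internal traffic. A name-similarity heuristic like this will produce false positives, so in a real program findings of this kind should be routed to the compliance email review rather than blocked automatically, with outright blocking reserved for rules that also classify the attachment content.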

Finally, employees should be reminded that to the extent they receive or initiate communications through unauthorized electronic communication channels (whether via their personal devices or firm-issued devices), they should not delete these communications without the prior approval of their compliance departments and should forward these communications to their firm-provided email accounts or other firm-approved communication channels that are subject to archiving. This latter step will ensure these business communications are archived one way or the other.

On demand webcast

In this fast-evolving regulatory landscape, it is more important than ever for private fund managers to undertake multiple steps to better understand, monitor, and manage risks arising from employees’ mobile electronic activities. Further, for our practical insights into the challenges of, and effective solutions for, monitoring such activities, please click here to access our recent webinar. 

How we help

ACA’s surveillance solutions are designed to help you manage your firm-wide risk in a way that meets regulatory expectations and industry best practices. Our offerings combine consulting, managed services, and technology to provide a holistic solution for developing and executing a comprehensive and truly risk-based surveillance program. 

For questions or to discuss how ACA can help your firm strengthen its surveillance program, increase efficiencies through technology, and ensure your regulatory obligations are met, reach out to your ACA consultant or contact us here.

Download our Private Markets and Hedge Fund Quarterly Updates 

This is just one of the many insightful articles included in our Quarterly Updates. Download the full newsletters to learn more: