Congratulations!
You've contracted with a vendor to capture and archive all emails sent to and from employees within your advisory firm. Emails are set to be stored for not less than five years pursuant to the SEC's recordkeeping requirements and are ready to be turned over when requested during an exam. So now you can relax, right? Wrong: now the fun really begins: actually reviewing these emails and testing the integrity of your archiving system.
Emails (and attachments) sent or received by a registered investment advisor are subject to the SEC's recordkeeping requirements if they concern any of the records required to be kept by Rule 204-2 under the Advisers Act. A full list of such records can be found here.
As an aside, this same logic applies to other forms of electronic communication, such as text messages, instant messages, and messages sent within social media platforms, but email will be referenced throughout this article for simplicity's sake.
The bottom line is that the SEC may request all electronic communications related to the business of the advisor for a certain period of time, even if such communications were sent through a personal email account. Beyond merely reviewing a sampling of emails themselves, examiners are also likely to inquire how the advisor reviews its own emails.
There is no single prescribed method to conduct email surveillance, which is in line with the SEC's typical principles-based regulatory framework (as opposed to FINRA's framework, which is generally considered rules-based or prescriptive). That said, an advisor's email surveillance system should be reasonably designed to prevent violations of the federal securities laws, just like all of its other policies and procedures. But what does this mean in practice?
Below are steps to take when designing and implementing an email surveillance program:
Step 1: Take Advantage of Technology
Any reputable email archiving vendor will have the ability to automatically flag emails that contain certain words or phrases likely to warrant review. These keywords or key phrases should be customizable by the advisor, which allows the advisor to control which words or phrases are flagged and to adjust keywords and key phrases as the business changes or new risks emerge.
Conversely, the vendor should also have the ability to exclude certain words or phrases from being flagged automatically and drowning the reviewer with unnecessarily-flagged emails. The most common excluded phrases are known email disclaimers or footers, which may contain keywords like "attorney," "FINRA," or "guaranteed."
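The flagging and exclusion described in Step 1 can be illustrated with a small script. The following Python is an added example, not the page's or any vendor's own code: the known disclaimer is removed as a whole phrase before keyword matching, so a word like "guaranteed" in a footer does not flag every message, while the same word in the body still does. The keyword list and footer text are constructed samples; a real list is set by the advisor.

```python
import re

# Constructed sample keyword list; the advisor chooses its own terms.
FLAG_TERMS = ["guaranteed", "attorney", "finra", "complaint", "promise"]

# Constructed sample footer. Exclusions are whole phrases, not single words:
# excluding the word "guaranteed" globally would hide it in the body too.
EXCLUDED_PHRASES = [
    "This message is not a guaranteed offer. Consult your attorney. Member FINRA.",
]


def _normalize(text: str) -> str:
    """Collapse runs of whitespace so a footer wrapped across lines still matches."""
    return " ".join(text.split())


def strip_excluded(body: str) -> str:
    """Remove each known disclaimer/footer phrase from the message text."""
    cleaned = _normalize(body)
    for phrase in EXCLUDED_PHRASES:
        cleaned = cleaned.replace(_normalize(phrase), "")
    return cleaned


def flag_email(body: str) -> list[str]:
    """Return the sorted flagged terms found outside excluded phrases.

    Matching is case-insensitive and on whole words, so "FINRA." in a
    footer is not counted once the footer has been stripped, but the same
    word in the body is.
    """
    text = strip_excluded(body).lower()
    hits = {
        term
        for term in FLAG_TERMS
        if re.search(r"\b" + re.escape(term) + r"\b", text)
    }
    return sorted(hits)


if __name__ == "__main__":
    sample = (
        "We promise returns will be guaranteed.\n"
        "This message is not a guaranteed offer. Consult your attorney. Member FINRA."
    )
    print(flag_email(sample))  # ['guaranteed', 'promise']
```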
Step 2: Know What to Review
Reviewing email can be an incredibly effective cure for insomnia, but don't snooze through common problems often revealed in emails:
- Undisclosed client complaints
- Insider trading or selective disclosure
- Distribution of marketing materials not conforming to the Advisers Act, the rules promulgated thereunder, or applicable no-action letters (e.g., Clover Capital)
- Promissory claims or language guaranteeing performance
- Suspicious emails from clients who may have had their email account hacked
- Undisclosed matters requiring disclosure on an advisor's U4
- Breaches of non-public personal information or failure to follow privacy policies
- Failure to place the client's best interests first or other fiduciary failings
Step 3: Know How Much to Review
Again, there is no prescribed formula for determining how many emails to review, but enough should be reviewed for an advisor to be able to defend it as reasonable.