The Life of a CCO: Third in a series

How to Design an Appropriate Electronic Communications Review

A frequent question we receive from both established and newly registered advisers concerns the proper review of electronic communications. We understand that no one really wants to read someone else's private and sometimes very personal emails. But it has to be done, and your "supervised persons" should be well aware that there can be no expectation of privacy when using your business' electronic communication platforms (emails, instant messaging, text, etc.).

As with all elements in your compliance program, training is important. All supervised persons should receive at least annual training and it goes without saying that training should include your policies around electronic communications. Your written policies and procedures should clearly spell out what is acceptable and not acceptable use of electronic communications. The dangers of using email should be explicit. Educating employees to understand why it is necessary to review emails and instant messages is important.

Email review is key to demonstrating adequate supervision. If a "smoking gun" exists in an email, and no email review or inadequate email review was performed, the likelihood of a "failure to supervise" and often an associated "aiding and abetting" enforcement action occurring is significantly increased. If, on the other hand, adequate email review was performed but the "smoking gun" email was not found, then it becomes much more difficult to bring such an enforcement action against an adviser, its CCO and senior management. See our CCO Communique on June 20, 2012 concerning Adequate Supervision.

The SEC does not expect every email or instant message to be reviewed. It does expect, however, that every review be thought out and performed by knowledgeable personnel who can identify red flags.

Email review should be risk-based but also cast a wide enough net across the entire firm. Depending on the business, the risks can be varied. You should have a process to identify which business areas warrant additional or specifically targeted supervision. Below are a few examples of emails you should consider for review:

  • External email communications of your sales people, especially if they are compensated based on production. Such communications would likely be considered high risk due to the inherent conflict of interest associated with how the sales people are compensated and should be reviewed frequently.
  • Trading activity. If you have traders, you would likely want to spend some extra time reviewing their emails and instant messages with their sell-side counterparts.
  • If you have supervised persons who have relatives or close friends who work for another adviser or for a broker dealer, you may want to review some of those communications.
  • Anyone who has disciplinary history may also warrant additional review.

Email review is a powerful compliance tool and should be used not only to check for violations of the securities laws such as trading while in possession of material non-public information, but also to test for compliance with specific firm policies and procedures. For example, email review can be used as one of various tests to ascertain whether your gifts and entertainment policies are being followed. The reviewer might have a gift log available and by searching emails for references to dinner, lunch or golf outings etc., one may be able to verify whether the events have been properly logged as prescribed by your policies and procedures. 

Performing reviews can be very time-consuming and the tips below may be helpful in abbreviating the time involved. For the purpose of this discussion, we are assuming you are using an email archiving service. If you are not using a service, you should determine if the points discussed below could be incorporated into your methodology.

  • The review should, for most advisers, include a combination of "lexicon-based" and "random sampling" reviews. Lexicon-based reviews are based on sensitive words or phrases which may indicate problematic correspondence. The key-words and phrases selected should be meaningful and based on a firm's business model and on the risks involved (products, clients, trading activities, marketing activities, etc.).
  • The list should include industry "jargon" and slang. The various email archiving firms offer examples of key-word lists. These lists can be quite extensive but they are a great starting point. Select those words that are relevant to your business. It is almost as important to define your exceptions. You may, for instance, want to have a rule that "flags" the word "trouble". However, you do not necessarily want to capture instances of phrases such as "Having trouble viewing this email?" Also, having the ability to ignore disclaimer language is a good feature but not all email archiving firms can provide this. In such cases, searching the word "confidential" poses unique challenges as there are countless ways the word can be used in disclaimer language. Building a robust set of rules takes trial and error.
  • Once you incorporate a key-word list into your system, it is in your best interest to start immediately establishing your expectations regarding frequency of review. It is best to review your "hits" daily and amend appropriately. If you leave this for any length of time, you may well have tens of thousands of hits – it adds up very quickly. You may determine that it is not necessary to review each and every key-word "hit" in order to ensure an effective review. However, the rationale for reaching such a conclusion should be documented and based on reasonable inferences drawn from your reviews. You will most likely be required to walk an SEC examiner through the same process. Note that procedures should exist to keep the key-word list confidential. Those that are bent on circumventing the system will take special care not to use words for which a "flagging" rule has been set up. The key-word list should be reviewed periodically to determine if the list should be amended.
  • As mentioned, key-word reviews should be supplemented by random sampling of electronic correspondence. Random sampling refers to the use of a sampling technique, whereby some reasonable percentage of email, instant messages or other communications is reviewed. When random sampling is performed in conjunction with the use of key-words, the goal is to cast a wider net and be able to demonstrate that you increased your coverage to include all possible emails, not just those with key-word hits. Random sampling involves choosing an appropriate sample size. There is no prescribed percentage of electronic communication that should be reviewed. The correct percentage depends on each business' unique factors such as number of outgoing, incoming and internal emails, products offered, client base, trading activities, marketing activities, etc. For instance, high-risk employees, either due to previous disciplinary issues or due to their job function should warrant additional scrutiny.
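
The sketch below combines the points in the list above: key-word flagging with an exception phrase, ignoring disclaimer language, and random sampling of the remaining messages at a rate that depends on risk. It is an added example, not code from this firm or from any email archiving service; the lexicon, exception phrase, disclaimer pattern, risk tiers, sampling rates and sample messages are all constructed assumptions.

```python
import random
import re

# Constructed lexicon, exception phrases and disclaimer pattern (assumptions for illustration).
LEXICON = ["trouble", "confidential", "golf"]
EXCEPTIONS = ["having trouble viewing this email"]
DISCLAIMER = re.compile(r"^this (e-?mail|message) .*confidential", re.I | re.M)

# Constructed sample messages; "tier" is a hypothetical risk label for the sender.
SAMPLE = [
    {"id": 1, "tier": "ops", "body": "Lunch Friday?\n\nThis email and any attachments are confidential."},
    {"id": 2, "tier": "ops", "body": "Having trouble viewing this email? Click here."},
    {"id": 3, "tier": "trading", "body": "We're in trouble if the golf outing isn't logged. Keep this confidential."},
    {"id": 4, "tier": "sales", "body": "Quarterly statement attached."},
]

def strip_disclaimer(body):
    """Drop everything from the first line that looks like a disclaimer footer."""
    match = DISCLAIMER.search(body)
    return body[:match.start()] if match else body

def lexicon_hits(body):
    """Return the lexicon terms left after removing disclaimer text and exception phrases."""
    text = strip_disclaimer(body).lower()
    for phrase in EXCEPTIONS:
        text = text.replace(phrase, " ")
    return sorted(t for t in LEXICON if re.search(r"\b" + re.escape(t) + r"\b", text))

def select_for_review(messages, rates, default_rate, seed):
    """Queue every lexicon hit, then randomly sample the non-hits at a per-tier rate."""
    rng = random.Random(seed)  # recording the seed lets the same sample be re-derived later
    selected = {}
    for msg in messages:
        hits = lexicon_hits(msg["body"])
        if hits:
            selected[msg["id"]] = "lexicon: " + ", ".join(hits)
        elif rng.random() < rates.get(msg["tier"], default_rate):
            selected[msg["id"]] = "random sample"
    return selected

if __name__ == "__main__":
    # Sample every non-hit from "sales", none from other tiers (rates chosen to make the demo deterministic).
    for msg_id, reason in select_for_review(SAMPLE, {"sales": 1.0}, 0.0, seed=7).items():
        print(msg_id, reason)
```

Each queued message carries the reason it was selected, which is the kind of detail the review documentation needs to record alongside the sampling rates and the rationale for them.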

Documentation of email reviews, as with all facets of your compliance program, is important. Documentation should include the rationale for determining the appropriate sample size and the key words chosen as well as the frequency of reviews. In addition, it should be clear who performed the review, what was reviewed, and how any issues were resolved. Most archiving systems have detailed "hard-coded" audit history which allows for easy review of what messages were reviewed, when, by whom, if any action was taken, etc. They also usually provide statistics including percentage of emails reviewed for specific dates.

As discussed, review of electronic communications is a powerful compliance tool and can be used to test various components of your compliance program. Email review should not be static. Instead, it should be a dynamic process changing with the firm. We assist clients in performing their email reviews. Please contact us if you need any assistance in creating an appropriate email review policy, performing related employee training or creating an email key-word list.
