How to Design an Appropriate Electronic Communications Review
A frequent question we receive from both established and newly registered advisers concerns the proper review of electronic communications. We understand that no one really wants to read someone else’s private and sometimes very personal emails. But it has to be done, and your “supervised persons” should be well aware that there can be no expectation of privacy when using your business’ electronic communication platforms (emails, instant messaging, text, etc.).
As with all elements in your compliance program, training is important. All supervised persons should receive at least annual training and it goes without saying that training should include your policies around electronic communications. Your written policies and procedures should clearly spell out what is acceptable and not acceptable use of electronic communications. The dangers of using email should be explicit. Educating employees to understand why it is necessary to review emails and instant messages is important.
Email review is key in order to demonstrate adequate supervision. If a “smoking gun” exists in an email, and no email review or inadequate email review was performed, the likelihood of a “failure to supervise” and often an associated “aiding and abetting” enforcement action occurring is significantly increased. If on the other hand, adequate email review was performed but the “smoking gun” email was not found, then it becomes much more difficult to bring such an enforcement action against an adviser, its CCO and senior management. See our CCO Communique on June 20, 2012 concerning Adequate Supervision.
The SEC does not expect every email or instant message to be reviewed. It does expect, however, that every review be thought out and performed by knowledgeable personnel who can identify red flags.
Email review should be risk-based but also cast a wide enough net across the entire firm. Depending on the business, the risks can be varied. You should have a process to identify which business areas warrant additional or specifically targeted supervision. Below are a few examples of emails you should consider for review:
- External email communications of your sales people, especially if they are compensated based on production. Such communications would likely be considered high risk due to the inherent conflict of interest associated with how the sales people are compensated and should be reviewed frequently.
- Trading activity. If you have traders, you would likely want to spend some extra time reviewing their emails and instant messages with their sell-side counterparts.
- If you have supervised persons who have relatives or close friends who work for another adviser or for a broker dealer, you may want to review some of those communications.
- Anyone who has disciplinary history may also warrant additional review.
Email review is a powerful compliance tool and should be used not only to check for violations of the securities laws such as trading while in possession of material non-public information, but also to test for compliance with specific firm policies and procedures. For example, email review can be used as one of various tests to ascertain whether your gifts and entertainment policies are being followed. The reviewer might have a gift log available and by searching emails for references to dinner, lunch or golf outings etc., one may be able to verify whether the events have been properly logged as prescribed by your policies and procedures.
Performing reviews can be very time-consuming and the tips below may be helpful in abbreviating the time involved. For the purpose of this discussion, we are assuming you are using an email archiving service. If you are not using a service, you should determine if the points discussed below could be incorporated into your methodology.
- The review should, for most advisers, include a combination of “lexicon-based” and “random sampling” reviews. Lexicon-based reviews are based on sensitive words or phrases which may indicate problematic correspondence. The key-words and phrases selected should be meaningful and based on a firm’s business model and on the risks involved (products, clients, trading activities, marketing activities, etc.).
- The list should include industry “jargon” and slang. The various email archiving firms offer examples of key-word lists. These lists can be quite extensive but they are a great starting point. Select those words that are relevant to your business. It is almost as important to define your exceptions. You may, for instance, want to have a rule that “flags” the word “trouble”. However, you do not necessarily want to capture instances of phrases such as “Having trouble viewing this email?” Also, having the ability to ignore disclaimer language is a good feature but not all email archiving firms can provide this. In such cases, searching the word “confidential” poses unique challenges as there are countless ways the word can be used in disclaimer language. Building a robust set of rules takes trial and error.
- Once you incorporate a key-word list into your system, it is in your best interest to immediately start establishing your expectations regarding frequency of review. It is best to review your “hits” daily and amend appropriately. If you leave this for any length of time, you may well have tens of thousands of hits – it adds up very quickly. You may determine that it is not necessary to review each and every key-word “hit” in order to ensure an effective review. However, the rationale for reaching such a conclusion should be documented and based on reasonable inferences drawn from your reviews. You will most likely be required to walk an SEC examiner through the same process. Note that procedures should exist to keep the key-word list confidential. Those that are bent on circumventing the system will take special care not to use words for which a “flagging” rule has been set up. The key-word list should be reviewed periodically to determine if the list should be amended.
- As mentioned, key-word reviews should be supplemented by random sampling of electronic correspondence. Random sampling refers to the use of a sampling technique, whereby some reasonable percentage of email, instant messages or other communications is reviewed. When random sampling is performed in conjunction with the use of key-words, the goal is to cast a wider net and be able to demonstrate that you increased your coverage to include all possible emails, not just those with key-word hits. Random sampling involves choosing an appropriate sample size. There is no prescribed percentage of electronic communication that should be reviewed. The correct percentage depends on each business’ unique factors such as number of outgoing, incoming and internal emails, products offered, client base, trading activities, marketing activities, etc. For instance, high-risk employees, either due to previous disciplinary issues or due to their job function, should warrant additional scrutiny.
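The tips above combine key-word rules that have exceptions, disclaimer text that is ignored, and random sampling weighted toward high-risk employees. The following added example (not part of the original article or of any archiving vendor's product) shows how those pieces fit together; the lexicon terms, disclaimer pattern, sampling rates and message records are assumptions constructed for illustration.

```python
import math
import random
import re

# Constructed lexicon (assumed values): flagged term -> phrases that suppress the hit.
LEXICON = {"trouble": ["having trouble viewing this email"], "confidential": [], "guarantee": []}
# Assumed footer pattern: drop everything from the disclaimer line onward.
DISCLAIMER = re.compile(
    r"^(disclaimer:|this (e-?mail|message) (and any attachments )?(is|are) confidential).*",
    re.I | re.M | re.S)
# Assumed sampling rates per risk tier; the article prescribes no percentage.
SAMPLE_RATES = {"high": 0.5, "standard": 0.1}

def keyword_hits(body):
    """Return lexicon terms found outside disclaimer text and exception phrases."""
    text = DISCLAIMER.sub("", body).lower()
    hits = []
    for term, exceptions in LEXICON.items():
        scrubbed = text
        for phrase in exceptions:
            scrubbed = scrubbed.replace(phrase, " ")
        if re.search(rf"\b{re.escape(term)}\b", scrubbed):
            hits.append(term)
    return hits

def build_review_queue(messages, high_risk_senders, seed=None):
    """Map message id -> reason: every key-word hit, plus a random sample of the rest."""
    rng = random.Random(seed)
    queue, pools = {}, {"high": [], "standard": []}
    for msg in messages:
        hits = keyword_hits(msg["body"])
        if hits:
            queue[msg["id"]] = "keyword:" + ",".join(hits)
        else:
            tier = "high" if msg["sender"] in high_risk_senders else "standard"
            pools[tier].append(msg["id"])
    for tier, ids in pools.items():
        for mid in rng.sample(ids, math.ceil(SAMPLE_RATES[tier] * len(ids))):
            queue[mid] = "random:" + tier
    return queue

# Constructed sample messages (not real correspondence).
MESSAGES = [
    {"id": 1, "sender": "sales1", "body": "I can guarantee this fund will beat the market."},
    {"id": 2, "sender": "news", "body": "Having trouble viewing this email? Click here."},
    {"id": 3, "sender": "trader1", "body": "Lunch Friday?\nThis email and any attachments are confidential."},
    {"id": 4, "sender": "trader1", "body": "Keep this confidential until the announcement."},
    {"id": 5, "sender": "ops", "body": "Invoice attached."},
]
```

Recording the returned reason for each queued message alongside the reviewer and outcome gives the documentation trail the article calls for.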
Documentation of email reviews, as with all facets of your compliance program, is important. Documentation should include the rationale for determining the appropriate sample size and the key words chosen as well as the frequency of reviews. In addition, it should be clear who performed the review, what was reviewed, and how any issues were resolved. Most archiving systems have detailed “hard-coded” audit history which allows for easy review of what messages were reviewed, when, by whom, if any action was taken, etc. They also usually provide statistics including percentage of emails reviewed for specific dates.
As discussed, review of electronic communications is a powerful compliance tool and can be used to test various components of your compliance program. Email review should not be static. Instead, it should be a dynamic process changing with the firm. We assist clients in performing their email reviews. Please contact us if you need any assistance in creating an appropriate email review policy, performing related employee training or creating an email key-word list.