Electronic Communications–What Should CCOs Be Asking?

We promised last week to help you dissect your compliance program to be sure you are ready to answer related questions from regulators and institutional investors.

Let’s start this week with the glaringly obvious—electronic communications.  One key adaptation to pandemic life has undoubtedly been the heightened reliance on electronic communications. While these technologies have been in place for some time, the risk has increased with the additional reliance on email, conference services, video conferencing, and chat features.

As communications are fundamental to our businesses, this topic overlaps with other compliance efforts, including supervision of personnel, cybersecurity, operations (i.e., authentication), information protection, and maintenance of complete books and records.

Recently, examiner focus on electronic communications has been designed to assess the enhancements that firms have put in place to keep in touch with employees, vendors and clients. While we have seen much of the focus here as information gathering – what is working and where firms are experiencing issues – compliance staff should be aware of the capabilities and limitations of all systems used by employees to communicate electronically. Here are some important considerations for CCOs to iron out:

  • What new services are being employed to support operations and communications?
  • To what extent has the Firm added or increased its reliance on electronic platforms for communications, operation, or data storage?
  • Has the firm updated its inventory of devices being used to support business activities and client communications?
  • How does the Firm ensure that electronic communications are taking place solely on approved platforms and devices?
  • Are approved applications monitored for new features?

Adopting a video conferencing application for client meetings, or allowing a particular social networking platform as temporary additional communication, should involve an assessment of any other capabilities available for the application – for example, is there a separate embedded chat function where communications should be retained?

In addition, employees working remotely may feel the need to adapt to their own circumstances using the tools with which they are familiar. This could include accepting communications from clients on platforms favored by those clients, without immediate consideration for books and records requirements.

CCOs should consider role playing exercises during training and for example, providing sample language for moving a communication from a personal platform back into the fold: “Thanks for reaching out to me on my [LinkedIn page, WhatsApp account, etc.]. If you send me your email, I can get back to you that way.”

These responses can vary by scenario, so are not required to be “from the book”, but the policy should provide a few examples so that employees can readily adapt them to their particular situations.

Overall, firms’ policies and procedures should include requirements for explicit approval of new platforms, ongoing application monitoring, explicit prohibition of non-approved methods of communication, continuous books and records testing, and routine training on these topics.  If you have not held training addressing the new normal, you are not ready for the next regulator or institutional investor due diligence meeting.

For more information on these and related topics, we hope you can join us – virtually, of course – at our next compliance roundtable Oct 27, 2020. Stay Tuned for details to come.