The SEC announced charges in a September 28 release against 15 prominent brokerage firms and an adviser for failures related to maintenance of books and records for communications using personal devices. The SEC identified what it described as pervasive use of personal devices, and of applications on those devices, to communicate on business matters.
While a particular method of communication is not forbidden, all written and electronic business communications are subject to various books and records requirements. Compliance pros know that go-to communications include texting. Also, most social media applications have chat capabilities and, particularly since COVID, many other apps have added messaging features as well. Given the vast array of applications available, how can compliance stay in the know to be sure they are seeing everything?
Firms need policies and procedures that reflect their specific situation. This can be demonstrated by documenting a thorough risk assessment. While there is not just one “right” approach, there is one question at the root of this assessment that will drive all subsequent considerations: Do you prohibit business communications on personal devices, or permit them?
If you are prohibiting the activity, the primary question is, “What measures are you taking to ensure that the prohibition is observed?” Collecting and testing personal devices raises a range of privacy considerations. However, documenting attestations by covered employees and demonstrating routine communication of policy can go a long way toward establishing reasonable reliance.
If you take the permitting path, the questions can become more varied. Who has this permission? Are there limits on the business to be conducted, or on the applications to be used? How do you test those limits? How do you ensure that you collect and store all required communications? Does such permission establish firm rights to install firm collection and monitoring software? Given the technological layers added by permitting personal devices, most firms take the prohibition route.
The goal, as always, is to ensure that you have the right solution sets for the risks you choose. In this case, ignorance is not bliss. You need to ask the questions and set up and train staff on the policies. Next, you need to test to confirm the policies and procedures are being followed and collect attestations to ensure you have staff buy-in.
And, as always, if you need assistance, we are here to help!