Navigating in Cyberspace: Off-Channel Communications and Regulatory Risk
At a Glance
- As long as the firm approves a particular modality for business purposes and establishes the necessary infrastructure to capture, archive and monitor the approved modality, it will be considered “on-channel.” As a result, what constitutes an off-channel communication will vary between firms depending on the scope of the firm’s compliance policies and retention practices.
- Since 2018, a number of enforcement actions relating to electronic messaging have been brought by the SEC. The enforcement actions were initially limited to registered broker-dealers (and affiliated investment advisers) or firms that were dually registered, but the more recent settlements involve stand-alone investment advisers. Billions in financial penalties are associated with these settlements.
- Themes across the SEC settlement orders include violations across all levels of authority, including those supervisors charged with monitoring for off-channel violations.
- We provide six recommended best practices for asset managers.
In the financial services industry, registered firms are subject to recordkeeping rules that require business-related communications to be captured, retained and monitored by the firm for a specified period. For example, Rule 204-2 adopted under the Investment Advisers Act of 1940, as amended (Advisers Act), establishes an obligation for all investment advisers registered with the Securities and Exchange Commission (SEC) to preserve original copies of all books and records related to their investment advisory activities (discussed further below). Recently, the SEC and other financial industry regulators such as the Commodity Futures Trading Commission and the Financial Industry Regulatory Authority, Inc., have been cracking down on firms for alleged noncompliance with recordkeeping requirements relating to “off-channel” communications.
“Off-channel” communications are defined as business-related communications that are not captured, archived and monitored as required because they are sent or received using a communications channel that has not been approved by the firm for business use. Conversely, “on-channel” communications are those made through an approved communication modality and are captured, archived and monitored by the firm. Some channels that create challenges for firms are personal text messaging applications, social media messaging services and other internet-based messaging platforms like WhatsApp. However, it is important to note that there are no inherently inappropriate communication modalities: As long as the firm approves a particular modality for business purposes and establishes the necessary infrastructure to capture, archive and monitor the approved modality, it will be considered “on-channel.” As a result, what constitutes an off-channel communication will vary between firms depending on the scope of the firm’s compliance policies and retention practices.
Recent regulatory fines levied on industry participants, enforcement sweeps and published regulatory guidance make it clear that asset management firms continue to face increased scrutiny when it comes to off-channel communications. Firms must consistently monitor risks, practices, policies and procedures regarding electronic messaging and consider any improvements to their compliance programs that would help comply with regulatory requirements.
Regulatory Obligations
Violations involving off-channel communications implicate two separate compliance obligations under the Advisers Act:
- Section (a)(7) of the so-called Books and Records Rule (Advisers Act Rule 204-2(a)(7)) requires that investment advisers preserve in an easily accessible place originals of all communications received, and copies of all written communications sent and received relating to, among other things and subject to limited exceptions:
  - any recommendation made or proposed to be made and any advice given or proposed to be given
  - any receipt, disbursement or delivery of funds or securities
  - the placing or execution of any order to purchase or sell any security
  - the performance or rate of return of any or all managed accounts or securities recommendations
- The Compliance Rule (Advisers Act Rule 206(4)-7) requires registered investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and rules thereunder. The SEC has specified that policies and procedures reasonably designed to prevent violations of the Books and Records Rule should address “[t]he accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction.” See the Office of Compliance Inspections and Examinations’ risk alert on electronic messaging.
In 2018, the SEC’s Office of Compliance Inspections and Examinations (OCIE) (now the Division of Examinations) issued a risk alert after conducting a limited-scope examination of investment advisers to survey the use of electronic messaging (including written business communications conveyed electronically using text messaging, instant messaging, personal email, etc.) given its rise in popularity. OCIE staff found that the use of electronic communications in the industry varied, and that in many situations such communications were carried on without meaningful supervision. Since 2018, a number of enforcement actions relating to electronic messaging have been brought by the SEC. The enforcement actions were initially limited to registered broker-dealers (and affiliated investment advisers) or firms that were dually registered, but the more recent settlements involve stand-alone investment advisers. Billions in financial penalties are associated with these settlements.
Enforcement Actions to Date
The timeline below focuses on off-channel enforcement actions involving investment advisers:
- December 2021: JPMorgan agrees to pay $125 million for recordkeeping failures.
- September 2022: Fifteen broker-dealers and one affiliated investment adviser agree to pay combined penalties of more than $1.1 billion.
- May 2023: Two registered broker-dealers acknowledge their recordkeeping violations and agree to pay penalties of $15 million and $7.5 million.
- August 2023: Nine broker-dealers, including one broker-dealer and investment adviser dual-registrant, are ordered to pay combined penalties of $289 million.
  - Wedbush Securities Inc. was charged with violating the Books and Records Rule and Section 203(e)(6) of the Advisers Act in its capacity as investment adviser.
  - Wedbush maintained policies and procedures designed to ensure compliance with the Books and Records Rule, including (i) identifying unapproved electronic communication methods, (ii) requiring employees to forward work-related communications from personal email, chats or text messages to Wedbush’s compliance function, and (iii) supervising training on such matters. However, Wedbush allegedly failed to implement sufficient monitoring to ensure compliance therewith.
  - The SEC found that Wedbush routinely communicated off-channel using personal devices.
- September 2023: The SEC charges 10 firms, including dually registered broker-dealers and investment advisers, and investment advisers affiliated with broker-dealers, with fines ranging from $2.5 million to $35 million.
- February 2024: The SEC announces charges against 16 firms, including dually registered broker-dealers and investment advisers, and investment advisers affiliated with broker-dealers. Fines vary widely, with $16.5 million on the high end and $1.5 million on the low end for a self-reporting firm.
- April 2024: Senvest Management, LLC, is ordered to pay a $6.5 million penalty for violations under the Advisers Act.
  - Senvest employees allegedly communicated about Senvest-related business internally and externally using personal texting platforms and other non-Senvest electronic communication services. Some messages received on personal devices were set to automatically delete after 30 days.
  - However, Senvest’s policies and procedures (i) required retention of all electronic communications sent and received by the firm — a substantially broader obligation than that under the Books and Records Rule — and (ii) prohibited use of non-Senvest electronic communication services for any business purpose.
  - As a result of the conduct described above, Senvest was found to have willfully violated the Books and Records Rule and the Compliance Rule.
- August 2024: The SEC charges 26 firms, including broker-dealers, investment advisers, and dually registered broker-dealers and investment advisers with fines ranging from $400,000 to $50 million. The SEC notes that “among this group of firms, there are several that differentiated themselves by self-reporting prior to the staff’s investigation, demonstrating once again the real benefits of proactive cooperation.”
Themes across the SEC settlement orders include (i) violations across all levels of authority, including those supervisors charged with monitoring for off-channel violations, and (ii) observations from the SEC that asset managers’ failure to preserve records impedes the SEC in fully carrying out its regulatory and investigative functions.
Recommended Best Practices for Asset Managers
1. Conduct a Risk Assessment of Off-Channel Communications
Conduct a comprehensive risk assessment to evaluate where the relevant risks lie within your firm regarding off-channel communications. Interview employees to learn of their preferred communication forms, both for internal and client-facing purposes, to determine if such communication forms are being captured, retained and monitored.
2. Establish an Off-Channel Communication Policy
Adopt and implement policies that provide detailed guidance regarding off-channel messaging platforms. These policies should explicitly identify the forms of communications that are approved for business purposes because they can be captured, retained and monitored as required by the Advisers Act. Further, these policies should specifically prohibit any communication forms that are not approved (including those that allow for automatic destruction of messages, allow employees to communicate anonymously or prevent third-party viewing).
3. Develop Supporting Procedures
Ensure that the firm is capturing business communications on all channels provided for in the relevant policy. These procedures should also include specific instructions on how employees can move messages received from clients on an off-channel platform to an electronic system that the firm supports and that can be captured for the firm’s books and records obligations.
4. Ensure Appropriate Training
Training for employees should address off-channel communications and the firm’s relevant policies, including specific examples of permitted or prohibited communication channels, and what to do in the case of an inadvertent off-channel communication. Training should be provided to all new hires promptly after their start, and more frequent training should be provided for known or suspected offenders or higher-risk departments. These trainings should be consistently reinforced by circulating relevant reminders. The firm should periodically solicit feedback from departments on whether the policies and approved communication methods need to be updated. Firms should also require periodic attestations in which employees specifically certify to their understanding of, and compliance with, the firm’s policies on off-channel communications (quarterly attestations are becoming the industry standard for these).
5. Display Leadership by Example
Recent regulatory actions have highlighted that a strong “tone at the top” is critical. In many instances, firms faced amplified fines because the senior executives and supervisors who were supposed to enforce the off-channel policies were the largest violators. Those in supervisory positions should lead by example — for instance, by having senior leadership directly send the periodic reminders and deliver the trainings described above.
6. Monitor for Compliance
Firms should implement appropriate mechanisms for detecting violations of their off-channel communication policies, including enhancing technological surveillance solutions that use natural-language processing. For instance, firms should surveil company email and other on-channel communication methods for references to the prohibited applications or other language implying off-channel communications to determine if employees are inappropriately conducting business-related communications on unapproved platforms.