The U.S. Securities and Exchange Commission’s Risk Alert provides additional information regarding the Division of Examination’s risk-based approach for both selecting registered investment advisers to examine and in determining the scope of risk areas to examine. It sets out the documents and information that staff will initially request as well as additional requests for information and documents from the adviser the staff may request as the examination progresses. Firms need to be aware that electronic communications–with all of the modalities such as emojis, GIFs, additions and deletions–are specifically included in the regulator’s risk-based approach.
Some of the reasons the Division may select an adviser to examine include, but are not limited to, one or more of the following:
There are also firm-specific risk factors that the staff considers when selecting advisers for examination, such as those related to a particular adviser’s business activities and regulatory history.
Examinations typically include reviewing advisers’ operations, policies and compliance practices with respect to certain core areas. Information regarding the compliance program, risk management, and internal controls includes specifically complaints, correspondence and electronic communications. As well as the process for monitoring those communications.
Firms need to be aware that the scope of electronic communications need to be considered. For instance, the expectation is that a firm can identify, capture, search for and retrieve an angry face emoji which may well be deemed a complaint.
During an examination, the regulator’s staff will request documents and information and will expect the firm to be able to retrieve all the requested records promptly in order to be able test the effectiveness of the adviser’s compliance policies and procedures for monitoring, mitigating, and managing risks. Simple policy maintenance is not enough - firms need to be able to evidence that their policies and procedures are working in practice.
The Risk Alert is aimed at registered investment advisers but the need for robust and comprehensive recordkeeping is universal for financial services firms. Without the ability to capture, retain, search and retrieve all relevant records, firms will simply not be able to respond to information requests and, by association, will not be able to evidence their compliance.
Firms may well have done all the right things in all the right ways but unless they can evidence that compliance, it will be seen as a breach by the regulator. Before a regulator even gets to assessing compliance with specific rules and requirements, a firm that cannot produce requested information will be found to have violated recordkeeping requirements.
The Risk Alert gives a general outline as to the likely initial request for information which would typically include:
All of the above areas will require a firm to be able to retrieve the required information and that can only happen if the firm has already identified, captured and retained the information.
The Risk Alert is set against a backdrop of now more than $2.5bn in fines having been imposed for communications recordkeeping failures. Regulators around the world expect firms to learn from enforcement actions and in particular to review whether their own business activities could suffer from the same gaps in compliance. The Risk Alert makes clear that it is describing risks that firms may consider to not only assess their supervisory, compliance, and/or other risk management systems but also to make any changes to address or strengthen such systems.
In practical terms, firms would be well advised to review their approach to communications compliance and ensure that they have appropriate technical controls and evidence to facilitate the capture, retention, search and retrieval of all relevant records, emojis specifically included.
Backed by the investment arms of Cisco, RingCentral, Salesforce, and Zoom, Theta Lake’s multi-award winning product suite provides patented compliance and security for modern collaboration platforms, utilizing hundreds of frictionless partner integrations including RingCentral, Webex by Cisco, Microsoft 365 and Teams, Slack, Zoom, Movius, Box, Mural, Asana and more.
Theta Lake empowers organizations to safely, compliantly, and cost-effectively expand their use of unified communication platforms by enabling capture, compliant archives, and acting as an archive connector for existing archives of record across video, voice, and chat collaboration systems. Customers benefit from: