SEC Risk Alert Reiterates Focus on Recordkeeping

Written by Susannah Hammond | Oct 16, 2023 3:05:46 PM

The U.S. Securities and Exchange Commission’s Risk Alert provides additional information regarding the Division of Examinations’ risk-based approach both for selecting registered investment advisers to examine and for determining the scope of risk areas to examine. It sets out the documents and information that staff will initially request, as well as the additional information and documents the staff may request from the adviser as the examination progresses. Firms need to be aware that electronic communications, with all of their modalities such as emojis, GIFs, additions and deletions, are specifically included in the regulator’s risk-based approach.

Risk-based approach

Some of the reasons the Division may select an adviser to examine include, but are not limited to, one or more of the following: 

  • the firm’s risk characteristics
  • a tip, complaint, or referral
  • the staff’s interest in a particular compliance risk area, one of which is clearly recordkeeping given the recent expansion of enforcement action to include investment advisers.

There are also firm-specific risk factors that the staff considers when selecting advisers for examination, such as those related to a particular adviser’s business activities and regulatory history. 

Examinations typically include reviewing advisers’ operations, policies and compliance practices with respect to certain core areas. The information requested regarding the compliance program, risk management, and internal controls specifically includes complaints, correspondence and electronic communications, as well as the process for monitoring those communications.

Firms need to be aware that the full scope of electronic communications needs to be considered. For instance, the expectation is that a firm can identify, capture, search for and retrieve an angry face emoji, which may well be deemed a complaint.

During an examination, the regulator’s staff will request documents and information and will expect the firm to be able to retrieve all the requested records promptly, in order to test the effectiveness of the adviser’s compliance policies and procedures for monitoring, mitigating, and managing risks. Simple policy maintenance is not enough: firms need to be able to evidence that their policies and procedures are working in practice.

Robust recordkeeping underpins compliance with information requests

The Risk Alert is aimed at registered investment advisers but the need for robust and comprehensive recordkeeping is universal for financial services firms. Without the ability to capture, retain, search and retrieve all relevant records, firms will simply not be able to respond to information requests and, by association, will not be able to evidence their compliance. 

Firms may well have done all the right things in all the right ways, but unless they can evidence that compliance, it will be treated as a breach by the regulator. Before a regulator even gets to assessing compliance with specific rules and requirements, a firm that cannot produce requested information will be found to have violated recordkeeping requirements.

The Risk Alert gives a general outline of the likely initial request for information, which would typically include:

  • general information, which provides the staff with an understanding of the adviser’s business and investment activities;
  • information about the compliance risks that the adviser has identified and the written policies and procedures the firm has adopted and implemented to address each of those risks;
  • information to facilitate testing with respect to advisory trading activities; and 
  • information for the staff to perform its own testing for compliance in various areas. 

All of the above areas require a firm to be able to retrieve the requested information, and that can only happen if the firm has already identified, captured and retained it.

Regulatory patience is running out

The Risk Alert is set against a backdrop of more than $2.5bn in fines now having been imposed for communications recordkeeping failures. Regulators around the world expect firms to learn from enforcement actions and, in particular, to review whether their own business activities could suffer from the same gaps in compliance. The Risk Alert makes clear that it is describing risks that firms may consider not only to assess their supervisory, compliance, and/or other risk management systems, but also to make any changes needed to address or strengthen such systems.

In practical terms, firms would be well advised to review their approach to communications compliance and ensure that they have appropriate technical controls and evidence to facilitate the capture, retention, search and retrieval of all relevant records, emojis specifically included.

How Theta Lake can help and ways to learn more

Backed by the investment arms of Cisco, RingCentral, Salesforce, and Zoom, Theta Lake’s multi-award-winning product suite provides patented compliance and security for modern collaboration platforms, utilizing hundreds of frictionless partner integrations including RingCentral, Webex by Cisco, Microsoft 365 and Teams, Slack, Zoom, Movius, Box, Mural, Asana and more.

Theta Lake empowers organizations to safely, compliantly, and cost-effectively expand their use of unified communication platforms by enabling capture, compliant archives, and acting as an archive connector for existing archives of record across video, voice, and chat collaboration systems. Customers benefit from:

  • Searching instantly across participants, all modes of unified communication and collaboration tools, meshed conversations, and timelines in an easy-to-navigate search system that covers and provides full replay for voice, video, chat, email, images, emojis, files, whiteboards, and more.

  • Patented AI & ML to detect, surface, and enable actual response for regulatory, privacy, and security risks in an AI assisted review workflow with remediation and patented UCC security control integrations for protection across what is shared, shown, spoken, and typed.

  • The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to supervisors and regulators. For example, chat messages can be viewed in their native format over the entire history of the conversation, with full context retained including images, GIFs, emojis and reactions.

  • Theta Lake’s risk and compliance suite provides an advanced security and privacy architecture named STAR3 (Secure in Transit, Access, in Redaction, Remediation, and Removal), which is SOC2 Type II certified with ISO 27001 mapping, PCI DSS certified, 17a-4 and audit trail attested, BAA supported, and undergoes regular penetration testing, so our customers, partners, and regulators worldwide are confident in Theta Lake’s data and system security, integrity, and privacy.

Ways to learn more: