Compliance: Email Archiving and Surveillance

An important and modern advancement of the SEC’s “Books and Records Rule” is the storage and review of email activity by Registered Investment Advisors (RIAs).

Emails, and their attachments, fall under the regulatory definition of “written communications” and therefore are subject to the archiving requirements defined within the Books and Records Rule. Additionally, CCOs are expected to ensure that the content of these electronic communications remain within regulatory guidelines and consistent with the fiduciary standard to which they are held by documenting periodic reviews of the archive.

Email Archiving & Surveillance in a Nutshell

Your RIA needs to ensure that email with clients is preserved in an archive and regularly reviewed for compliance concerns, specifically violations of the fiduciary duty and misleading or other inappropriate communications. The Books and Records Rule for RIAs states that “written communications” are subject to archiving requirements of all RIAs. Specifically, written messages with clients must be kept (with some exceptions) for a period of five1 years, the most recent two of which must be stored on-site or immediately accessible from your office. As is the case with all books and records, cloud-based systems that are accessible from on-site are considered "on-site" since files and information stored there can be produced without traveling to another location. Email messages that fall under the Books and Records Rule are those sent or received by employees of RIAs that fall into any of these categories:

Any recommendations or advice proposed or given

Any receipt, disbursement or delivery of funds or securities

Communications relating to the placing or execution of any security trade

And more generally, communications with clients regarding:

Compliance Program

Client Management

Trading

Marketing

Business Management

Potentially others, depending on your RIA’s specific business practices

For more detail on the Books and Records Rule, please see our prior blog post here , and also the text of the full Books and Records Rule 204-2 here .

Email Archiving
Email messages and attachments must be archived in a manner that preserves their original record state. It is the CCO's responsibility to ensure that all email records are maintained and protected from any alteration or destruction. Additionally, it is the CCO's responsibility to ensure that client communications are conducted on an email system that is being archived (that is, no personal email accounts) to ensure that future communications will be archived. The CCO should also be familiar with the email archiving system used and know how to retrieve items from it for review or to produce for regulators upon request. Similar to your other books and records, regulators allow for cloud-based, electronic storage of email messages and attachments. The key is that you can demonstrate your ability to:

reasonably safeguard them from loss, alteration or destruction,

prevent unauthorized access from individuals outside your firm, and

retrieve archived messages in their original recorded state based on keyword searches, employees and/or specific time frames.

Technology controls of archived email should be understood and reviewed periodically to ensure that they are reasonably configured to minimize risk of loss or destruction. Access should be reviewed as well to ensure that only those responsible for administration or review have access to edit or view the archive. Note: Your “Inbox” does not demonstrate the proper archiving standard expected by regulators because anyone who has access to that inbox has the ability to alter or destroy messages or attachments.

Email Surveillance
While the Books and Records Rule requires that you keep copies of your email communications and attachments, there is no specific language in the Adviser's Act to monitor or periodically search emails. However, CCOs are expected to follow procedures to detect risks, prevent and correct violations of the compliance program, so it is considered a best practice to conduct some level of proactive surveillance in order to demonstrate that as CCO you are providing supervision to your supervised persons regarding their adherence to the RIA's compliance program.

CCOs would therefore want to implement some periodic review of the messages that are sent and received, so as to ensure compliance with SEC (or state) regulations that impose fiduciary and supervisory duties, like adherence to your Code of Ethics and advertising constraints, among others. The frequency and depth of review should be based on the structure and complexity of your RIA's business, and the CCO's familiarity or involvement with the client communications of a particular supervised person. If the CCO works closely with one but remotely with another, it would be reasonable for the CCO to apply greater supervision of the remote person's email archive messages. Finally, the CCO should document these surveillance reviews of the email archive and capture information at least regarding the time period reviewed, the number of messages in the time period, the number of messages reviewed, whether or not issues where found, and the resolution to those issues.

Through the Regulator’s Eyes

Regulators will focus on two aspects of your email system: the quality of your archive, and your surveillance process. In their view, these tasks are designed to protect your business and clients from unauthorized access or disclosure of sensitive data, and also to ensure that your RIA is actively monitoring its supervised persons and addressing issues internally. Regulators expect you to be able to retrieve any email sent or received that may be used to substantiate your finances, support the decisions made on behalf of your clients, or validate that you are always adhering to your fiduciary duty. The documentation of your surveillance activities should reasonably demonstrate that as CCO you are applying supervision to the communications between your supervised persons and your clients.

Recently, the SEC Commissioners’ opinion has also clarified that a RIA's obligation to produce electronic records includes employees’ personal email messages, instant messages, text messages and personal computer hard drives when they are used for business purposes. This is why it is critical to ensure that approved mediums for written communications are included in your archive.

Thinking through an advisor complaint will help define the expectations that will be placed on your RIA during an examination. Regulators are required to respond to every complaint lodged against an RIA, and in that response, they may request that you produce any and all written communications, including emails, sent and received between the RIA and the client involved. As such, you want to be confident that those records exist and are ready to retrieve. A complete history of all communications through the past five1 years in a readily accessible archive will allow you to promptly respond to the regulator’s request and reach a resolution. Additionally, the regulators may wonder why it reached this point, and look to your policy and process of email surveillance and the business practices that surround them. Regulators want to ensure that you are reasonably monitoring your employee’s communications that are subject to the Books and Records Rule, to verify you have a satisfactory level of prevention to internally address potential issues before they escalate. In response, you will want to provide reports and supporting documentation of email surveillance performed by the CCO of the RIA.

Most states enforce the Books and Records requirement on RIAs in a manner consistent with the SEC, but you are under the oversight of state regulators, you’ll want to familiarize yourself with their requirements as well.

CCO Best Practices for Email Archiving & Surveillance

Know the different ways in which your supervised persons could exchange written communication with your clients.

Consider creating an approved technology and device list, so as to limit unauthorized use of written communications with clients and limit the scope of your RIA's technology usage for the purposes of monitoring and regulatory examination. For example, requiring that business communications and documents are transmitted only through company-owned computers or devices, or even applications such as email but not instant message.

Expect regulators will request to review personal email or messages sent, received or stored on personal devices, such as personal cell phones, so as to ensure that there is no business usage of those devices, and prepare your employees for those requests.

Periodically conduct email reviews of your archive, and try to focus on supervised persons or clients which with which you are less familiar in order to have a broad understanding of communications among all supervised persons and your firm's clients. Document all reviews conducted and parameters of the archive being reviewed.

Use keywords to try to find suspicious emails, such as by searching for keywords such as “complaint”, “guarantee”, “superior”, “great performance”, “guaranteed performance”, "disappointed", "trick", etc. Contact your email archiving vendor to see if they are maintaining a list for you to use. Here are the ten most commonly flagged fraud terms from Smarsh .

Don’t approach email surveillance and archiving as a compliance chore. The best practice in the long term is foster strong relationships between compliance and the individuals that are subject to your RIA's compliance program. For instance, ensure that compliance is represented in any discussions related to operational or technology changes, such as a new approved device for client communications and the related compliance components to authorize that device's use.

Integrate your email surveillance and archiving requirements into your RIA's technology architecture to strengthen your culture of compliance among your technology operations, and keep current with any changes in your technology policies and procedures.

Perform due diligence on vendors that provide your firm with applicable communication streams, such as cloud-based email archiving service providers, to verify they have appropriate physical, electronic and procedural safeguards. Document the results of this due diligence and include in your annual CCO report.

The Books and Records Rule generally requires records to be kept for five or more years, from the end of the fiscal year in which an entry was last made to the record, with the most recent two years being accessible from the RIA's primary office location.