Best Practices Guide for Email Surveillance

An important topic in SEC exams has been the application of the SEC’s “Books and Records Rule” to the storage and review of electronic communications by Registered Investment Advisors (RIAs). This Best Practices Guide provides valuable information based on our experience, observations and input from our clients.

Emails, and their attachments, fall under the regulatory definition of “written communications” and therefore are subject to the archiving requirements defined within the Books and Records Rule. The SEC requires that all electronic communications be retained and reviewed. The same logic that applies to email surveillance also apply to review of all other forms of electronic communication, such as text messages, instant messages, and messages sent within social media platforms. For ease of reference, we will refer to all electronic communications as emails.

Policy Requirement:
Because written communications transmitted via any of these electronic means must be captured, archived and reviewed pursuant to the Books and Records Rule, we recommend creating a policy that limits the parameters for permissible written communications. We strongly suggest developing a policy that requires that business communications be transmitted only through approved devices, only through email as opposed to text message or social media platforms, and that strictly prohibits text messages or the use of personal email accounts for business purposes.

To be clear, there is no specific language in the Adviser’s Act requiring the review of emails. However, CCOs are expected to take appropriate steps to detect risks and prevent and correct violations of the firm’s compliance program. It is therefore considered a best practice for the CCO to conduct some level of proactive surveillance to demonstrate that he/she is providing supervision to his/her supervised persons regarding their adherence to the compliance program. Email reviews have become so commonplace that OCIE now routinely includes documentation of email surveillance in their examination document requests.

The OCIE expects that RIAs are reviewing emails periodically to test for inappropriate communications. CCOs or their designees typically conduct reviews weekly or monthly. Less frequently than monthly may result in an inordinate amount of emails and may not be viewed as proactive given that inappropriate communications should be identified sooner rather than later. Note that the CCO must remember to designate someone to review his/her emails as well. Examiners are likely to inquire how the CCO’s own emails are reviewed.

Sample Size:
The rule does not proscribe a set number of emails to be reviewed. Email sample sizes generally range between 3% – 5% of all emails but the percentage should reflect the degree of risk associated with the firm’s investment strategy and business model. The important thing is to comply with the email review procedures. Several firms limit the review to outgoing emails only and this has been satisfactory to examiners. The review should include an equal combination of emails flagged based on key words and email captured based on a random sample.

Key Words:
Emails must be retained in a searchable format. You may develop any set of key words that are likely to elicit emails of an inappropriate nature or that may uncover potential communication issues. Your key words should be kept confidential – you wouldn’t want your team to know which words to avoid using. Some key words that CCOs find useful include:

  • gift
  • political
  • campaign
  • tip
  • inside
  • can’t talk
  • hurry
  • blame
  • compliant
  • ground floor
  • guaranteed return
  • inside information
  • in exchange
  • stellar
  • window ofopportunity
  • risk-free
  • not released yet
  • rumor
  • sure thing
  • time the market
  • my resume
  • not authorized
  • tip
  • without consent
  • growth
  • sexist
  • racist
  • help
  • experience
  • confidentially
  • best
  • owe
  • quickly
  • expensive

The advisor should periodically review its list of key words and key-phrases as the business changes or new risks emerge. Conversely, key words or phrases that cause too many emails to be flagged should be stricken.

Emails must be captured and retained for a period of not less than five years pursuant to the SEC’s recordkeeping requirement. Most email retention vendors will capture and archive all emails sent to and from employees within your advisory firm. Email attachments must also be retained if they concern any of the records required to be kept by Rule 204-2 under the Advisers Act. A full list of such records can be found here.

Email surveillance serves several purposes for an employer. They provide an opportunity to monitor employees’ adherence to the firm’s written communications policy but email surveillance can also serve as a tool to effectively oversee the firm and its employees. Be open to discovering issues in the following areas:

  • Insider trading
  • Undisclosed client complaints
  • Sharing of proprietary information
  • Distribution of unapproved and non-compliant marketing materials
  • Potentially fraudulent statements
  • Suspicious emails from clients who may have had their email account hacked
  • Improper or undisclosed political contributions
  • Inappropriate gifts
  • Job searching
  • Inappropriate work place behaviors

Documentation of Reviews:
The old adage “if it’s not documented, it didn’t happen” rings true particularly in the case of email reviews. Email reviews should be documented to indicate the number of emails reviewed, the number of emails flagged for further review, the number of emails that resulted in a violation of the written communications policy or other company policy, and how issues were resolved. Email retention software should be capable of producing reports documenting email reviews. Regulators will focus on two aspects of your email system: the quality of your archiving software, and your surveillance process.

We hope you find this information helpful. Please contact us with any questions.