Is your working from home tech SEC-compliant?
July 02, 2020 • 7 min read
The Covid-19 pandemic has been with us for some time now and by this point you and your colleagues are probably starting to get used to the reality of working from home. The commute is shorter, as is the queue for the coffee machine on your break, but there are also the difficulties of sharing your office with your family and/or pets. Fortunately, the actual tech side of working from home has never been easier.
The hyperconnectivity of 2020 is one of the few things that has stopped this pandemic bringing markets to an absolute halt.
With a secure internet connection, you can choose from a dozen instant messaging platforms and video conferencing solutions to work with colleagues as if they were in the same room. It’s an adjustment, yes, but working from home works (just ask the people at Twitter who are choosing to continue working from home once this pandemic is over).
What about compliance?
Though you’ve swapped your office for home, the regulations still apply, so it’s important to ensure the tech you’re using to stay connected under lockdown still meets the required regulatory standard.
In normal circumstances, while a business may never be entirely risk-free, its compliance management duties will have been a lot easier.
With all employees based at the same location(s) and working with the correct and approved systems, a compliance department's job benefits from a well-established structure and routine. When this is dramatically changed, however, and employees are placed into isolation, the risk facing a business is exponentially increased. Businesses haven't forgotten compliance though, with new research showing a 40% increase in compliance budgets during the pandemic.
But what about the employees?
In the past weeks and months, people have had to adapt to a new way of working and there is a higher risk that regulations will take a backseat.
Specifically, the regulations most in danger of being overlooked are the ones that sit in the background and are simply a part of administrative duties. Record-keeping responsibilities come under this category and, with markets experiencing extreme volatility and the economy facing unprecedented headwinds, it's understandable that record-keeping rules fall out of mind!
This brings us to rules 17a-4 (and 17a-3 to a lesser extent), which we’ve already written on at length.
Looking back to the text itself, broker-dealers are required to preserve (for three years): “originals of all communications received and copies of all communications sent (and any approvals thereof) by the member, broker or dealer (including inter-office memoranda and communications) relating to its business.”
For advisers, determining the exact requirements is a bit more challenging. Under Rule 204-2(a)(7) of the Investment Advisers Act of 1940 all advisers must maintain “books and records” including all written communications sent or received by the adviser relating to its investment advisory business.
However, Rule 204-2(a)(7) doesn’t explicitly refer to inter-office memoranda and communications.
Even though the rules and regs don’t explicitly address the use of systems such as Slack and Teams, the regulator has already gone into detail on this.
In December 2018, the SEC issued a risk alert on this very issue, raising concerns that compliance programs were failing to accommodate the use of electronic messaging.
The Commission took this opportunity to clarify that the written communications subject to Rule 204-2(a)(7) include these kinds of electronic communications, which therefore still need to be recorded and communicated.
That was two years ago and well before Covid-19 came along to turn everything on its head. During this pandemic, the SEC has been active in reminding the industry of the support and assistance it can provide. At the same time, with severe volatility triggering the NYSE’s circuit breakers several times, ensuring market stability and security is also at the forefront for the regulator.
There is a risk that, with companies working remotely, market abuses will rise and there has already been a surge in fraudulent activity.
Transitioning from the office to the living room is a huge reversal for many businesses that previously promoted workplace security by restricting offsite access (limiting logins for remote working, keeping work devices on the premises, only authorizing the use of certain messaging systems, etc.).
With businesses having to quickly adapt (seen by huge increases in downloads for platforms such as Slack, Zoom and Teams) there is a risk of compliance becoming ‘out of sight, out of mind’.
Although regulated firms are now using these communication and remote working platforms, concerns have been raised. For instance, Zoom has found itself at the centre of a row over security with complaints of people being able to sneak into confidential corporate video calls.
Even though Zoom has defended itself and is investing considerably in improving security measures, this highlights how vulnerable regulated businesses are to these solutions while working from home.
For instance, imagine a multi-billion dollar asset manager that regularly spends millions on its compliance functions. Taken out of its 'natural habitat' and relying on a new remote tech solution, this firm could find itself at risk of considerable SEC fines and share price damage if this tech solution failed.
Choosing the right tech is key and, given your firm has probably already chosen its tech, it's crucial to ensure this is ticking all the boxes from a compliance perspective.
This is because the regulations still apply and if anything they require more attention than before the crisis. The SEC, ironically the first federal agency to ask employees to work from home, has issued numerous pieces of guidance during the pandemic. While some regulations have been temporarily paused to give relief, record-keeping is still very much required.
And this makes sense. With so much regulated activity being carried out ‘offsite’, it’s crucial that should a breach happen it can be fully investigated once the pandemic is finished (or whenever lockdown measures have fully eased).
Having legally-admissible and irrefutable records will be the only way of helping the regulator get to the bottom of such an issue; a black hole in a company’s records simply described as ‘our Covid-19 period’ will not suffice at all.
As we’ve touched upon before, compliance isn’t just about ticking the boxes of regulatory requirements but is increasingly about going above and beyond. Strong compliance processes can not only strengthen a business’s reputation but also increase its internal standards and efficiencies.
Fortunately, some of these platforms like Teams and Slack can be configured to meet SEC and FINRA electronic storage and retention requirements.
However, can the same be said for a business’s website and social media feeds?
These can be popular digital channels for broadcasting Covid-19 related statements, market commentary and other forms of guidance that clients need during these unprecedented times.
Therefore, thorough systems are required to create records of websites and social media to instil further accountability. Looking back to the SEC’s risk alert in 2018, it stated that the SEC: “encourages advisers to stay abreast of evolving technology and how they are meeting their regulatory requirements while utilizing new technology.”
Here, web archiving has become increasingly popular as the digital compliance tool of choice. These archives can be searched, and are time-stamped and tamperproof, which means they are legally admissible for compliance purposes (and can be easily used for future legacy and branding decisions).
The same is true for social media archiving: this is the practice of crawling social media platforms and capturing records of all of the content published. Once again, this is stored in a single archive as a permanent and unalterable record.