Key Issues for Investment Management Firms
What are the challenges regulated investment management firms are facing when using the internet?
We asked Jane Jarcho, the former Deputy Director of the SEC's Office of Compliance, Inspection, and Examinations (OCIE) and head of the National Investment Adviser and Investment Company Exam program, who recently joined the Promontory Financial Group as a consultant on regulatory and exam issues.
At the OCIE, Jane Jarcho oversaw its program areas, including Investment Adviser/Investment Company (IA/IC), Broker-Dealer and Exchange, FINRA and Securities Industry Oversight, and Clearance and Settlement. Ms. Jarcho also led the IA/IC examination program. Under her leadership, the number of IA/IC examinations increased by more than 100 percent.
The interview was conducted by Chirag Vasavada, Head of Business Operations at Authentic8.
Chirag Vasavada: Jane, given your tenure and experience across the SEC's program areas, you're in an ideal position to speak to the challenges faced by regulated entities today. The industry is under increased scrutiny from federal and state regulators. What's driving this and who is the most impacted?
Jane Jarcho: OCIE, and I would say other regulators as well, have always relied on compliance professionals as a first line of defense and review. Early on, the SEC focused on looking for market manipulations and pump and dumps and offering frauds that were being offered over the internet. That was the first phase.
More recently, they started looking at the different forms of communication that occur over the internet, in two categories: communication, such as any of the popular apps or Facebook that people use to communicate, as well as reviews - l and other types of review platforms. And like any new technology, that required an application of old rules that were written when this new form of communication was not envisioned.
Because online reviews and referrals were becoming the new normal how people did business or looked for business, this became an area of interest. And then, of course, there's always internet security. So I'd put that as a third category.
”Certain Types of Checks Would be Expected”
The technological challenges are probably no different in the securities industry than in many other industries, right? And that is a constant. What's important is that a firm can show that it is performing certain types of checks that would be expected to protect their client information and to protect their assets.
What are they doing to check to see what sort of attacks are occurring? What policies and procedures have they put in place? Then, what do they have in place if in fact someone is able to breach their wall and get in, what happens once [attackers] are inside their system?
Are attackers able to run around the system and get into everything? Or are things segmented off? Penetration testing and things like that would be expected. I'm not going to say there's a rule that requires it, but it would be expected just because, at this point, it's a necessary business practice.
Chirag Vasavada: Managing communication with clients or prospective clients, managing the way the firm markets and advertises itself and reviews its services, testimonials… - that seems to be a little bit more tricky. How do regulated entities manage that risk and what trends have you seen there?
Jane Jarcho: I referred earlier to a rule which was written without ever anticipating the internet. That rule applies here. It is the Advertising and Testimonial rule, which was written in 1961 and hasn't been substantially amended since. It prohibits the use of testimonials and endorsements of any kind concerning advice given by the adviser.
On the Internet, What is a Testimonial?
I think the concern with respect to the testimonials is that they're undoubtedly prohibited under the rule. So the question becomes, what is a testimonial on the internet? And what's allowed and what's not allowed?
The best place for anyone to go is the Guidance on the Testimonial Rule and Social Media, provided by the Division of Investment Management in 2014, that gave pretty good guidance on what the SEC is thinking.
The social media site must be independent, which includes having no material connections. Any comments that would be listed must be independent. And someone in a regulated entity obviously cannot author them, direct someone to author them or use an alias to come up with comments. If you have comments, they can't be modified by the firm or the individual. If there's a comment section and five people make a comment and three of them are negative, if they remove those three, that's a problem.
Chirag Vasavada: So if I were a Chief Compliance Officer or an IT administrator of a regulated entity, beyond writing a comprehensive policy compliance manual, are there steps that would be reasonable and prudent for me to take?
Jane Jarcho: I’d refer again to the 2014 investment management guidance because I think it really does give good guidance around those issues.
Having said that, not all public commentary on social media is prohibited. There can be statements, both by an individual investment adviser rep, as well as by clients. A chief compliance officer has to go back to the [investment management] guidance for the checklist that tells you what's permitted and what's not permitted.
It would be prohibited under the guidance to, say, invite clients to post testimonials. It would be prohibited to remove unfavorable comments or edit them. It would be prohibited to submit false statements on a social media site. But a submission might be permissible if it doesn't fall into the various prohibited categories.
Chirag Vasavada: Over your tenure, how have areas of risk changed? And what implications does that have?
Jane Jarcho: Early on they were about not having the right policies and procedures written up. As time changed and the internet became a common means of communication, we had to add [online] reviews, for example.
Monitoring Employee Communication - But How?
Still high on the list of risks is how people communicate, because the rules require that certain and most communications of a registered rep or an IA rep be retained. But now people communicate on apps that are set up so that nothing is retained. Or they communicate outside of the regular forms.
It used to be that everyone communicated just on their business email, right? But now we all carry around a phone, and you can get information and communications that way, and you might have four different or more email accounts.
So the policies and procedures have to answer the question: What are you doing to make sure you are monitoring and covering all of the possible ways that your employees may be communicating?
Chirag Vasavada: What are the blind spots today that firms need to think about?
Jane Jarcho: Probably the single biggest compliance headache is the forms of communication that are on a personal device.
What steps can a firm take to at least monitor those [personal devices]? That's a big challenge. First, you set up policies and procedures that are very clear about what's allowed and what's not allowed. And then you get the employee training. So that's worth what it's worth, right?
But you have to think beyond that approach. You have to include some form of surveillance. You should be surveilling emails, because the email where it says "let's take this offline" is the one that you worry about.
You also need to think about what possible guidance you could give to clients to let them know that they should not be contacted through any means except for the ones approved by the firm. Some firms have notified clients that “if you're being contacted through other means, then you should let us know.”
Chirag Vasavada: It definitely feels like the personal device area is a quagmire. The other area of risk that seems to be a source of angst for Chief Compliance Officers and CISOs are social media, webmail, and online storage or file-sharing services. Which risks are associated with those sites from a compliance point of view?
Sources of Angst for CCOs
Jane Jarcho: Some of them have to do with what we were discussing earlier. Can what's being said on those social media sites, either by the individual who's making comments or by others that are responding, violate the testimonial rule or create other regulatory issues?
When you get to things like [cloud] storage, I think there's a certain amount of evidence now that, with the right storage providers, [the cloud] might be the safest place. A vendor that has put tremendous amounts of knowledge and money into making their cloud storage safe may be doing a better job than any individual company can do.
I think there's a changing view that the cloud now might be able to provide some of the safest places to put information.
Chirag Vasavada: You mentioned earlier the importance that the firm surveil its employees' email communication. It makes me wonder whether that requirement also extends to web activity?
Jane Jarcho: Yes, absolutely. Absolutely. It covers any place where somebody might post, "let's take that offline." So that could be an email; it could obviously be a text message, and it could be a lot of other things. You may not be able to stop everything. But those are the places that you're looking to surveil, where it will give you a clue that there was a communication where somebody thought, "let's not have this communication here."
Chirag Vasavada: There’s a related question in many firms that we've encountered. Most firms in the industry use a message archiving service that allows you to record and store standard channels of communication -- email, instant messenger, chat, text messaging, etc.
But where it becomes less clear and you get more dispersion across the firms is for social media sites, blog sites, places where people might post comments that are professional or express a professional opinion, or a quasi-professional opinion.
With those sites, it's not clear whether firms are required or if it is even prudent for them to monitor those sites. What’s your perspective on that as a former regulator?
Jane Jarcho: If a firm is permitting any sort of communications on those sites, they probably have an obligation to surveil them and to keep records in accordance with the record retention requirements.
“Obligation to Surveil”
I've seen firms that tell their employees as part of their policy: “If you're going to use text messages to conduct business, you have to make a copy of them and in some way get them into our system, because when you're communicating with a client about business, we're required to keep those communications.”
Whether that works or not, I don't know. But the firm requires that.
Chirag Vasavada: What about personal email? If you were ever to forward, even accidentally, something from your professional account to your personal email account, would that make the personal email account subject to review and surveillance as well?
Jane Jarcho: Let me put it a different way. If you had a communication with a client on your personal email, whether it was forwarded or not, and it was about the nature of the business: yes, those emails need to be forwarded back and archived. Because the fact that you had it on your personal email doesn't mean that it wasn't a business communication which there needs to be a record of.
Chirag Vasavada: So if the topic or the subject matter is professional in nature and it relates to marketing the firm, its activities or its ideas, then…
Jane Jarcho: ...that falls within the purview of compliance for the firm as well as for regulators, yes.
Chirag Vasavada: Is there latitude for individuals who want to express a personal sentiment in a non-professional capacity? A lawyer that wants to express an opinion about a court ruling, or an analyst that wants to express a comment about a general news item that might have an impact on the market?
Jane Jarcho: Clearly somebody is free to express their opinions that are unrelated, on a website, in a chat room, in an op-ed, and wherever. It then depends more on the terms of the firm's policies and procedures.
Chirag Vasavada: Are there topics here that we haven't explored that you think are important to touch upon? Areas that are sources of vulnerability, or places where firms ought to do more work in thinking through their policy?
Jane Jarcho: I think there is such a topic, and it’s related to some of the things we talked about. It turns out that the most dangerous breaches in the system happen because of human error - because employees click on something. And the truth is they almost always know they're not supposed to.
When Employees Click, Bad Things Can Happen
Firms need to remind themselves that this is how most bad things happen. Anything they can do to prevent this situation is a really helpful step.
Chirag Vasavada: You pick a really good point there. I would add that re-architecting the way individuals interact with the web also helps. Having measures or mechanisms in place to prevent the click, or to make sure that employees are insulated from the consequences of that wrong click.
Jane Jarcho: It's probably one of the most important things that firms should think about. This is compliance spending dollars in high-risk areas, so whatever various ways there are in addition to educating employees, it seems to me a good investment.
Chirag Vasavada: Jane, thank you so much for your time, I really enjoyed our conversation. Where can readers find out more about you and your consulting services online, hopefully using a secure browser?
Jane Jarcho: My email at Promontory is firstname.lastname@example.org.
About the interviewer: Chirag Vasavada’s responsibilities at Authentic8 include finance and strategy, commercial sales, and customer success functions. Before joining Authentic8, he spent 13 years in the investment management industry at T. Rowe Price, Fidelity and several alternative investment managers, responsible for building and overseeing investment teams as well as for research and compliance functions.