This Week in FinTech & Compliance #6: SEC Charges Investment Adviser for Recordkeeping Failures

August 18th, 2023

In our modern day of technology, there are dozens of unique and convenient ways to communicate information. Whether it's through text messaging, community messaging apps like Discord or Slack, or just a simple phone call, communication has never been easier. But, as communication has grown easier and more accessible, so has tracking and infiltrating said communication. Security risks are an everyday concern and both businesses and individuals alike are working to maintain the highest levels of information security on sensitive information. As such, registered investment advisers (“RIAs”) and other members of our industry generally have stringent requirements for cybersecurity and the protection of both company and client personal information. These requirements include policies on how to transmit information between team members, vendors, and clients.

Every year since 2020 the SEC has marked “Information Security and Operational Resilience” as a core exam priority. The SEC continues to see a lack of information security as a prime threat and vulnerability to investors. A recent enforcement action against 11 firms, including an RIA, emphasizes this point. We'll break down this enforcement action and what it means for you.

Wedbush's Record Preservation and Procedures Failure

At the beginning of August 2023, the SEC issued a cease-and-desist order against a dually registered broker-dealer and investment adviser, Wedbush Securities Inc. (“Wedbush”), regarding Wedbush employees communicating via text messaging and other messaging apps on personal devices. These devices and applications, referred to as “Off-Channel Messaging Apps” and “Off-Channel Messages”, were not considered approved methods of communication for business purposes by the firm and thus were in violation of Wedbush's compliance and security policies. Prohibiting Off-Channel Messages is a common practice in the industry; the alternative is to allow these messages and to monitor and archive them, as is done with emails.

Wedbush employees were required to forward any personal texts, chats, or emails they received for business purposes to Wedbush's compliance team to preserve these communications. Any messages sent through approved communications methods were monitored and preserved as standard practice. With this, Wedbush advised employees that any messages that were sent or received on personal devices were not secured by Wedbush's cybersecurity methods and, unless actions were explicitly taken by the employee, were not archived with other business communications.

The SEC's order alleges that Wedbush failed to prevent misuse of employee communications for business purposes on Off-Channel Messaging Applications and failed to preserve these communications, failed to implement appropriate procedures to prohibit these types of communications, and failed to implement a system of review of said procedures, violating multiple rules. This includes a violation of Section 204 of the Investment Advisers Act and Rule 204-2(a)(7) thereunder, which require investment advisers to preserve in an easily accessible place originals of all written communications received, and copies of all written communications sent relating to, among other things, any recommendation made or proposed to be made and any advice given or proposed to be given.

During its investigation, the SEC found that Wedbush's investment adviser representatives and related employees sent and received Off-Channel Messages regarding client investment advice; that Wedbush's supervisory employees communicated for business purposes, both internally and externally, through Off-Channel Messages; and that Wedbush failed to preserve and archive any of these communications.

Wedbush's Remediation Efforts

Wedbush offered a settlement, which the SEC ultimately accepted. The settlement places several obligations on Wedbush, including:

  • The requirement to retain an independent compliance consultant to comprehensively review Wedbush's policies, procedures, training, and preservation related to electronic communications.
  • For two years following the order, Wedbush is required to notify the SEC of any disciplinary actions taken by Wedbush related to electronic communication policy violations.
  • The requirement to conduct a separate, internal audit of Wedbush's electronic communications policies.
  • The requirement to pay a civil penalty of $10,000,000.

Your Key Takeaways

One of the most important aspects of an RIA's role in the adviser-client relationship is to protect the financial interests of and advocate for the advisory client. A failure to maintain explicit cybersecurity measures for communications, as well as the precise archival of these communications, can easily put a client's sensitive data and financial interests at risk. While it is necessary to maintain written security policies and procedures regarding electronic communications, that isn't enough. It is important for RIAs to actively participate in and monitor these policies and procedures on a regular basis.

Firms should take the time to review these procedures and maintain the highest standards regarding communication security. If your current policy is a prohibition of Off-Channel Messages via text messaging and other messaging apps, now is a good time to review this policy and determine if it's reasonably designed and monitored. As a seasoned group of compliance professionals, FinTech Law's team can help you implement the proper policies regarding Off-Channel Messages based on your business model. Contact FinTech Law today.
