This Risk Alert (December 14, 2018) is to remind advisers of their obligations when they allow personnel to use electronic messaging, and to help advisers improve their systems, policies, and procedures by sharing the staff’s observations with regard to Rules 204-2 (Books and Records) and 206(4)-7 (Compliance Programs). The examination staff excluded email because they regard emails as typically residing on the firm’s systems and as not presenting the same challenges as third-party apps or systems.
The examination staff identified the following examples of practices that may assist advisers in meeting their record retention obligations:
Policies and Procedures
- Permitting only those forms of electronic communication that the adviser determines can be used in compliance with the books and records requirements of the Act.
- Prohibiting business use of apps that can allow an employee to send messages or communicate anonymously, allow for automatic destruction of messages, or prohibit third-party viewing or back-up.
- If an employee receives an electronic message using a form of communication prohibited by the firm for business purposes, requiring that the employee move those messages to another system that the adviser has determined can be used in compliance with its books and records obligations, and including instructions on how to do so.
- Where advisers permit the use of personally owned mobile devices for business purposes, adopting and implementing policies and procedures addressing that use with, for example, social media, instant messaging, texting, personal email, personal websites, and information security.
- If advisers permit the use of social media, personal email accounts, or personal websites for business purposes, adopting and implementing policies and procedures for the monitoring, review, and retention of those communications.
- Including a statement informing employees that violations may result in discipline or dismissal.
Employee Training and Attestations
- Requiring personnel to complete training on the adviser’s policies and procedures regarding prohibitions and limitations placed on the use of electronic messaging and electronic apps and the disciplinary consequences of violating the policies and procedures.
- Obtaining attestations from personnel at the commencement of employment with the adviser and regularly thereafter that employees (i) have completed all of the required training on electronic messaging, (ii) have complied with all such requirements, and (iii) commit to do so in the future.
- Providing regular reminders to employees of what is permitted and prohibited under the adviser’s policies and procedures with respect to electronic messaging.
- Soliciting feedback from personnel as to what forms of messaging are requested by clients and service providers, allowing the adviser to assess the risks and how those forms of communication may be incorporated into the adviser’s policies.
- For advisers that permit use of social media, personal email, or personal websites for business purposes, contracting with software vendors to (i) monitor the social media posts, emails, or websites, (ii) archive such business communications to ensure compliance with record retention rules, and (iii) ensure that they have the capability to identify any changes to content and compare postings to a list of key words and phrases.
- Regularly reviewing popular social media sites to identify if employees are using the media in a way not permitted by the adviser’s policies. Such policies included prohibitions on using personal social media for business purposes or using it outside of the vendor services the adviser uses for monitoring and record retention.
- Running regular Internet searches or setting up automated alerts to notify the adviser when an employee’s name or the adviser’s name appears on a website to identify potentially unauthorized advisory business being conducted online.
- Establishing a reporting program or other confidential means by which employees can report concerns about a colleague’s electronic messaging, website, or use of social media for business communications. Colleagues may be “connected” or “friends” with each other and see questionable or impermissible posts before compliance staff notes them during any monitoring.
Control over Devices
- Requiring employees to obtain prior approval from the adviser’s information technology or compliance staff before they are able to access firm email servers or other business applications from personally owned devices. This may help advisers understand each employee’s use of mobile devices to engage in advisory activities.
- Loading certain security apps or other software on company-issued or personally owned devices prior to allowing them to be used for business communications. Software is available that enables advisers to (i) “push” mandatory cybersecurity patches to the devices to better protect the devices from hacking or malware, (ii) monitor for prohibited apps, and (iii) “wipe” the device of all locally stored information if the device were lost or stolen.
- Allowing employees to access the adviser’s email servers or other business applications only by virtual private networks or other security apps to segregate remote activity to help protect the adviser’s servers from hackers or malware.
These are examples that the examination staff has identified. While it is recognized that none of them may be applicable to your operations, we would recommend double-checking before deciding that none of them are applicable.
SEC Charges Former Senior Attorney at Apple with Insider Trading
Also known as SEC v. Gene Daniel Levoff, this was a litigation release filed by the SEC on February 13, 2019.
“The SEC’s complaint alleges that Gene Daniel Levoff, an attorney who previously served as Apple’s global head of corporate law and corporate secretary, received confidential information about Apple’s quarterly earnings announcements in his role on a committee of senior executives who reviewed the company’s draft earnings materials prior to their public dissemination. Using this confidential information, Levoff traded Apple securities ahead of three quarterly earnings announcements in 2015 and 2016 and made approximately $382,000 in combined profits and losses avoided. The SEC’s complaint alleges that Levoff was responsible for securities laws compliance at Apple, including compliance with insider trading laws. As part of his responsibilities, Levoff reviewed and approved the company’s insider trading policy and notified employees of their obligations under the insider trading policy around quarterly earnings announcements.” (emphasis added)
Additionally, Levoff traded on material nonpublic information in 2011 and 2012, resulting in approximately $245,000 in profits.
“Apple fired Levoff last year after conducting an internal investigation in response to contact from the authorities. During his career at Apple, he was one of the people responsible for ensuring that employees followed the company’s insider-trading policy. In 2015, he even implemented an update to the policy. The SEC’s filing says that, on three occasions in 2010 and 2011, Levoff emailed employees to warn them that the company was entering a blackout period and that they were prohibited from trading Apple shares. Two of these emails were “immediately prior” to his 2011 insider trading.
One of those emails included the following all-caps reminder:
REMEMBER, IS NOT PERMITTED, WHETHER OR NOT IN AN OPEN TRADING WINDOW, IF YOU POSSESS OR HAVE ACCESS TO MATERIAL INFORMATION THAT HAS NOT BEEN DISCLOSED PUBLICLY
The SEC is demanding Levoff pay a sum equal to the profits made and losses avoided over the last five years (which would eliminate 2011 and 2012), along with a penalty of three times that amount. The agency is also demanding that he be banned from serving as an officer or director of a public company. Simultaneously, the US Attorney in Newark, New Jersey, has filed criminal charges, which carry a maximum penalty of 20 years in prison and a $5 million fine.”
We like this Risk Alert. The SEC is not badgering us about something that they think we have messed up, but making suggestions on things we can do to prevent issues from arising. It is a take-it-or-leave-it situation, but before you leave it, make sure it would not apply.
We think we will hear more about Levoff in the future, since he pleaded not guilty and was released on a $500,000 bond. We would also think that he could lose his law license. The big question is, how responsible is Apple for not implementing policies and controls around insider trading? The article above indicated that Apple conducted an internal investigation, after being notified by the authorities. They had violations in 2011, 2012, 2015, and 2016, and no one caught it? This was not a situation where Apple identified the problem and went to the authorities.