Special Report: Best practices in e-mail retention
As SEC examiners increasingly make e-mails a key part of routine inspections, we have culled some best practices regarding e-mail retention from remarks by SEC staff and outside experts at recent industry conferences:
• Saving all e-mail is the easiest approach, and it safeguards against honest mistakes. You are only required, though, to keep e-mails that, if they existed on paper, would be a required record. It is fine to discard non-required e-mails. However, once the SEC begins an examination and asks for an e-mail, it should not be destroyed, whether it is a required record or not.
• If you are deleting any e-mail, you need a crystal-clear policy documenting how that is being done and why. Establish a systematic way of deleting non-required e-mails, with a review step before anything is destroyed. Example: all e-mails initially targeted for deletion are forwarded to a mailbox for review by the firm's compliance officer before any of them are destroyed. The review is conducted by searching that mailbox for certain predefined words, and the CO then reads somewhere between 5% and 25% of the e-mails containing those key words. Keep the word list, the sampling rate and the reviewer's sign-off with the policy, so that a later examiner can see what was screened and why. Warning: if you are currently purging all your e-mails, you have a problem.
• Printing out required e-mails can work. If the cost of e-mail archiving software is prohibitive, you can simply print out required e-mails and save them. Filing paper copies, or putting them in a repository where other like information is retained, is one acceptable way of keeping e-mails. However, it can make your life more difficult. People often forget to print out the attachments. If the SEC asks for e-mails from a certain period, hard-copy files can be difficult to sort through. Then, too, examiners often want internal e-mails, so keeping only client communications may not be enough.
• SEC examiners have the right to see all your e-mails, whether or not they actually are "required records," unless they are privileged. Firms need to think ahead and say, "Well, how can we effectively retrieve those e-mails that don't represent books-and-records-required information but that we nevertheless have?"
• What is the SEC looking for? Requests from SEC examiners "are fairly broad." Typically exam staff ask either for all e-mails or for those of specific personnel in the firm. A typical request covers e-mail for the past 90 days. Large firms may get requests from the SEC for the e-mails of specific people covering three months; smaller firms are typically asked to provide e-mails for all personnel.
• Be prepared to deliver requested e-mails "promptly", but not necessarily within 24 hours. While "promptly" has traditionally been viewed by SEC staff to mean 24 hours, there is no strict 24-hour rule. "But we expect to get them pretty quickly," SEC officials advise. For bigger requests, the firm can offer to provide them on a rolling basis, SEC staff say.
• Do a test run before the SEC shows up. Work through responses to model examiner requests, such as requests for e-mails relating to a particular client; involving transactions in the shares of a certain issuer; sent on a certain date or during a certain period; or to or from a certain person. This can make for long chats with your IT department or your software's technical support providers, but it is better to have those chats now, while you don't have a gaggle of SEC examiners waiting in your conference room.
• When responding to an OCIE request, keep examiners in the loop. If "you get a request for e-mails and for one reason or another production will not be prompt, talk to the examiners," say SEC officials. Explain your situation to the examiners. "This is a new process," SEC officials admit, "and firms historically perhaps haven't paid that much attention to it."
• Expect to provide personal e-mails. If you allow your employees to use business systems to send personal communications, and personal e-mails are on the system, SEC examiners will expect to see them. There is no obligation for advisers to keep purely personal e-mails. "On the other hand," say SEC officials, "our examination authority goes to all records."
• Flag your privileged e-mails. Firms can flag e-mail as subject to attorney-client privilege, and the SEC will ask that such documents be tagged accordingly. Some lawyers put "PRIVILEGED AND CONFIDENTIAL: ATTORNEY-CLIENT COMMUNICATION" at the start of the subject line and prominently within the e-mail. That doesn't mean the claim won't be challenged. If a claim of privilege is made, examiners will expect advisers to list those e-mails in a privilege log.
• What's good for the goose may be good for the compliance officer. Several SEC officials and industry experts suggest that compliance officers make like the SEC and dig through e-mails. Compliance officers should ask themselves, "Do I have people in my firm who are saying one thing to me, or who told me one thing, and in fact are doing things that are totally different?"
• Clearly state who (by name, not just a title) employees can approach should questions arise. The individual ultimately accountable must be named. Omitting this detail could lead to a "failure to supervise."
• Have all employee e-mails simultaneously go to the CO's e-mail box. Consider using Microsoft Outlook and take the additional step of contracting with your Internet Service Provider to deliver duplicate copies of all e-mail to an archiving computer; the CO can then immediately access all e-mail from that computer. The copy should be made by the mail server or the provider, not by a client-side rule that an employee could switch off, and the CO's own mailbox should not be the only copy.
• Implement rolling procedures whereby you burn e-mail files to CD and then archive them. Burn the e-mail file to CD on a weekly basis and store the discs off site, and keep an in-house backup as well. If an SEC examiner were to walk in, an in-house backup would allow you to provide "virtually instantaneous" access to e-mails. Or, have an arrangement with your storage site that allows CDs to be back on site within 24 hours. Alternatively, consider adding another server on which all e-mail is stored. Whichever you choose, record what each weekly set covers (date range and message count) so that a gap in the archive is visible before an examiner finds it.
• Make employees aware in your policies that the CCO and the SEC will be looking at e-mail, to focus employees on using e-mail only for appropriate business purposes.
• Do not create standards that you can't live up to. And if you opt to rely on individual employees to identify and retain required e-mails (by printing them out and saving them in the client file, or by cc-ing them to a "records" e-mail mailbox), make sure your procedures include back-end checks on whether employees are actually doing so.
• Review the archived e-mails. NASD Conduct Rule 3010 requires broker-dealers to supervise e-mail.
• What about Instant Messaging? The SEC has not issued guidance on IMs, but the NASD has previously stated that IMs are considered e-mail. Some firms have banned instant messaging.
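Three of the procedures above (the keyword screen with sampled review before deletion, the "test run" of model examiner requests by person, date and keyword, and the privilege log built from subject-line tags) are mechanical enough to script. The following is an added example written for this page, not code from the report or from any SEC or NASD guidance. It uses only the Python standard library; the four messages in the archive, the addresses, the watch-word list and the date handling (inclusive ISO dates compared against each message's own Date header) are all assumptions made for the example.

```python
"""Added example, not the report's own code: compliance queries over a small
constructed e-mail archive using only the Python standard library."""
import random
import re
from email import message_from_string, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample archive: four RFC 822 messages with invented addresses.
RAW_MESSAGES = [
"""Message-ID: <m1@example.test>
Date: Mon, 03 Mar 2003 09:15:00 -0500
From: alice.trader@adviser.example
To: bob.pm@adviser.example
Subject: ACME Corp block trade

Executed 50,000 shares of ACME Corp for the Smith family account today.
""",
"""Message-ID: <m2@example.test>
Date: Tue, 04 Mar 2003 14:02:00 -0500
From: counsel@lawfirm.example
To: cco@adviser.example
Subject: PRIVILEGED AND CONFIDENTIAL: ATTORNEY-CLIENT COMMUNICATION - exam prep

Draft responses to the examiner's document request are attached.
""",
"""Message-ID: <m3@example.test>
Date: Fri, 07 Mar 2003 18:40:00 -0500
From: bob.pm@adviser.example
To: alice.trader@adviser.example
Cc: cco@adviser.example
Subject: lunch on Friday?

Nothing work related, just checking whether you are free.
""",
"""Message-ID: <m4@example.test>
Date: Wed, 12 Mar 2003 10:05:00 -0500
From: bob.pm@adviser.example
To: client.smith@clientmail.example
Subject: Re: your account statement

Attached is the quarterly statement for the Smith family account.
""",
]
# Assumed watch-word list; a real one is written into the deletion policy.
WATCH_WORDS = ["trade", "shares", "account", "statement", "privileged"]
PRIVILEGE_MARKER = "PRIVILEGED AND CONFIDENTIAL"

def parse_archive(raw_messages=RAW_MESSAGES):
    """Parse raw RFC 822 text into EmailMessage objects."""
    return [message_from_string(raw, policy=policy.default) for raw in raw_messages]

def _addresses(msg):
    """Every address in From/To/Cc, lower-cased (display names dropped)."""
    pairs = getaddresses([str(msg[h]) for h in ("From", "To", "Cc") if msg[h]])
    return {addr.lower() for _, addr in pairs if addr}

def _searchable_text(msg):
    body = msg.get_body(preferencelist=("plain",))
    return f"{msg['Subject']}\n{body.get_content() if body else ''}"

def find_messages(msgs, person=None, since=None, until=None, keyword=None):
    """Model examiner request: e-mails to or from a person, sent between two
    ISO dates (inclusive, by the message's own Date), and/or mentioning a keyword."""
    hits = []
    for msg in msgs:
        if person and person.lower() not in _addresses(msg):
            continue
        sent_on = parsedate_to_datetime(str(msg["Date"])).date().isoformat()
        if (since and sent_on < since) or (until and sent_on > until):
            continue
        if keyword and keyword.lower() not in _searchable_text(msg).lower():
            continue
        hits.append(str(msg["Message-ID"]))
    return hits

def review_deletion_queue(msgs, keywords=WATCH_WORDS, sample_rate=0.25, seed=0):
    """Pre-deletion screen: anything matching a watch word is held for the CO and
    a fixed fraction of the held items is sampled for reading; the seed makes the
    sample reproducible for an audit. Returns (flagged, sampled, cleared)."""
    pattern = re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)
    flagged, cleared = [], []
    for msg in msgs:
        bucket = flagged if pattern.search(_searchable_text(msg)) else cleared
        bucket.append(str(msg["Message-ID"]))
    n = max(1, round(len(flagged) * sample_rate)) if flagged else 0
    return flagged, sorted(random.Random(seed).sample(flagged, n)), cleared

def privilege_log(msgs, marker=PRIVILEGE_MARKER):
    """Privilege log entries for Subject-tagged messages; examiners get the log."""
    return [{"message_id": str(m["Message-ID"]),
             "date": parsedate_to_datetime(str(m["Date"])).date().isoformat(),
             "from": str(m["From"]), "to": str(m["To"]),
             "basis": "attorney-client communication"}
            for m in msgs if marker.lower() in str(m["Subject"]).lower()]

if __name__ == "__main__":
    archive = parse_archive()
    print(find_messages(archive, person="bob.pm@adviser.example", since="2003-03-05"))
    print(review_deletion_queue(archive), privilege_log(archive))
```

Two design points follow the text rather than convenience: the sample drawn from the flagged messages is seeded, so the same review set can be reproduced if an examiner later asks which items the CO actually read, and the privilege log records only metadata and the basis for the claim, never the message body. The keyword screen only finds what is on the watch-word list, which is why the list itself belongs in the written deletion policy.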