A Winning Strategy: Corporate Accountability for Personal Devices
Best Practices for Broker-Dealers and RIAs
By Anna de Venoge, Supervisor; Rachel DiDio, Partner; and Victor Peña, Partner
The shift to remote work arrangements over the past few years has dramatically accelerated a digital transformation in our workplaces and fueled the adoption of personal devices for work purposes. Recent estimates indicate that more than 85 percent of businesses rely on their employees to use personal communication devices for work, with many employees likewise finding it easier and more efficient to use their own devices to manage work tasks.
This pervasive use of personal devices introduces significant challenges for businesses in maintaining data integrity, security and compliance with regulatory requirements — particularly in the financial services industry, where firms are subject to record-keeping regulations for broker-dealers and registered investment advisers (RIAs).
We have analyzed the landscape, reviewed the relevant regulations and enforcement actions and compiled a list of best practices to share with you, our financial services business partners.
SEC Record-Keeping Regulations Remain Relevant — Even in This BYOD Environment
Regulations governing record keeping are not new for the financial services industry. Even though many businesses have moved to a bring-your-own-device (BYOD) model and the protocols of corporate communication through personal devices continue to evolve, the U.S. Securities and Exchange Commission (SEC) has maintained its focus on compliance with legacy regulations. What remains relevant:
- The Securities Exchange Act of 1934 Rule 17a-4(b)(4) requires broker-dealers to preserve originals of all communications received and sent relating to their business for a minimum of three years.
- Similarly, the Investment Advisers Act of 1940 Rule 204-2(a)(7) requires that investment advisers preserve, in an easily accessible place, originals of all communications received and copies of all written communications sent relating to, among other things, any recommendations made or proposed to be made and any advice given or proposed to be given.
The Ramifications of Non-Compliance
The SEC has been increasing scrutiny of how companies manage and monitor business communications, emphasizing that the use of personal devices does not absolve companies of their obligation to preserve and oversee business-related communications. Here’s recent proof:
- In an SEC press release dated September 27, 2022, the SEC highlighted its findings of widespread record keeping failures by 16 firms and their employees to maintain and preserve electronic communications. Focus was placed on the lack of maintenance of business-related “off channel” communications between employees on personal devices.
- The firms were charged penalties totaling more than $1.1 billion for the violations, marking a critical point in the SEC’s stance on corporate accountability and record-keeping regulatory compliance.
- The firms were charged penalties totaling more than $1.1 billion for the violations, marking a critical point in the SEC’s stance on corporate accountability and record-keeping regulatory compliance.
- More recently, the SEC announced on April 3, 2024 charges against an advisory firm for widespread and longstanding failures to maintain and preserve certain electronic communications. According to the press release, firm employees also engaged in “off-channel” communications regarding the business which the firm failed to maintain and preserve as required by federal securities laws and the firm’s policies and procedures.
- The adviser agreed to pay a $6.5 million penalty and to implement improvements to its compliance policies and procedures.
Five Best Practices to Help You Comply
These SEC findings reinforce the importance of implementing and maintaining robust compliance frameworks to effectively monitor the use of personal devices. We share the following Five Best Practices to help your financial services firm navigate this regulatory environment:
- Implement clear policies and procedures around the use of personal devices to conduct business. This includes keeping up with new technology and the changing regulatory environment by routinely reviewing and updating them.
- Invest in advanced technology solutions to manage the use of personal devices. Mobile Device Management systems, for example, can provide a cost-effective way to ensure compliance across all devices.
- Educate employees through routine mandatory training that brings awareness to the risks of non-compliance. This can be an important line of defense to reduce the risk of personal-device misuse.
- Establish surveillance protocols to identify communications that may contain sensitive business information shared through personal devices. Continuous monitoring is essential to identify issues and, in turn, determine solutions.
- Engage an external expert if you don’t have the in-house expertise to implement and monitor policies and procedures to ensure compliance when using personal devices to conduct business.
Contact Us
In today’s digital work environment, proactive compliance is not just a regulatory requirement, but a strategic advantage. As always, our specialists are prepared to help you monitor and identify potential concerns and move quickly to resolve them. For more information about compliance, personal device management, monitoring and cybersecurity, contact a member of your client service team or feel free to connect with us directly:
Anna de Venoge
Supervisor
Broker-Dealer Specialist
646.699.2916 I adevenoge@pkfod.com
Rachel DiDio
Partner
Broker-Dealer Specialist
646.965.7780 I rdidio@pkfod.com
Vic Peña
Partner
Broker-Dealer Practice Leader
646.449.6380 I vpena@pkfod.com