The SEC and states alike require their investment adviser registrants to maintain certain books and records, typically for five years. We encourage all firms, especially startups, to review the applicable recordkeeping rules to ensure that they understand them and can build appropriate policies and procedures for maintenance. Though we provide some practical tips below, firms should discuss any questions with their legal counsel and/or compliance consulting firm.
- Limit compliance files to compliance items. For example, it might be tempting to include personal trading and HR files in the same employee personnel file, but avoid this. If a firm is examined, examiners likely will request records of employee trading. Keeping the two sets of files separate will help firms provide responsive documents efficiently and avoid needlessly expanding the scope of the examination. Hint: if examiners do ask for personnel files, it can be a sign that a routine examination is shifting into enforcement territory.
- Keep it clean. All files should be well organized and easily accessible, for both general business reasons and to make production easier in an exam. Extraneous notes that are not needed for general business or required recordkeeping should be discarded, as these can be produced accidentally and create confusion in an exam.
- Don’t get personal. Make sure that employees who keep personal items or files at work separate them from their work files and the firm’s other files. Similarly, firms may consider permitting employees to access their personal email from their workstations, to avoid having purely personal (and potentially embarrassing) emails archived and come up in document production searches. Note, however, that a firm’s policies and procedures should prohibit using personal email for firm communications.
- Archive electronic communications. These days, the majority of a firm’s business is conducted electronically (including email, instant messages and, increasingly, social media). Recordkeeping requirements for registrants will likely encompass these sorts of communications. However, even exempt firms can benefit from archiving their emails, electronic communications, website and social media content. Archiving makes production much easier in an examination or subpoena response, which the SEC can and does issue to non-registrants if it believes a violation of other securities laws has occurred. Moreover, people frequently delete emails they subsequently wish they had kept; these can be rescued from the archive. Finally, general business reasons (e.g., employee and client/investor questions or disputes, human resources issues) may make the cost of archiving worthwhile.
Key issue: make sure your vendor uses “envelope journaling” to capture emails. This is a function on Microsoft Exchange that your vendor and internal IT personnel will activate; this process ensures that all emails on the server will be captured automatically. Archiving that is based on the spam filter or similar may be less expensive, but it is also significantly less reliable. Spam filters do fail with some frequency, which means that emails cannot be archived while the filter is inoperable. In these cases, data may or may not be recoverable. In addition, these methods typically have limited searching, reporting and audit trail functionality. Firms that use instant messaging and social media for business purposes will have to consider how to separately archive these.
- Consider available space and filing method. Determine how much space you have available for compliance files, who needs to access them and what methods are preferred for storing the various records. For example, some CCOs prefer to keep employee attestations, disclosures and similar items in annual binders. Personal account and trading information can be kept in individual binders for each employee. Binders also have the advantages of maintaining chronological, alphabetical or other order and ensuring that filed items do not get lost.
- Limit access to sensitive files. Employees are already unhappy about disclosing sensitive personal information such as securities holdings, trades and political contributions to their employers. Give them some reassurance by keeping these files in a dedicated area for compliance staff only and under lock and key.
- Considerations for electronic storage. Both the SEC and states permit records to be kept and produced in electronic form. From both a business and regulatory perspective, firms should ensure that, however records are kept, they are secure. As more and more firms move toward electronic recordkeeping exclusively, the following should be considered:
  - Cloud storage vs. traditional servers (see our article on cloud storage here);
  - The need for compliance-specific platforms (other than email archiving);
  - CRMs for managing client and investor data;
  - Passwords and security issues.