11 Sep 2023

Recordkeeping & Third Party Messaging Apps

Recent and ongoing enforcement actions by US regulators highlight the importance of maintaining compliance with recordkeeping requirements.

The violations involved the use of third-party messaging apps for work-related communication and failures to appropriately maintain records of such work-related communications in line with federal securities law.

Business Communication & Record Keeping Best Practices

Investors and alternative investment managers should ensure implementation of good compliance practices related to business communications, such as:

  1. Maintain electronic and hard copy records of required categories of communications for the period of time prescribed by regulatory bodies in their jurisdiction.
  2. Require staff to follow formal, documented business communication policies as part of its Compliance Framework.
  3. Train staff on regulatory and compliance expectations on business communications, and have staff attest to having read, understood, and followed their compliance obligations.
  4. Define what are acceptable mediums for workplace communication and ensure that these mediums are under control, oversight and monitoring by the firm at all times.
  5. Prohibit use of personal email or other third-party messaging accounts (that are not subject to firm control and compliance oversight) for business matters.
  6. Pre-approval requirement for external communications that are subject to regulatory scrutiny, especially those that may be considered marketing or advertising.
  7. Clearly defined policies about what can and cannot be posted on social media regarding the firm and its business.
  8. Conduct electronic communication surveillance.
  9. Have in place an escalation procedure for employees to seek guidance or report concerns or potential violations of the communication policies.
  10. Managers should regularly review and update their policies to stay compliant with evolving regulatory requirements.
  11. Managers should assess whether ‘Bring Your Own Device’ policies are consistent with their regulatory obligations and allow for the recording and maintenance of business communications. Centrally managed, firm provided and authorised devices may allow for better oversight and monitoring of business communications.
  12. Investors should ensure that their personnel avoid practices that could lead to violations by managers, such as initiating off-channel communications with manager personnel.

Related topics