If securities regulators were to start enforcing e-mail retention rules today, independent advisors would in be big trouble. Based on my recent conversations with advisors and compliance consultants, I'd estimate that a majority of independent advisors are out of compliance with the e-mail retention rules set by the Securities & Exchange Commission and the National Association of Securities Dealers.
RIAs are subject to less onerous rules then registered reps and broker/dealers. They have to retain their e-mails in case of an audit by the SEC. Reps affiliated with a B/D, however, are subject to tougher rules. Their B/D must retain all their e-mails in a non-rewriteable format, but the B/D must also have a procedure in place to review all the e-mails to and from every rep.
It's easy to argue that e-mail is so new that you'd have to give time for a B/D or RIA to catch up to the rules, especially since forcing financial firms to spend money on expensive compliance systems in a bear market is asking a lot. But the Internet has been around long enough, and regulators have been more than patient in closing their eyes while e-mail has become the main medium for correspondence between many advisors and their clients. So it's only a matter of time before regulators get serious about compliance on the Internet by independent advisors.
E-mail has already figured prominently in brokerage enforcement cases. In December, five brokerage firms were fined $8.25 million for violating record-keeping retention requirements concerning e-mail communications. Deutsche Bank Securities, Goldman, Sachs, Morgan Stanley, Salomon Smith Barney, and U.S. Bancorp Piper Jaffray signed a consent order. Each will pay a $1.65 million penalty after being charged with failing to keep their e-mail records in accordance with Section 17(a) of the Exchange Act, specifically Rule 17 a-4 as well as NYSE Rule 440 and NASD Rule 3110.
The most infamous e-mail-related enforcement action to date, however, was settled on April 28. That is when 10 of the largest brokerages in the country agreed to disgorge $387.5 million, pay $432 million to fund independent research, and pay $487.5 million in penalties, while neither admitting nor denying charges by New York Attorney General Elliot Spitzer. Undoubtedly, the case would not have been as airtight were it not for the fact Spitzer found e-mails written by research analysts that privately disparaged stocks that the firms recommended publicly. In fact, one notorious e-mail message described as "a piece of junk" a company that had at the same time received the brokerage's highest stock rating. That patently exposed the conflict of interest that wirehouses face in rating stocks they also underwrite and that generate lucrative investment banking fees for them.
Why have the giant brokerages been brought so low during this three-year bear market, while independent reps and RIAs have avoided major scandals? I have some theories. Regulators tend to find wirehouses more fertile ground for their efforts because the giant Wall Street firms, with thousands of employees, are susceptible to systemic corruption that can damage thousands of clients. Corruption at an independent B/D or RIA is likely to be isolated because of the separation between independent branches or RIAs. Plus, independent advisors don't generate proprietary research. That alone averts a potentially significant conflict of interest.
But the business of the independent RIA giving advice to wealthy individuals may be remarkably devoid of big scandals because individuals who are entrepreneurial enough to set up their own advisory business may simply be less likely to defraud customers or treat them badly. And regulating and conducting examinations of independent advisors--one unique branch or one RIA at a time--is more difficult than regulating the standardized, uniform businesses at wirehouses. In wirehouses, where all branches use the same products, technology platform, and interoffice systems, it's probably much easier to conduct an inspection than in small branches or RIA offices that all do things differently.
Still, with e-mail proving to be such a valuable way to track correspondence between a brokerage employee and customers, vendors, and supervisors, it is a good bet that the regulators will not continue to allow widespread violation of the rules by independent RIAs and reps. Part of the reason there have been no fines or major cases brought against independent B/D's is that the technology for fulfilling e-mail compliance can be difficult to implement. An independent B/D needs reps to cooperate. Many don't understand the issues or regard e-mail compliance as an encroachment on their independence.
Rules for B/D Reps
Let's look at the rules for e-mail, first focusing on considerations most relevant to independent reps and B/Ds, and then RIAs. Broker/dealers need to retain e-mails in a place accessible to regulators for two years, and keep them for three years. This includes interoffice memos as well as customer communications. Marianne Czernin, a senior VP and director of broker/dealer client services at National Regulatory Services in Lakeville, Connecticut, says that retention is only part of the requirement. Review of e-mails is the other part.
Czernin says that when e-mail first began to become a serious mode of communication in the mid-1990s, broker/dealers simply required reps to print out copies of their e-mail correspondence with clients. Anything to do with an order, recommendation, proposal, or ad would need to be printed out and reviewed as well as retained. But over the years, she says, e-mail has probably come to comprise a majority of client communications. Only smaller broker/dealers, and a small number of medium-sized ones, continue to rely on review and retention of e-mails printed out on paper. Larger firms have moved to electronic systems.
Broker/dealer e-mail compliance systems work on an easy-to-understand premise. The B/D hosts an e-mail server dedicated to serving e-mails for its reps. The server can be owned by the B/D and be on its premises or located at an Internet service provider's data center. As long as all incoming and outgoing e-mails to and from reps go through the B/D's e-mail server, software can be set up to review the e-mails and retain them.
A Mid-sized Problem
Czernin say that although some firms have set up such servers and software systems, many have not. "The huge firms have the money and the people to deal with this, and the small firms with four or five reps can do it manually and it is not an issue for them," says Czernin. "It is the small and medium-sized firms that this is impacting from a cost and time perspective. No one is ignoring the issue," Czernin adds. "They know that it is an issue and it is something they need to deal with."
Czernin says firms "are pretty much doing" what is needed: buying or leasing e-mail servers and compliance software to monitor e-mail. But Brian Hamburger, managing director of Market Counsel, a Teaneck, New Jersey, compliance consulting firm, maintains that "a significant number of firms, large and small, have simply not addressed this issue."
Hamburger says advisors have become a big impediment to the successful implementation of e-mail compliance systems. Maybe it is because B/D compliance departments often tie up reps in paperwork on seemingly trivial issues and have created great animosity with reps. Maybe it is because reps fear ceding day-to-day control of their e-mail service to their B/D. Indeed, many reps ignore the request of their broker/dealer to use their B/D-hosted e-mail address. I know from my own experience that many reps refuse to use their broker/dealer's e-mail server. But I am pretty sure that is going to have to change.
Czernin says that broker/dealers that don't oblige representatives to use their e-mail server "are basically not supervising their reps. They are at serious risk. It is just like deciding not to audit a branch or check your order tickets," she says. "It's a requirement."
While I know how frustrating it can be to have your materials approved by compliance, this may actually be an instance where the broker/dealers should persevere. Like most compliance issues, you ultimately must submit. And, besides, letting your B/D host your e-mail should not be any different from running your e-mail through AOL, Hotmail, or your own local ISP.
If your B/D allows it, you should still be able to use your firm's domain name in your e-mail address and there is no technological necessity to use your B/D's name in your e-mail address. Your e-mail should be delivered as fast as if you use any other service to host your e-mail. The only difference is your B/D's e-mail server will have special software on it that will let the B/D review the e-mails and retain them.
Retaining the e-mails, while not trivial, is fairly straightforward for broker/dealers. They need to be able to provide an NASD or SEC examiner with all of a rep's correspondence with a particular client. The archive of e-mails must be retained on a non-rewriteable medium to comply with NASD rules. This can reasonably assure regulators that the e-mails have not been altered.
The review of the e-mails is where it can be trickier. Czernin says that there is no need for every e-mail to be reviewed prior to being delivered to the rep or sent out from the rep. However, she says the messages should be reviewed within a day or two of their arrival on the B/D's e-mail server. With the volume of e-mail growing so rapidly, that's an enormous job.
Czernin says she recently visited a B/D with 500 reps. The firm had set up its own e-mail server and established a policy requiring review of every incoming and outgoing e-mail. But she says that when she asked the compliance officer responsible for the reviews what he does with all the e-mails, "he said the firm was still sorting it all out."
Scanning for Sensitive Words
To ease this burden, NRS and a number of other companies have created filtering software that flags e-mails for review. NRS, for instance, is creating a dictionary of 1,700 terms that will help flag e-mails for review by a compliance official. If the word, "cheat," shows up in an incoming mail message, for instance, Czernin says that could have come from a client accusing a rep of malfeasance and would be flagged for review. Unfortunately, if the rep is being accused of cheating on his wife, the compliance officer would also see that. The software, however, is prepared for common misspellings, so if a rep promises a "guarantied" return on an investment, the software would flag it as "guaranteed."
Czernin says broker/dealers who have their own e-mail servers and review and retention procedures, but whose reps do not use the system, can probably continue to be "marginally compliant" until a problem occurs. "But when they are examined for cause, these problems suddenly can become serious," she says. "The minute there is a problem and regulators find out the B/D or the rep has not been in compliance with the rules, that's when they will be in serious trouble."
How about when the B/D has a system in place, but it is not being used by a rep? Hamburger says that ultimately the rep could be in the most trouble. "The B/D might simply say it's a rogue broker case to minimize their responsibility," he says.
Rules for RIAs
While RIAs don't have the problem of reporting to a B/D compliance officer, they have their own e-mail compliance issues to deal with. Still, Hamburger says the rules concerning e-mail compliance are less demanding of RIAs.
Rob Stirling, a senior consultant at NRS who specializes in registered investment advisor compliance issues, says RIAs must comply with the books and records rules laid out in section 204-2(a) of the Investment Advisers Act of 1940. Like the rules for registered reps enforced by NASD, these rules were originally intended for written communications. The SEC, Stirling says, has never specifically said how e-mail is to be treated within these guidelines. Nor has it specified how RIAs should comply or how to retain e-mail records. However, Stirling says that when RIAs are examined, they are being asked about their e-mail retention system. But "we have yet to see any of our RIA clients be cited in a regulatory exam for failing to maintain e-mails," says Hamburger. "And until that threat is there, it is difficult in this environment to convince clients to spend additional dollars on e-mail compliance."
Hamburger says RIAs fall into three categories regarding e-mail compliance. About 10% of RIA firms have a system and policies regarding e-mail retention, he says. These RIAs usually have a network running Act! or Goldmine for tracking contacts with clients. Or they use Microsoft Outlook with Microsoft Exchange Server (Exchange Server is software that runs on a network server). With ACT! or Goldmine, an RIA can associate each outgoing or incoming e-mail with a particular contact. With Exchange Server, an RIA can create folder for each client on the network, and run a rule in Outlook that automatically places all e-mails to or from a particular client into that client's respective folder. With any of these setups, the e-mails are organized so that in case of an SEC exam, any client's e-mail correspondence can be produced quickly. The client folders are backed up once a day or one a week in an automated routine.
A second category of RIAs, which Hamburger says comprises 40% of the planners and money managers serving high-net-worth individuals, use a "stopgap solution" for e-mail compliance. These RIA firms keep all their e-mails a single folder and some segregate client e-mails from their other e-mails. But they do not organize e-mails into folders dedicated to each individual client. They do not run a network on Exchange Server or use Goldmine or Act!. So staff members cannot send client e-mails to a centralized folder on the network and cannot associate an e-mail with a particular client for retrieval later. To retrieve specific e-mails in case of an examination by the SEC, they would have to perform a text search for a client's name using their e-mail software.
Doing Nothing? Bad Idea
The third category of RIAs, which Hamburger thinks is about half of the independent RIAs serving high-net-worth individuals, are those doing nothing. "They do not equate the electronic medium to the old books and recordkeeping rules predating the Internet, and they don't realize that e-mail communication is the same as written correspondence," he says.
With the NASD crackdown on brokerages, it's reasonable to expect the SEC will follow suit with RIAs. However, it is hard for the SEC examiners to cite an RIA for what is not given to him. In other words, when an examiner asks for all client correspondence and the RIA shows some but not all e-mails, it's difficult for an SEC examiner to know what's not there.
Stirling says that RIAs should establish a policy for complying with the rules and should also establish a policy on how to back up their archived e-mail files. SEC rules require that files be reasonably safeguarded from loss, alteration or destruction. Advisors should consider backing up their drives to an off-site server. A Web-based storage system could be used, or you can install a virtual private network to create a private, secure line to a branch office or your home and back up securely to that remote location. You can also back up to a tape or other drive and take it home with you, but this is not automated and can get sloppy. "You'd have a hard time saying your file was reasonably protected if your only backup is on-site," says Stirling.
Another option is to use commercially available systems that are created for RIAs. Such systems are similar to what is offered to broker/dealers and can help ease the burden on an RIA for retaining e-mail records. Since my company makes such a system, however, I won't comment on specific products.
An Exception to the Rule
Incidentally, RIAs are not subject to the rule requiring a B/D to keep e-mail correspondence on a non-rewriteable medium. The SEC eased this restriction of the books and records rules about two years ago, according to Hamburger.
One important aspect of e-mail compliance for an RIA is that retaining e-mails on your server or vendor's is not enough. You also need to organize the e-mails in a way that will allow you to access easily what regulators ask. If the SEC asks you for all the e-mails you sent to John Client over the past three years, you should to be able to produce them.
Hiring a consultant to create a state-of-the-art document management system that takes your office paperless is the ideal solution for addressing the issue of organizing your e-mails within regulatory constraints. But many RIAs simply don't have the $7,500 to $10,000 that is the typical cost of a document management system for a seven-employee office, according to Kevin Day of Trumpet Inc., a paperless office consultant in Phoenix. (See my interview with Day in the March IA.)
For smaller firms and those not inclined to spend the money on a paperless document management system, here are some ideas. In a recent survey I took of Investment Advisor readers, 249 of the 1,100 respondents said they used ACT! as their contact manager, while another 162 used Outlook. Goldmine was a distant third, with 84. Since Act! uses Outlook as its e-mail client, let's focus on solutions for Outlook.
RIAs basically have two choices. They can use a contact management application to sort all their e-mails at the time that they are sent and received. You can have a separate folder for each client on a server if you are using Exchange Server and everyone in you firm can place e-mails pertaining to that client in that same folder. And you can create a folder for all advertisements:: any e-mail soliciting business or discussing market conditions and sent to more than one client. If you are not using Exchange, then each staffer will have to keep his own folders for individual clients and advertisements. In case of an exam by the SEC, each staffer will need to print correspondence requested by the examiner or ask the examiner to view them on the different computers your employees use.
Sorting the Mail
You can do a search based on your client's e-mail addresses to find the relevant e-mails. While you may catch all the correspondence to and from a client by doing a full text search of all the e-mails with the client's name, you could miss an e-mail about a particular client that you sent to his accountant or to your custodian, and attachments will not be searchable.
Sorting e-mails when they come in and are sent out by your firm can be time- consuming, however, and requires discipline by an RIA's staff. Also, it can be tricky to make sure that if you send a copy to multiple clients, it will be placed into their individual folders. It can also be difficult to be sure that e-mail sent to clients' accounts, or a general solicitation to all your clients, will also be placed in their individual folders.
One promising solution on the horizon is a program called Nelson E-mail Organizer (www.emailorganizer.com). It can help RIAs organize e-mails and e-mail archives if they are audited by the SEC. At only $40, it's worth the price even if you don't rely on it for compliance.
NEO examines all your e-mails in Outlook and automatically indexes them. A search of all my mail for the word "Centerpiece" that took 60 seconds in Outlook took one second in NEO. And NEO organizes e-mails by correspondents. When in the correspondent view, you can see all e-mails from one individual, plus all your responses. While NEO works with only one Outlook user at a time, NEO Professional, due out in August, will allow multiple users. That will let you produce reports with all e-mails to and from your entire staff to a particular client. NEO will also let you sort your attachments by file type, so you can see all e-mails sent to you with GIF, PDF or DOC attachments, and it will sort your e-mails by the month and year. It will put e-mail you received from spammers or e-newsletters into a bulk mail folder. And it should be a quick way to get regulators the e-mails they need. And make no mistake: They will need them. My hunch is that e-mail is going to become critical issue in coming months.