SEC Risk Alert for Most Common Compliance Violations by Brokers and Investment Advisors

Updated September 16, 2019
Published March 06, 2017
by Marianna Shafir Esq.


The Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) notes in its 2019 Examination Priorities that the financial markets, available products and services, and the industry's technological innovations continue to grow at a rapid pace.

To promote compliance in an ever-changing landscape, many of the OCIE's most recently published Risk Alerts have centered on the most common issues and challenges SEC-registered investment advisers and brokers are facing. These include:

Electronic messaging

The OCIE observed that an increasing number of firms and adviser personnel were using various types of tools and applications for business-related communication. Electronic messages aren't just email anymore. They include text messages, social media posts, direct messages, online conferencing, and collaboration tools like Slack and Microsoft Teams.

The use of electronic messaging falls under several Advisers Act Rules:

  • Rule 204-2: Advisors need to make and keep records relating to their investment advisory business

  • Rule 204-2(a)(11): Advisers need to make and keep a copy of each notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication that the investment adviser circulates or distributes, directly or indirectly, to ten or more persons

  • Rule 206(4)-7: Advisers need to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act

The SEC has stated that messages need to be archived and supervised regardless of whether the content is delivered in paper or electronic form. In fact, a pair of roboadvisors were recently fined $250,000 for not preserving copies of their tweets.

Using third-party tools to safeguard customer records and information

Broker-dealers and investment advisers have the responsibility to safeguard customer records and information. Data breach risks are a major OCIE and public focus, and the OCIE has found that firms using third-party network and cloud storage solutions are risking unauthorized access with:

  • Weak or misconfigured security settings

  • Poor implementation procedures that don't maximize their technology partners' offered security features

  • Inaccurate access privileges

With cybersecurity remaining a top priority for the SEC, registered broker-dealers and investment advisors need to review the following regarding electronic storage:

  • Policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the storage solution

  • Guidelines for security controls and baseline security configuration standards to ensure that each solution is configured properly

  • Vendor management policies and procedures that include regular updates and patches, and verification that those updates did not change existing security configurations

Compliance, supervision, and disclosure of conflicts of interest

The OCIE assessed the effectiveness of firms' compliance policies and procedures at preventing violations of the Advisers Act. While the Risk Alert placed emphasis on reviewing previously disciplined individuals, it also discusses the increased concern for conflicts of interest.

While conflict of interest cases have decreased in recent years, regulators are keeping a vigilant eye on any external business activities. The private equity industry is especially scrutinized. The SEC has made it a top priority to examine and review private equity firms and their disclosures of conflicts of interest. Firms need to disclose and meticulously document any conflict of interest; even the appearance of a potential conflict needs to be fully and accurately disclosed.

The SEC is also continuing to bring more enforcement actions against compliance deficiencies, with dual-hat Chief Compliance Officers (CCOs) as a prime example of inadequate programs. The SEC argues that compliance supervision requires a dedicated officer who focuses solely on compliance. An executive who oversees compliance as an ancillary task alongside other responsibilities tends to contribute to oversights and, depending on those other tasks, risks a conflict of interest as well.


The SEC won't tolerate inadequate compliance programs or indifference to compliance. Peter Driscoll, OCIE Director, said in a recent speech that compliance programs need regular internal evaluations and sufficient resources.

"We cannot underscore enough a firm's continued need to assess whether its compliance program has adequate resources to support its compliance function," says Driscoll. "We are concerned when we hear that compliance resources and budgets are being cut or are not keeping up with firms' risk profiles."

Whether that is hiring a dedicated CCO or implementing a powerful content archiving system, maintaining dedicated resources for compliance is crucial to a firm's continued success.

This page was updated on September 16, 2019. Read content originally published on March 06, 2017: Books and Records are Among SEC’s Top Five Compliance Violations


Originally published: March 06, 2017

Books and Records are Among SEC’s Top Five Compliance Violations

The SEC’s Office of Compliance Inspections and Examinations (OCIE) has identified Books and Records as one of the top five compliance issues raised most often in deficiency letters to investment firms. OCIE observed that advisors failed to maintain all required records, kept inaccurate records, did not update records, and were inconsistent in their recordkeeping practices. For example, in January a large investment firm agreed to pay a $13 million penalty for compliance breakdowns that included books and records violations. The bottom line: recordkeeping violations are prevalent. Your firm can avoid recordkeeping sanctions by implementing Smarsh best practices in modern records management.

Navigate the SEC Books and Records Rule

SEC Rule 204-2 requires firms to maintain certain books and records pertaining to their advisory business. On its examination request lists, the OCIE asks firms to provide emails and other electronic communications retained by registered investment advisors (RIAs). Electronic communications must be kept for the same length of time as a written or printed record.

Records should be kept for a period of not less than five full fiscal years after the last entry was made in that record. For the first two years following the creation of a record, the records must be maintained in the advisor’s principal office. For the final three years, the record may be stored offsite, but must be readily accessible.

You may store your original books and records by using electronic media, such as electronic text, digital images, proprietary and off-the-shelf software, and email. Also, if you use email, social media, text messaging, or websites to communicate with clients, you must maintain records of those business electronic communication channels in compliance with SEC Rule 204-2. Plus, if an email pertains to documentation demonstrating the calculation of a product’s financial performance, it may be subject to retention for five full fiscal years after an advisor stops advertising the performance to prospects and clients.

Electronic records must be arranged and indexed in a way that permits easy location, access and retrieval of any record. You should be able to promptly (within 24 hours) produce required electronic records requested by examiners, including email.

Best Practices in Modern Records Management

The electronic communications landscape has never been more complex. Employees of regulated firms now access and use multiple electronic communication platforms during their workday to communicate in real-time. Plus, new communication platforms launch regularly, adding to the complexity.

Firms need to be aware of the electronic communications landscape and ensure they archive all business communications sent to and received by their RIAs, whether those advisors communicate via email, social media, text messaging, websites, or other forms of electronic communication. Your advisors have smartphones. Even if you have a policy that prohibits the use of text messages or social media for business communications, you can’t assume your investment advisors aren’t using their smartphones or social media accounts to communicate with clients.

It’s best practice to implement what I call an archive everything strategy. First, conduct an audit of the communication channels your RIAs really use, and then ensure your firm archives those channels.

Review and Update Your Written Policies and Procedures

Registered investment advisors should review their compliance policies and procedures to ensure they have adequately addressed these issues. OCIE continues to find deficiencies in compliance programs adopted and implemented by RIAs as required by Rule 206(4)-7.

Rule 206(4)-7 requires firms to adopt written policies and procedures designed to ensure compliance with the Investment Advisers Act. If a firm’s compliance manuals don’t fit their practice or are out of date, the firm is in violation of Rule 206(4)-7. Firms are also in violation if they neglect to conduct annual reviews or don’t follow their own policies and procedures.

If your firm does not review its policies and procedures on an annual basis to make sure they are relevant, then your firm is not in compliance with Rule 206(4)-7. In addition, your firm must review its formal written electronic communication retention and supervision policies to ensure those policies keep up with the pace of technology.

Smarsh recommends that firms update their policies to include often-overlooked (but extremely popular) forms of electronic communications, including website pages, instant messages, text messaging, social media posts, email marketing, and more. It’s important to note that simply forbidding these communication channels in a policy isn’t sufficient to protect against recordkeeping rules violations. As we have seen, regulators may fine or suspend a firm and/or advisor if they discover an advisor uses a communications channel that isn’t archived by their firm.

To maintain compliance, the smartest approach is to acknowledge that your advisors use most modern electronic communication channels to reach out to their prospects and clients, including text messaging and social media. Update your policies now to allow your advisors to use the electronic communication tools they want to use, and then archive everything!
